Geoip Issues with Logstash?

Hi, I was wondering if someone could help me out. I have been at it a while but nothing, and what's funny is that sometimes it shows the geoip of some countries but others not. Did I miss something?

Also, when I run tail -f /var/log/logstash/logstash.stdout
I should be getting something like this

tags" => [
    [0] "PFSense",
    [1] "firewall",
    [2] "packetfilter",
    [3] "GeoIP"

but instead I get

tags" => [
 [0] "PFSense",
 [1] "firewall"

Thank you

The geoip filter won't work for private addresses, so everything in (like all your block messages) won't get geo data added. The geoip filter only works on internet routable addresses.

Thank you for your response, so the is private? my network is

If that's correct then everything is working good? But I do see that some IPs do not get registered with the country names

Thank you

That's right. Also, geoip lookup is a best effort; the database is definitely not thorough nor completely accurate, so you may find some IPs just do not resolve to anywhere. We also unfortunately ship an older version of the geoip database within Logstash; we will be shipping a newer version in a future release, I believe.

That's correct @killmasta93. These are called RFC 1918 addresses, because that is the Request for Comments (RFC) that defined them.

IPv4 Private Address Space and Filtering IP addresses: -- IP addresses: -- IP addresses: –

See also:

You could try this Creating geoip data for internal networks

@lloydde @Joshua_Rich thank you for helping me understand

and @warkolm, I will sure check it out, looks very interesting

Thank you again
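
The behaviour explained in the replies above (no geo data for RFC 1918 sources, best-effort lookups for everything else) can be made visible in the events themselves. The filter below is an added example, not configuration posted by anyone in this thread; the field name `src_ip` and the tag `private_src` are assumptions, while `GeoIP` is the tag from the original question.

```logstash
filter {
  # Assumption: an earlier grok stage has stored the packet's source
  # address in the field "src_ip".
  if [src_ip] {

    # Tag RFC 1918 sources first. These ranges are not internet routable,
    # so the GeoIP database has nothing to return for them.
    cidr {
      address => [ "%{src_ip}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
      add_tag => [ "private_src" ]
    }

    # Only attempt a lookup for addresses that are not private.
    if "private_src" not in [tags] {
      geoip {
        source         => "src_ip"
        # Added only when the lookup succeeds.
        add_tag        => [ "GeoIP" ]
        # Added when the address is public but absent from the database.
        tag_on_failure => [ "_geoip_lookup_failure" ]
      }
    }
  }
}
```

With this in place, an event without the `GeoIP` tag carries either `private_src` (expected, internal traffic) or `_geoip_lookup_failure` (public address missing from the shipped database), so the two cases discussed in the thread can be told apart in a dashboard or search.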