Geoip Issues with Logstash?

killmasta93 · August 27, 2015, 2:52am

Hi I was wondering if someone could help me out. I have been at it a while but nothing and whats funny is that sometimes it shows the geoip of some countries but others not. Did i miss something?

http://pastebin.com/pEPD6Y0T

Also when i run tail -f /var/log/logstash/logstash.stdout
i should be getting something like this
http://s2.postimg.org/4vvn0yhbt/Clipboarder_2015_08_26_007.png

tags" => [
    [0] "PFSense",
    [1] "firewall",
    [2] "packetfilter",
    [3] "GeoIP"

but instead i get

tags" => [
 [0] "PFSense",
 [1] "firewall"

Thank you

Joshua_Rich · August 27, 2015, 3:25am

The geoip filter won't work for private addresses, so everything in 10.0.0.0/8 (like all your block messages) won't get geo data added. The geoip filter only works on internet routable addresses.

killmasta93 · August 27, 2015, 3:50am

Hi,
Thank you for your response, so the 10.141.5.1 is private? my network is 192.168.3.0/24

if that's correct then everything is working good? but i do see that some IP do not get registered with the country names

Thank you

Joshua_Rich · August 27, 2015, 4:10am

That's right. Also, geoip lookup is a best effort, the database is definitely not thorough nor completely accurate, so you may find some IPs just do not resolve to anywhere. We also unfortunately ship and older version of the geoip database within Logstash, we will be shipping a newer version in a future release I believe.

lloydde · August 27, 2015, 4:40am

That's correct @killmasta93. These are called rfc1918 addresses, because that is the Requests for Comments (RFC) that defined them.

IPv4 Private Address Space and Filtering
10.0.0.0/8 IP addresses: 10.0.0.0 -- 10.255.255.255.
172.16.0.0/12 IP addresses: 172.16.0.0 -- 172.31.255.255.
192.168.0.0/16 IP addresses: 192.168.0.0 – 192.168.255.255.