GeoIP - locate ip address from text file

Vladpov · October 17, 2019, 11:39am

Hey guys,

I was wondering if I can see location of IP address when insert an IP address from text file via logstash with filter for geoip in it.

I was trying it with Apache log line sample from GeoIP in the Elastic Stack tutorial. I created a new index

PUT my_index
{
  "mappings": {
    "properties": {
      "location": {
        "type": "geo_point"
      }
    }
  }
}

And then changed filter in logstash config file for:

filter {
  grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
  geoip { source => "clientip" }
}

The output I see in Kibana:

               Time 	       geoip.ip  	geoip.timezone      geoip.location.lat    	geoip.location.lon    	 geoip.continent_code  
Oct 17, 2019 @ 11:41:23.231	162.156.141.3	Europe/London	         51.496	               -0.122	                     EU

When I try to make a new visualisation with Coordinate Map I have there geopoint location but no points in map are shown.

In Index Pattern settings I don't have field clientip as geo_point but String.

Thanks for any help!

Badger · October 17, 2019, 3:09pm

The default target for a geoip filter is a field called geoip. The default template for indexes that match logstash-* makes that a geo_point.

You are on the right lines, but you need to make [geoip][location] a geo_point, not [location]. See the template above for how to do that.

Vladpov · October 17, 2019, 7:04pm

Thank you for your help! It works now!

system · November 14, 2019, 7:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.