GeoIP lookup failed

Alex_Liu · July 16, 2020, 8:19am

Hi,

how to debug GeoIP lookup failure? For below attached screenshot, why the first clientIP: 123.58.60.5 lookup failed, but the second one 112.85.231.147 succeed?

the configuration is simple, and the GeoLIte2-city.mmdb database is the latest.

geoip {
    source => "clientip"
    database => "/usr/data/geolite2/GeoLite2-City.mmdb"
    fields => ["region_name"]
  }

warkolm · July 16, 2020, 10:01am

It could be the database doesn't have that IP listed, it does happen from time to time.

Alex_Liu · July 16, 2020, 2:07pm

yes, you're correct, the first ip address's info is not as accurate as the second one in GeoLite2 Database.

$ /usr/bin/python3 /home/alex/pytest/ipquery.py
geoip2.models.City({'continent': {'code': 'AS', 'geoname_id': 6255147, 'names': {'de': 'Asien', 'en': 'Asia', 'es': 'Asia', 'fr': 'Asie', 'ja': 'アジア', 'pt-BR': 'Ásia', 'ru': 'Азия', 'zh-CN': '亚洲'}}, 'country': {'geoname_id': 1814991, 'iso_code': 'CN', 'names': {'de': 'China', 'en': 'China', 'es': 'China', 'fr': 'Chine', 'ja': '中国', 'pt-BR': 'China', 'ru': 'Китай', 'zh-CN': '中国'}}, 'location': {'accuracy_radius': 50, 'latitude': 34.7725, 'longitude': 113.7266, 'time_zone': 'Asia/Shanghai'}, 'registered_country': {'geoname_id': 1814991, 'iso_code': 'CN', 'names': {'de': 'China', 'en': 'China', 'es': 'China', 'fr': 'Chine', 'ja': '中国', 'pt-BR': 'China', 'ru': 'Китай', 'zh-CN': '中国'}}, 'traits': {'ip_address': '123.58.60.5', 'prefix_len': 18}}, ['en'])

# alex @ LAPTOP-FB6FQ8MU in ~ [21:57:21] 
$ /usr/bin/python3 /home/alex/pytest/ipquery.py
geoip2.models.City({'city': {'geoname_id': 1799722, 'names': {'de': 'Nantong', 'en': 'Nantong', 'fr': 'Nantong', 'ja': '南通市', 'pt-BR': 'Nantong', 'ru': 'Наньтун', 'zh-CN': '南通'}}, 'continent': {'code': 'AS', 'geoname_id': 6255147, 'names': {'de': 'Asien', 'en': 'Asia', 'es': 'Asia', 'fr': 'Asie', 'ja': 'アジア', 'pt-BR': 'Ásia', 'ru': 'Азия', 'zh-CN': '亚洲'}}, 'country': {'geoname_id': 1814991, 'iso_code': 'CN', 'names': {'de': 'China', 'en': 'China', 'es': 'China', 'fr': 'Chine', 'ja': '中国', 'pt-BR': 'China', 'ru': 'Китай', 'zh-CN': '中国'}}, 'location': {'accuracy_radius': 500, 'latitude': 32.0303, 'longitude': 120.8747, 'time_zone': 'Asia/Shanghai'}, 'registered_country': {'geoname_id': 1814991, 'iso_code': 'CN', 'names': {'de': 'China', 'en': 'China', 'es': 'China', 'fr': 'Chine', 'ja': '中国', 'pt-BR': 'China', 'ru': 'Китай', 'zh-CN': '中国'}}, 'subdivisions': [{'geoname_id': 1806260, 'iso_code': 'JS', 'names': {'en': 'Jiangsu', 'fr': 'Province de Jiangsu', 'zh-CN': '江苏省'}}], 'traits': {'ip_address': '112.85.231.147', 'prefix_len': 17}}, ['en'])

Badger · July 16, 2020, 5:51pm

The plugin ships with a database that probably dates from when the plugin was built. You could try downloading a current database from MaxMind and see if coverage for that IP has been added.

Topic		Replies	Views
Logstash geoip filter error: _geoip_lookup_failure Logstash	1	598	December 11, 2018
_geoip_lookup_failure in Logstash pipeline using GeoLite2-City.mmdb Logstash	5	368	June 16, 2023
_geoip_lookup_failure question Logstash	1	503	January 2, 2018
Encountering _geoip_lookup_failure within the IP address range 104.16.16.0/20 Logstash elastic-stack-alerting	13	346	April 7, 2024
Why my geoip lookup is failing? Logstash	3	715	May 3, 2023

GeoIP lookup failed

Related topics