Geoip lookup fails

As far as I can tell I've followed the directions, but all of my geoip lookups fail. What did I miss?

input {
    udp {
        port => 11001
        codec => netflow {
            versions => [5, 9]
        }
        type => netflow
    }
}

filter {
    if [type] == "netflow" {
        geoip {
            source => "src_addr"
            target => "src_geo"
        }
        geoip {
            source => "dst_addr"
            target => "dst_geo"
        }
    }
}

output {
    if [type] == "netflow" {
        elasticsearch {
            index => "netflow-%{+YYYY.MM.dd}"
            hosts => "elasticsearch:9200"
        }
    }
}

Capture

[2018-08-01T15:08:13,530][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://elasticsearch:9200/"},
[2018-08-01T15:08:13,535][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>6},
[2018-08-01T15:08:13,539][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil},
[2018-08-01T15:08:13,537][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//elasticsearch:9200"]},
[2018-08-01T15:08:13,536][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6},
[2018-08-01T15:08:13,540][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-*", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"_default_"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"*", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}},
[2018-08-01T15:08:13,561][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"},
[2018-08-01T15:08:13,582][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"},
[2018-08-01T15:08:13,904][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"},
[2018-08-01T15:08:14,184][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:11000"},
[2018-08-01T15:08:14,211][INFO ][logstash.pipeline        ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x142e6ee5 run>"},
[2018-08-01T15:08:14,225][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"0.0.0.0:11001"},
[2018-08-01T15:08:14,301][INFO ][org.logstash.beats.Server] Starting server on port: 11000,
[2018-08-01T15:08:14,343][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]},
[2018-08-01T15:08:14,301][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"0.0.0.0:11001", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}

Your Kibana screenshot shows a fieldname of netflow.ipv4_dst_addr, so I think you should be doing

    geoip {
        source => "[netflow][ipv4_dst_addr]"
        target => "dst_geo"
    }
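As an added example (not code from the thread or from Logstash itself), here is a small Python model of how Logstash resolves the two forms of field reference, showing why `source => "src_addr"` finds nothing on a netflow event while `[netflow][ipv4_dst_addr]` does. The sample event is constructed; its nested `netflow` field names follow the answer above.

```python
import re
from typing import Any, Optional

# Constructed sample event, shaped like what the netflow codec emits:
# the decoded flow fields live under the top-level "netflow" key.
SAMPLE_EVENT = {
    "@timestamp": "2018-08-01T15:08:14.225Z",
    "type": "netflow",
    "netflow": {
        "version": 5,
        "ipv4_src_addr": "203.0.113.10",   # documentation range (constructed)
        "ipv4_dst_addr": "198.51.100.25",  # documentation range (constructed)
    },
}

# One bracket pair per path segment, e.g. "[netflow][ipv4_dst_addr]"
_PATH_RE = re.compile(r"\[([^\[\]]+)\]")


def resolve_field(event: dict, ref: str) -> Optional[Any]:
    """Resolve a Logstash-style field reference against an event.

    A bare name ("src_addr") means a top-level field; the bracket form
    ("[netflow][ipv4_src_addr]") walks into nested objects one segment
    at a time. Returns None when any segment is missing, which is the
    situation the geoip filter hits when its `source` points nowhere.
    """
    segments = _PATH_RE.findall(ref) if ref.startswith("[") else [ref]
    node: Any = event
    for seg in segments:
        if not isinstance(node, dict) or seg not in node:
            return None
        node = node[seg]
    return node


def check_geoip_sources(event: dict, sources: list) -> dict:
    """Pre-check each configured geoip `source`: True if it resolves.

    A False entry means the lookup cannot succeed for this event, so the
    filter will fall back to its tag_on_failure tag (_geoip_lookup_failure
    by default), which is the first thing to search for in Kibana.
    """
    return {src: resolve_field(event, src) is not None for src in sources}


if __name__ == "__main__":
    # The question's config versus the answer's corrected reference
    print(check_geoip_sources(SAMPLE_EVENT,
                              ["src_addr", "[netflow][ipv4_src_addr]"]))
```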
