_geoip_lookup_failure but not specified


#1

Using Filebeat to send IIS logs from a Windows system to my Logstash server and then to Elasticsearch and Kibana.
Elasticsearch and Kibana - 5.3.2, Logstash and Filebeat - 5.3.2
filebeat.yml :

#=========================== Filebeat prospectors
- input_type: log 
# Paths that should be crawled and fetched. Glob based paths.
  paths:
# Add the path to IIS Logs
    - d:\Inetpub\logs\logfiles\*\*
  document_type: iis
#-------------------------- Elasticsearch output -------------
# Comment out
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
#----------------------------- Logstash output ---------------
# Uncomment and set Logstash IP
output.logstash:
  # The Logstash hosts
  hosts: ["nemesis.hstv.local:5044"]
  # Optional index name. The default index name is set to name of the beat
  # in all lowercase.
  index: 'filebeat_iis'

iis-filter.conf:

filter {
  if [type] == "iis" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:S-SiteName} %{NOTSPACE:S-ComputerName} %{IPORHOST:S-IP} %{WORD:CS-Method} %{URIPATH:CS-URI-Stem} (?:-|\"%{URIPATH:CS-URI-Query}\") %{NUMBER:S-Port} %{NOTSPACE:CS-Username} %{IPORHOST:C-IP} %{NOTSPACE:CS-Version} %{NOTSPACE:CS-UserAgent} %{NOTSPACE:CS-Cookie} %{NOTSPACE:CS-Referer} %{NOTSPACE:CS-Host} %{NUMBER:SC-Status} %{NUMBER:SC-SubStatus} %{NUMBER:SC-Win32-Status} %{NUMBER:SC-Bytes} %{NUMBER:CS-Bytes} %{NUMBER:Time-Taken}"}
    }
  }
}

When I view the filebeat_iis in Kibana - Discover, every entry has 2 tags:

beats_input_codec_plain_applied
_geoip_lookup_failure

Why do I get the _geoip_lookup_failure when I haven't specified it?

It is used in a different .conf file for WinLogBeat.


(ruflin) #2

@teejayuu The fields seem to come from Logstash. Should I move your topic to LS forum?


#3

Sorry. Can you move it to the correct place?
Thanks


(ruflin) #4

Just moved it to LS
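
Added example, not part of any post in this thread: Logstash 5.x merges every .conf file in its config directory into a single pipeline, so a `geoip` filter declared without a conditional in the WinLogBeat file also runs on the IIS events and tags them when the lookup fails. The file name, the `wineventlog` type value and the `[event_data][IpAddress]` source field below are assumptions, because the thread does not show that file.

```logstash
# winlogbeat-filter.conf (hypothetical contents; assumed, not shown in the thread)

# Before: no conditional. After Logstash concatenates all .conf files,
# this filter applies to every event in the pipeline, including the
# events Filebeat ships with type "iis". Those events have no usable
# source field for the lookup, so they get tagged _geoip_lookup_failure.
#
# filter {
#   geoip {
#     source => "[event_data][IpAddress]"   # assumed field name
#   }
# }

# After: the lookup is scoped to WinLogBeat events that actually carry
# the source field, so IIS events pass through untouched.
filter {
  if [type] == "wineventlog" and [event_data][IpAddress] {   # assumed type value
    geoip {
      source => "[event_data][IpAddress]"
    }
  }
}
```

The same scoping pattern is what `iis-filter.conf` already does with `if [type] == "iis"`; every filter file sharing the directory needs its own guard.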

