GeoIP LookUp failure

asajj · June 7, 2018, 9:09am

Hi Everyone,

i'm playing a bit with the ELK-Stack and i have a problem with the GeoIP-Filte of Logstash.

Via Winlogbeat I send EventLogs (more exact Network Sysmon Events). If a connection is established in generates a Event with the "DestinationIp". I want to GeoIP this adress. In ElasticSearch the Event looks like this:

{
        "_index" : "windows_records-2018.06.06",
        "_type" : "wineventlog",
        "_id" : "AWPSjUxSYiQHMjlX73pg",
        "_score" : 1.0,
        "_source" : {
          "computer_name" : "DESKTOP-XXXX",
          "process_id" : 2876,
          "log_name" : "Microsoft-Windows-Sysmon/Operational",
          "level" : "Informationen",
          "record_number" : "4066",
          "event_data" : {
            "User" : "NT-AUTORITÄT\\SYSTEM",
            "SourceHostname" : "DESKTOP-XXXXX",
            "SourcePort" : "50992",
            "Image" : "C:\\Windows\\System32\\svchost.exe",
            "DestinationPort" : "443",
            "ProcessGuid" : "{6AD2706A-835F-5B15-0000-001019371F00}",
            "DestinationPortName" : "https",
            "UtcTime" : "2018-06-06 00:44:19.113",
            "DestinationIp" : "52.114.XX.XX",

I thought the only thing to do specify in Logstash this:

filter {
    geoip {
        source => DestinationIp
    }
}

Because in Kibana the field is called "event_data.DestinationIp" i tried this also in my logstash configuration with and without quotation marks. However i always got the tag "_geoip_lookup_failure" in the document.
I also tried to push it in a new index, but nothing help.
In my understanding logstash needs for geoip a string with an IPv4/IPv6 address which should specified with "source" in the Logstash configuration.
I have ElasticSearch "5.6.9" and ingest-geoip plugin installed
Thanks at all.

Badger · June 7, 2018, 10:35am

Does it work if you use this?

source => "[event_data][DestinationIp]"

asajj · June 8, 2018, 11:41am

Thank you very much! It works!

Sometimes it could be so easy.

asajj · June 8, 2018, 2:56pm

Alright my Kibana has now the correct coordinates like

But if i want to set up some map visualizations with Kibana it says:

No Compatible Fields: The "windows_records-*" index pattern does not contain any of the following field types: geo_point

This means in my opinion i need field with "long" and "lat" as values and type "geo_point" so i tried these in Logstash:

filter {
geoip {
source => "[event_data][DestinationIp]"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
convert {
convert => [ "[geoip][coordinates]", "geo_point" ]
}
}

But with this my Logstash won't start because of "Problems loading a plugin", "Cannot create Pipeline"

Badger · June 8, 2018, 3:01pm

I think you meant that first convert to be a mutate, but that's not going to work either because you cannot convert to geo_point. You need an index template that defines your field as a geo_point. This thread might help you.

asajj · June 8, 2018, 3:03pm

Yes, i mean convert. Thanks for fast response. I try it. Thank you very much again

system · July 6, 2018, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_geoip_parse_failure on logstash config Logstash	10	1739	October 4, 2017
_geoip_lookup_failure Error Logstash	3	2020	September 27, 2018
_geoip_lookup_failure Logstash	3	140	July 3, 2024
Logstash 7.1 and _geoip_lookup_failure Logstash	3	834	July 15, 2019
_geoip_lookup_failure though all geoip fields are populated Logstash	17	2733	September 12, 2019

GeoIP LookUp failure

Related topics