_geoip_lookup_failure

Hello,

I am trying to use geoip, but I get the error message "_geoip_lookup_failure".

I have looked at several forum threads, but I don't know whether I am missing something or whether I need to install something.

input {
  tcp {
    port => 13343
  }
}

filter {
  geoip {
    source => "src"
    target => "geoip"
    database => "/usr/share/logstash/sensor39/geoip_database_management/1720025651/GeoLite2-City.mmdb"
    add_field => { "[geoip][coordinates]" => "%{[geoip][longitude]}" }
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float" ]
  }

  dissect {
    mapping => {
      "message" => "<%{pri}> %{timestamp} %{hostname} %{app}[%{pid}]: %{cef_data}"
    }
  }

  grok {
    match => {
      "cef_data" => "CEF:%{INT:cef_version}\|%{DATA:device_vendor}\|%{DATA:device_product}\|%{DATA:device_version}\|%{DATA:signature_id}\|%{DATA:Description}\|%{INT:email_severity}\|%{GREEDYDATA:body}"
    }
  }

  mutate { remove_field => [ "event", "original", "message", "cef_data" ] }
}

output {
  stdout { codec => rubydebug }
}



There is nothing that creates the [src] field before the geoip filter runs. That will result in the failure tag getting added.

Hello,
thanks for replying. The field does exist; I just modified the .conf. The idea is to leave it as it is, since I am using the geoip structure.

I am sharing the output:


            "reason" => "Sender domain not found",
      "signature_id" => "44535354",
       "Description" => "TRACKING",
                "rt" => "2024-07-03T19:47:25.200430Z",
          "hostname" => "myhost",
        "@timestamp" => 2024-07-03T19:47:31.658545486Z,
          "mailUuid" => "cd0dd6ec-222-4221-220a-f6"eb6c82b",
               "pri" => "15",
               "app" => "tmes",
       "messageSize" => "0",
             "suser" => "user@test.com",
    "device_version" => "1.0.0.0",
    "device_product" => "TMES",
               "pid" => "1",
               "src" => "1.1.1.1",
         "timestamp" => "2024-07-03T19:47:31Z",
             "duser" => "user2@user.com",
         "messageId" => "",
     "device_vendor" => "Trend Micro",
       "cef_version" => "0",
          "@version" => "1",
         "direction" => "incoming",
            "email_" => "4"
}
{
           "tlsInfo" => "upstreamTLS: TLS 1.2; downstreamTLS: None",
              "tags" => [
        [0] "_geoip_lookup_failure"

After almost a full working day, I managed to get it to work.

The problem was that the name of the field from which the information is going to be extracted, in my case "src", must follow the ECS (Elasticsearch Common Schema).

The solution was to perform a mutate-type replace in which I change the name "src" to "source.ip".

Note: I don't know if there are too many lines; as the saying goes, "if it works, don't touch it", at least until I understand more about this ELK topic.

# This brace closes the preceding filter in the full config (not shown in the post),
# i.e. geoip now runs after the parsers that create the source field.
}
mutate {
  # Logstash takes this name literally: a top-level field called "source.ip".
  # The nested ECS form would be written as "[source][ip]".
  rename => { "src" => "source.ip" }
}
geoip {
  default_database_type => "City"
  source => "source.ip"
  target => "destination"
  database => "/var/lib/logstash/geoip_database_management/1714436415/GeoLite2-City.mmdb"
  # With target => "destination" the lookup result is written under [destination],
  # so a reference to [geoip][longitude] can never resolve. The reference below
  # assumes the ECS-compatible layout (the Logstash 8 default), where the
  # longitude is stored at [destination][geo][location][lon].
  add_field => { "[geoip][coordinates]" => "%{[destination][geo][location][lon]}" }
}
mutate {
  convert => [ "[geoip][coordinates]", "float" ]
}
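The reply above attributes the tag to filter order (nothing creates [src] before geoip runs), and the final config places geoip after the parsers. The following Python model of that pipeline is an added example, not code from the thread or from the Logstash project. It reimplements the thread's dissect mapping and CEF grok pattern as regexes, stands in for the GeoLite2 database with a constructed one-entry table (made-up coordinates), and mimics the geoip filter's tagging so that the two filter orders can be compared on the same constructed event. It also goes one step beyond the thread by showing that a private source address produces the same tag even with the correct order, because such ranges are not in GeoLite2. All function names (dissect, grok_cef, geoip, original_order, fixed_order) and the sample data are this example's own.

```python
import ipaddress
import re

# Constructed sample event, shaped like the one pasted in the thread
# (syslog header followed by a CEF record); the extension values are made up.
SAMPLE_LINE = (
    "<15> 2024-07-03T19:47:31Z myhost tmes[1]: "
    "CEF:0|Trend Micro|TMES|1.0.0.0|44535354|TRACKING|4|"
    "src=1.1.1.1 suser=user@test.com duser=user2@user.com "
    "direction=incoming reason=Sender domain not found"
)
# Same event with a private source address, which GeoLite2 does not contain.
SAMPLE_LINE_PRIVATE = SAMPLE_LINE.replace("src=1.1.1.1", "src=10.0.0.5")

# Constructed stand-in for the GeoLite2-City database: one address, fake values,
# using the legacy geoip output names the thread's config refers to.
GEO_DB = {
    "1.1.1.1": {"country_iso_code": "ZZ", "latitude": 12.34, "longitude": 56.78},
}

FAILURE_TAG = "_geoip_lookup_failure"  # the plugin's default tag_on_failure

# Regex equivalent of the thread's dissect mapping:
#   "<%{pri}> %{timestamp} %{hostname} %{app}[%{pid}]: %{cef_data}"
DISSECT_RE = re.compile(
    r"^<(?P<pri>[^>]*)> (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>[^\[]+)\[(?P<pid>[^\]]*)\]: (?P<cef_data>.*)$"
)
# CEF header fields in the order the thread's grok pattern names them.
CEF_HEADER = ["device_vendor", "device_product", "device_version",
              "signature_id", "Description", "email_severity"]
# key=value extensions; values may contain spaces, so stop before the next key.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def tag(event, name):
    """Add a tag once, like Logstash's tag_on_failure handling."""
    if name not in event["tags"]:
        event["tags"].append(name)
    return event


def dissect(event):
    """Split the syslog envelope; pri/timestamp/hostname/app/pid/cef_data
    only exist on the event after this stage has run."""
    m = DISSECT_RE.match(event.get("message", ""))
    if not m:
        return tag(event, "_dissectfailure")
    event.update(m.groupdict())
    return event


def grok_cef(event):
    """Split the CEF header (7 pipe-delimited fields) and the extensions."""
    parts = event.get("cef_data", "").split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return tag(event, "_grokparsefailure")
    event["cef_version"] = parts[0][len("CEF:"):]
    event.update(zip(CEF_HEADER, parts[1:7]))
    for key, value in CEF_EXT_RE.findall(parts[7]):
        event[key] = value
    return event


def geoip(event, source="src", target="geoip", db=GEO_DB):
    """Mimic logstash-filter-geoip: tag the event when the source field is
    missing, is not an IP address, is not a public address, or has no
    database entry; otherwise write the lookup result under the target."""
    value = event.get(source)
    if value is None:
        return tag(event, FAILURE_TAG)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return tag(event, FAILURE_TAG)
    if not ip.is_global:  # private/reserved ranges are absent from GeoLite2
        return tag(event, FAILURE_TAG)
    hit = db.get(str(ip))
    if hit is None:
        return tag(event, FAILURE_TAG)
    event[target] = dict(hit)
    return event


def run_pipeline(line, stages):
    """Run the filter stages in order on a fresh event, as Logstash would."""
    event = {"message": line, "tags": []}
    for stage in stages:
        stage(event)
    return event


def original_order(line):
    """geoip before the parsers, as in the first config of the thread."""
    return run_pipeline(line, [geoip, dissect, grok_cef])


def fixed_order(line):
    """Parsers first, so [src] exists by the time geoip runs."""
    return run_pipeline(line, [dissect, grok_cef, geoip])


if __name__ == "__main__":
    for name, fn in (("original", original_order), ("fixed", fixed_order)):
        ev = fn(SAMPLE_LINE)
        print(name, "src=", ev.get("src"), "tags=", ev["tags"], "geoip=", ev.get("geoip"))
    print("private", fixed_order(SAMPLE_LINE_PRIVATE)["tags"])
```

In the original order the event ends up with both a populated "src" field and the "_geoip_lookup_failure" tag, which is exactly the output pasted above: the field is there, but it was created after the lookup had already failed. Moving the parsers first clears the tag; renaming the field does not change that.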