Geoip NOT WORKING HELP

Input.conf
input {
  beats {
    port => 5044
    type => "ioc"
  }
  beats {
    port => 5043
    type => "packetbeat"
  }
  beats {
    port => 5045
    type => "snort"
  }
}

logstash.conf
filter {
  date {
    match => ["timestamp", "dd/MM/yyyy:HH:mm:ss Z"]
  }
  if [type] == "snort" {
    csv {
      separator => ","
      columns => ["datetime","msg","proto","src_ip","src_port","dst_ip","dst_port","priority"]
    }
    geoip {
      # the source field name must match the csv column exactly (no trailing space)
      source => "src_ip"
      target => "geoip"
      database => "/home/fyp/Desktop/GeoLite2-City.mmdb"
      add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]
      add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]
    }
    mutate {
      convert => ["[geoip][coordinates]", "float"]
    }
  }
  else if [type] == "ioc" {
    csv {
      separator => ","
      columns => ["name","value"]
    }
  }
}

output.conf
output {
  stdout { codec => "rubydebug" }
  if [type] == "snort" {
    elasticsearch {
      index => "snort"
      document_type => "snort"
    }
  }
  else if [type] == "ioc" {
    elasticsearch {
      index => "ioc"
      document_type => "ioc"
    }
  }
  else {
    elasticsearch {
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "geoip-info"
    }
  }
}

@leea From what I see in your configuration and the title of your post 'GEOIP', I believe it's a problem with Logstash.

Can you add a bit more details about your issue, the behavior you are experiencing and the expected results? Also adding Logstash, Beats and Elasticsearch version can help to narrow down your problem.

In Kibana there is a _geoip_lookup_failure tag and there are no geoip fields being shown.
ELK version 6.2.4

@leea The "_geoip_lookup_failure" tag is generated by the geoip filter in Logstash. Looking at your configuration, I see that you are parsing the src_ip field, and in the example you provide the value of src_ip is 192.168.0.148, which is from a private IP range. These IPs won't be resolvable by the geoip filter.

You can add a conditional in your filter block to skip them.

# dots escaped so the pattern matches a literal 192.168. prefix only
if [src_ip] !~ /^192\.168\./ {
  geoip {
    source => "src_ip"
    target => "geoip"
    database => "/home/fyp/Desktop/GeoLite2-City.mmdb"
    add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]
    add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]
  }
}
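The conditional above only skips the 192.168.0.0/16 block; 10.0.0.0/8, 172.16.0.0/12, loopback, link-local and the other non-routable ranges produce the same _geoip_lookup_failure tag. The Ruby script below is an added example, not code from this thread or from Logstash: it parses a Snort line with the column list from the question (plain comma separator, as the csv filter uses) and decides whether a geoip lookup on src_ip is worth attempting. The function names geolocatable? and classify_snort_line, the SAMPLE_LINES and the address list are all chosen here.

```ruby
require "ipaddr"

# Column layout the thread's csv filter declares for Snort events.
SNORT_COLUMNS = %w[datetime msg proto src_ip src_port dst_ip dst_port priority].freeze

# Address blocks a GeoLite2 city database will never resolve: RFC 1918 private
# space plus loopback, link-local, CGNAT, "this network", multicast and reserved.
NON_GEOLOCATABLE = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  127.0.0.0/8 169.254.0.0/16 100.64.0.0/10
  0.0.0.0/8 224.0.0.0/4 240.0.0.0/4
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when +value+ parses as an IP address that lies outside every block above.
# A missing field (nil), an empty string or junk such as a field name returns
# false, so the caller skips the lookup instead of tagging a failure.
def geolocatable?(value)
  text = value.to_s.strip
  return false if text.empty?
  addr = IPAddr.new(text)
  NON_GEOLOCATABLE.none? do |block|
    block.family == addr.family && block.include?(addr)
  end
rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
  false
end

# Mirrors the thread's csv filter (plain comma separator, no quoting) followed
# by the geoip conditional: parse one Snort line into a field hash and record
# whether the geoip filter should run on its source address.
def classify_snort_line(line)
  event = SNORT_COLUMNS.zip(line.chomp.split(",", -1)).to_h
  event["geoip_candidate"] = geolocatable?(event["src_ip"])
  event
end

# Constructed sample lines (not taken from the thread): the private source
# address from the question, a well-known public address, a 10/8 address and
# a malformed value.
SAMPLE_LINES = [
  "04/19/18-12:00:01,ICMP PING,ICMP,192.168.0.148,0,8.8.8.8,0,3",
  "04/19/18-12:00:02,DNS response,UDP,8.8.8.8,53,192.168.0.148,49152,3",
  "04/19/18-12:00:03,Port scan,TCP,10.20.30.40,51234,192.168.0.2,22,2",
  "04/19/18-12:00:04,Bad line,TCP,not-an-ip,80,192.168.0.2,8080,1",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |line|
    ev = classify_snort_line(line)
    verdict = ev["geoip_candidate"] ? "geoip lookup" : "skip lookup"
    puts "#{ev['src_ip'].ljust(15)} -> #{verdict}"
  end
end
```

Two things worth checking with this script before blaming the database: geolocatable? returns false for a nil field, which is exactly what a geoip `source` name with a trailing space produces (the event has `src_ip`, not `src_ip `, so the filter sees nothing and tags the failure), and it returns false for every RFC 1918 block rather than just 192.168. Inside Logstash the same decision can be taken with the `cidr` filter, or with a `ruby` filter that reads the field via `event.get("src_ip")` and sets a tag the geoip conditional checks.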

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.