Getting geoip to work in ELK 5

Hello, all.

I hope I'm in the right forum for my problem. I've recently gotten the ELK 5.x stack set up and working. With the exception of geoip, that is. I've posted my config files here: https://pastebin.com/i0v5s0jR. I have six indices - log, logstash, filebeat, winlogbeat, packetbeat, and topbeat (log is an alias for aggregating the logstash, filebeat, and winlogbeat indices). I can see geoip-related output in the filebeat index, as in the following:

{
  "_index": "filebeat-2017.06.23",
  "_type": "apache-access",
  "_id": "AVzU-6DBskuRy8qeQkAy",
  "_version": 1,
  "_score": null,
  "_source": {
    "agent": "\"-\"",
    "geoip": {
      "timezone": "Asia/Hong_Kong",
      "ip": "164.52.7.132",
      "latitude": 22.25,
      "country_name": "Hong Kong",
      "country_code2": "HK",
      "coordinates": [
        114.1667,
        22.25
      ],
      "continent_code": "AS",
      "country_code3": "HK",
      "location": {
        "lon": 114.1667,
        "lat": 22.25
      },
      "longitude": 114.1667
    },
    "offset": 25593777,
    "auth": "-",
    "ident": "-",
    "input_type": "log",
    "count": 1,
    "source": "/var/log/httpd/access_log",
    "message": "164.52.7.132 - - [23/Jun/2017:08:44:23 -0400] \"USER test +iw test :Test Wuz Here\" 400 309 \"-\" \"-\"",
    "type": "apache-access",
    "tags": [
      "log",
      "beats_input_codec_plain_applied",
      "geoip"
    ],
    "referrer": "\"-\"",
    "@timestamp": "2017-06-23T12:44:23.000Z",
    "response": "400",
    "bytes": "309",
    "clientip": "164.52.7.132",
    "@version": "1",
    "beat": {
      "hostname": "mailout1.na39.com",
      "name": "mailout1.na39.com"
    },
    "host": "mailout1.na39.com",
    "rawrequest": "USER test +iw test :Test Wuz Here",
    "fields": null,
    "timestamp": "23/Jun/2017:08:44:23 -0400"
  },
  "fields": {
    "@timestamp": [
      1498221863000
    ]
  },
  "sort": [
    1498221863000
  ]
}

However, I can't see it in the log or logstash indices. In Kibana, when I try to create a tile map visualization using the filebeat index, I see the map, but get this in the field metric: "No Compatible Fields: The 'filebeat-*' index pattern does not contain any of the following field types: geo_point". If I try to use the logstash index, I see the map until I try to search on a particular host, when I get "No results found". That's probably because there are no geoip-related fields returned by logstash.

I hope I'm clear as to what I've conveyed above. Your help, as always, would be greatly appreciated.
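An added example, not part of the thread above and not taken from the poster's configs or from Elastic's code: a small Python script that shows why Kibana reports no geo_point field for filebeat-* even though the documents carry geoip.location, and the index template that fixes it on Elasticsearch 5.x. Kibana checks the index mapping, not the documents. Logstash's built-in template maps geoip.location as geo_point only for indices named logstash-*; a filebeat-* index falls back to dynamic mapping, which turns {"lat": ..., "lon": ...} into an object of two float fields. The two sample mappings in the script are constructed to illustrate that difference; the Elasticsearch host, the template name filebeat-geoip and the put_template helper are assumptions for this example.

```python
"""Diagnose a missing geo_point mapping and build the index template that adds it.

Added example, not code from the thread. The sample mappings below are constructed
to mirror the shape of GET <index>/_mapping on Elasticsearch 5.x; only the fields
relevant to a Kibana tile map are shown.
"""
import json
import sys
import urllib.request
from typing import Dict, Iterator, Tuple

# Constructed sample: what dynamic mapping gives the geoip object in a filebeat-*
# index that no template covers. location is an object of two floats, not a geo_point,
# so Kibana's tile map cannot use it even though every document carries lat/lon.
DYNAMIC_FILEBEAT_MAPPING = {
    "filebeat-2017.06.23": {
        "mappings": {
            "apache-access": {
                "properties": {
                    "clientip": {"type": "text"},
                    "geoip": {
                        "properties": {
                            "ip": {"type": "text"},
                            "latitude": {"type": "float"},
                            "longitude": {"type": "float"},
                            "location": {
                                "properties": {
                                    "lat": {"type": "float"},
                                    "lon": {"type": "float"},
                                }
                            },
                        }
                    },
                }
            }
        }
    }
}

# Constructed sample: the same fields in an index created *after* the template below
# was installed. Templates only apply to indices created afterwards; an existing index
# keeps its old mapping until it is reindexed.
MAPPING_AFTER_TEMPLATE = {
    "filebeat-2017.06.24": {
        "mappings": {
            "apache-access": {
                "properties": {
                    "clientip": {"type": "text"},
                    "geoip": {
                        "properties": {
                            "ip": {"type": "text"},
                            "latitude": {"type": "float"},
                            "longitude": {"type": "float"},
                            "location": {"type": "geo_point"},
                        }
                    },
                }
            }
        }
    }
}


def _walk(index: str, properties: Dict, prefix: str) -> Iterator[Tuple[str, str]]:
    """Recurse through a properties block, yielding (index, dotted path) for geo_points."""
    for name, field in properties.items():
        path = prefix + name
        if field.get("type") == "geo_point":
            yield index, path
        # object fields carry their own nested "properties" block
        yield from _walk(index, field.get("properties", {}), path + ".")


def geo_point_fields(mapping: Dict) -> Iterator[Tuple[str, str]]:
    """Yield every field mapped as geo_point in a GET _mapping response (index -> mappings -> type)."""
    for index, body in mapping.items():
        for type_mapping in body.get("mappings", {}).values():
            yield from _walk(index, type_mapping.get("properties", {}), "")


def geoip_template(index_pattern: str = "filebeat-*") -> Dict:
    """Elasticsearch 5.x index template mapping geoip.location as geo_point for every type.

    "order": 1 layers it on top of the Beats template (order 0) instead of replacing it.
    In 6.x the "template" key became "index_patterns" and _default_ was deprecated.
    """
    location = {"location": {"type": "geo_point"}}
    return {
        "template": index_pattern,
        "order": 1,
        "mappings": {"_default_": {"properties": {"geoip": {"properties": location}}}},
    }


def put_template(host: str, name: str, template: Dict) -> int:
    """PUT <host>/_template/<name>; returns the HTTP status. Needs a live cluster (assumed host)."""
    req = urllib.request.Request(
        f"{host.rstrip('/')}/_template/{name}",
        data=json.dumps(template).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    print("geo_point fields, dynamic mapping:", list(geo_point_fields(DYNAMIC_FILEBEAT_MAPPING)))
    print("geo_point fields, after template: ", list(geo_point_fields(MAPPING_AFTER_TEMPLATE)))
    print(json.dumps(geoip_template(), indent=2))
    if len(sys.argv) > 1:  # e.g. python geoip_template.py http://localhost:9200
        print("PUT _template/filebeat-geoip ->", put_template(sys.argv[1], "filebeat-geoip", geoip_template()))
```

Templates affect only indices created after they are installed, so the existing filebeat-2017.06.23 index keeps its float mapping until it is reindexed or the next day's index rolls over; refresh the Kibana index pattern's field list afterwards. The same template JSON can instead be loaded by the Logstash elasticsearch output with its template, template_name and template_overwrite options, which keeps it alongside the pipeline config rather than as a one-off curl.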

Hi, all.

I've re-up'd my config files in the hopes that someone can help me out. https://pastebin.com/b1qTTX7g

Best,

Diggy
