Oh, okay. I didn't remember that logstash-forwarder (which is deprecated—you should switch to Filebeat) placed each line in the line field. That's okay, but it means you need to tell the grok filter to parse that field instead of the message field that you don't have. When that's done you can point the geoip filter to the field containing the IP address.