gourab.jtv | March 16, 2017, 3:21pm | #1
I am trying to find the IP address of the HTTP request sender (using the Logstash HTTP input plugin) in Logstash.
curl -XPUT 'http://127.0.0.1:8080/twitter/tweet/1' -d 'hello'
My config file for logstash is:
input {
 http {
    host => "127.0.0.1"
    port => "8080"
  }
}
filter {
    geoip {
      source =>    #I want the IP of the sender here
      target => "geoip"
      database => "/home/gourab/logstash-5.2.2/GeoIP2-City.mmdb"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["192.168.1.193:9200"]
        action => "index"
        index => "temp_load_index"
    }
} 
            
              
            
           
          
            
            
Is the IP coming from an Apache log? Can you provide the logs that have the IP address and your grok parse statement?
Sorry, I see what you are saying. You want the IP address of someone hitting Logstash directly? I'm not sure how that could be done, as I have never seen that use case. Is there a reason you are using Logstash as a web server?
             
            
              
            
           
          
            
            
              Isn't this information stored in the host field?
             
            
              
            
           
          
            
              
gourab.jtv | March 17, 2017, 7:01am | #4
               
             
            
No, it's not stored anywhere. I just want to know the IP of the system that is sending the HTTP request to Logstash.
             
            
              
            
           
          
            
            
              It's certainly stored in host for me:
$ cat test.config 
input {
 http {
    host => "127.0.0.1"
    port => "8080"
  }
}
output { stdout { codec => rubydebug } }
$ /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "hello",
      "@version" => "1",
    "@timestamp" => "2017-03-17T07:04:06.866Z",
          "host" => "127.0.0.1",
       "headers" => {
         "request_method" => "PUT",
           "request_path" => "/twitter/tweet/1",
            "request_uri" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
        "http_user_agent" => "curl/7.26.0",
              "http_host" => "127.0.0.1:8080",
            "http_accept" => "*/*",
         "content_length" => "5",
           "content_type" => "application/x-www-form-urlencoded"
    }
}
(Using the exact same curl command that you posted.)
             
            
              
            
           
          
            
              
gourab.jtv | March 17, 2017, 7:10am | #6
               
             
            
              If I am not wrong we can read the header of the HTTP request sender.
"headers" : {
            "http_accept" : "*/*",
            "content_type" : "application/x-www-form-urlencoded",
            "request_path" : "/twitter/tweet/1",
            "http_version" : "HTTP/1.1",
            "request_method" : "PUT",
            "http_host" : "127.0.0.1:8080",
            "request_uri" : "/twitter/tweet/1",
            "content_length" : "5",
            "http_user_agent" : "curl/7.47.0"
          },
I just wished to know the IP of the sender.
             
            
              
            
           
          
            
              
gourab.jtv | March 17, 2017, 7:11am | #7
               
             
            
I think host is the IP of the system that is running Logstash. I want the IP of the sent message "hello" to my Logstash.
             
            
              
            
           
          
            
            
              
I think host is the IP of the system that is running the Logstash.
 
The source code indicates otherwise.
  
  
    
    
      
          # proc needs to be defined at this context 
          # to capture @codecs, @logger and lowercase_keys 
          p = Proc.new do |req| 
            begin 
              remote_host = req['puma.socket'].peeraddr[3] 
              REJECTED_HEADERS.each {|k| req.delete(k) } 
              req = lowercase_keys(req) 
              body = req.delete("rack.input") 
              @codecs.fetch(req["content_type"], @codec).decode(body.read) do |event| 
                event.set("host", remote_host) 
                event.set("headers", req) 
                decorate(event) 
                queue << event 
              end 
              ['200', @response_headers, ['ok']] 
            rescue => e 
              @logger.error("unable to process event #{req.inspect}. exception => #{e.inspect}") 
              ['500', @response_headers, ['internal error']] 
            end 
          end 
       
     
  
    
    
  
  
 
This is very easy for you to verify. If you have evidence that it really is the IP address of the local host then please present it.
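
The peeraddr behaviour the quoted handler relies on, as an added example that is not part of the original post or of the plugin's code: a constructed loopback exchange showing that peeraddr[3] is the numeric address of the remote end of the connection, while addr describes the listening side. The names event_for and demo, and the extra port fields, are hypothetical and exist only for this illustration.

```ruby
require "socket"

# Hypothetical stand-in for the plugin's handler: derives the event's
# "host" from the accepted socket the same way the quoted Proc does.
def event_for(conn, body)
  peer  = conn.peeraddr   # [family, remote_port, hostname, numeric_ip]
  local = conn.addr       # same layout, but for the local (server) side
  {
    "message"    => body,
    "host"       => peer[3],   # numeric address of the remote end
    "peer_port"  => peer[1],   # port the sender connected from
    "local_port" => local[1],  # port the listener accepted on
  }
end

# Constructed exchange: a listener on an ephemeral loopback port and one
# client that sends "hello", standing in for the curl request.
def demo
  server = TCPServer.new("127.0.0.1", 0)
  client = TCPSocket.new("127.0.0.1", server.addr[1])
  conn   = server.accept
  client.write("hello")
  client.close_write                  # signal end of body so read returns
  event = event_for(conn, conn.read)
  event["client_port"] = client.addr[1]
  event["server_port"] = server.addr[1]
  event
ensure
  [conn, client, server].each { |s| s&.close }
end

puts demo.inspect
```

On loopback both ends are 127.0.0.1, so only the ports show which side peeraddr describes; the same reasoning means that a reverse proxy or load balancer in front of the listener becomes the TCP peer, and host then holds its address rather than the original sender's.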
             
            
              
                
            
           
          
            
              
gourab.jtv | March 17, 2017, 9:11am | #9
               
             
            
Thanks. host is what I was looking for. (The problem was that I was running it on local systems; that's why it was 127.0.0.1.)
             
            
              
            
           
          
            
              