How to get the IP address of the HTTP request sender using logstash?

Elastic Stack Logstash
#1

I am trying to find the IP address of the HTTP request sender (using Logstash HTTP input plugin) in logstash.

curl -XPUT 'http://127.0.0.1:8080/twitter/tweet/1' -d 'hello'

My config file for logstash is:

input {
 http {
    host => "127.0.0.1"
    port => "8080"
  }
}

filter {
    geoip {
      source =>    #I want the IP of the sender here
      target => "geoip"
      database => "/home/gourab/logstash-5.2.2/GeoIP2-City.mmdb"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => ["192.168.1.193:9200"]
        action => "index"
        index => "temp_load_index"
    }
}
#2

is the ip coming from an apache log? can you provide the logs that have the ipaddress and your grok parse statement?

sorry, i see what you are saying. You want the ipaddress of someone hitting logstash directly? Im not sure how that could be done as i have never seen that use case. is there a reason you are using logstash as a web server?

#3

Isn't this information stored in the host field?

#4

No, it's not stored anywhere. I just want to know IP of the system that is sending the HTTP request to logstash.

#5

It's certainly stored in host for me:

$ cat test.config 
input {
 http {
    host => "127.0.0.1"
    port => "8080"
  }
}
output { stdout { codec => rubydebug } }
$ /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 8
Pipeline main started
{
       "message" => "hello",
      "@version" => "1",
    "@timestamp" => "2017-03-17T07:04:06.866Z",
          "host" => "127.0.0.1",
       "headers" => {
         "request_method" => "PUT",
           "request_path" => "/twitter/tweet/1",
            "request_uri" => "/twitter/tweet/1",
           "http_version" => "HTTP/1.1",
        "http_user_agent" => "curl/7.26.0",
              "http_host" => "127.0.0.1:8080",
            "http_accept" => "*/*",
         "content_length" => "5",
           "content_type" => "application/x-www-form-urlencoded"
    }
}

(Using the exact same curl command that you posted.)

#6

If I am not wrong we can read the header of the HTTP request sender.

"headers" : {
            "http_accept" : "*/*",
            "content_type" : "application/x-www-form-urlencoded",
            "request_path" : "/twitter/tweet/1",
            "http_version" : "HTTP/1.1",
            "request_method" : "PUT",
            "http_host" : "127.0.0.1:8080",
            "request_uri" : "/twitter/tweet/1",
            "content_length" : "5",
            "http_user_agent" : "curl/7.47.0"
          },

I just wished to know if the IP of the sender.

#7

I think host is the IP of the system that is running the Logstash. I want the IP of the sent message "hello" to my logstash.

#8

I think host is the IP of the system that is running the Logstash.

The source code indicates otherwise.

This is very easy for you to verify. If you have evidence that it really is the IP address of the local host then please present them.

How can I add the request IP address to every document?
#9

Thanks. host is what I was looking for. (The problem was I was running it on local systems that's why 127.0.0.1)

#10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.