How to rightly use geoip filter & get latitude & longitude to visualize in Map

Hello Guys,

I have geoip plugin installed in elasticsearch and I have used the below logstash config -

if "ng" in [tags] {
  grok {
    # Literal brackets and quotes in the log line must be escaped inside the grok string
    match => {
      "message" => "%{IP:service_ip} - - \[%{HTTPDATE:service_timestamp}\] \"%{WORD:service_method} /%{NOTSPACE:service_request_page} %{WORD:service_request}/%{NUMBER:service_http_version}\" %{NUMBER:service_server_response}"
    }
  }
  # Look up the client address extracted above
  geoip { source => "service_ip" }
}

But the events are not getting any of the geoip fields and are tagged under _geoip_lookup_failure.

Your help is required here!

Can you give an example of an IP that gets that failure tag?

Hi Badger, it's the 10.6 series! It is a container networking IP within a tenant.

10/8, like 192.168/16, is a reserved network. It has different locations for different people. For me, 192.168.1.1 is a wireless hub across the room from me. That is probably true for millions of people, so every one of those people would need a different geoip database to resolve the location of reserved networks. This is why you get a lookup failure for reserved networks with the default database.

It would be possible to build your own custom database for the reserved networks you have to deal with.
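One practical way to apply this in the pipeline, as an added example rather than code from the thread: gate the geoip lookup with a cidr filter so that addresses in the reserved ranges (10/8, 172.16/12, 192.168/16, loopback) are tagged as private instead of failing the lookup, and only public addresses reach the default GeoLite2 database. The tag name private_ip, the target field geoip, and the commented-out custom-database path are assumptions for illustration; the cidr and geoip filter options used here are standard Logstash options.

```logstash
filter {
  if "ng" in [tags] {
    grok {
      match => {
        "message" => "%{IP:service_ip} - - \[%{HTTPDATE:service_timestamp}\] \"%{WORD:service_method} /%{NOTSPACE:service_request_page} %{WORD:service_request}/%{NUMBER:service_http_version}\" %{NUMBER:service_server_response}"
      }
    }

    # Tag RFC 1918 and loopback sources; the public database has no location for them
    cidr {
      address => [ "%{service_ip}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
      add_tag => [ "private_ip" ]   # assumed tag name
    }

    if "private_ip" not in [tags] {
      # Public address: resolve with the bundled GeoLite2 City database
      geoip {
        source => "service_ip"
        target => "geoip"           # geoip.location becomes a geo_point for the map
      }
    } else {
      # Private address: optionally resolve against your own MMDB of tenant ranges
      # (placeholder path; build this database yourself as suggested above)
      # geoip {
      #   source   => "service_ip"
      #   target   => "geoip"
      #   database => "/etc/logstash/custom/tenant-ranges.mmdb"
      # }
    }
  }
}
```

With this in place, events from container addresses carry the private_ip tag and no _geoip_lookup_failure, while events from public clients get geoip.location, which Kibana can plot once the index template maps that field as geo_point.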

