How to set up Logstash with GeoIP


(Maile Halatuituia) #1

I want to enable this


(Magnus Bäck) #2

Please explain better what you're trying to achieve and what you have so far. What does your data look like, for example?


(Maile Halatuituia) #3

Hi Magnus
I am collecting my DNS log and I am able to do so with Packetbeat sending DNS logs to the ELK stack. All I want to do now is to add the geographical data for client queries to my DNS server.
I can share with you my Kibana web interface if that will help provide more detail, as I am new to this.
FYI
I just heard about the ELK Stack from someone else and googled everything, and was able to put things together just last week after 3 weeks of searching ... woohoo !!! I made it ...
Anyway, the point is I am new and not a programmer, but hopefully I will be able to get the most out of this wonderful application.

Hope to hear you soon.

Maile.


(Magnus Bäck) #4

If you're sending Packetbeat data via Logstash, use the geoip filter plugin to turn IP addresses into latitude/longitude values. If you're sending Packetbeat data directly to Elasticsearch (and you're using ES 5.0 or later) use the GeoIP ingest processor.


(Maile Halatuituia) #5

Yes I am using ES 5.1 .... Could you suggest a link or hint for proposed method above ....
Thanks in advance ..
Maile.


(Magnus Bäck) #6

Which of the methods? I briefly described two of them.


(Maile Halatuituia) #7

I guess it is the first I am using, as Output Logstash is set on my Packetbeat config .....


(Maile Halatuituia) #8

Do you think this is what I am looking for ???
https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-geoip.html


(Maile Halatuituia) #9

On this link I sent above, where I can out step number 2 ........


(Maile Halatuituia) #10

Should I change anything in the Logstash config ???
Appreciate your kind reply.
Thanks
Maile.


(Maile Halatuituia) #11

Anybody here ???


(Maile Halatuituia) #12

Hi Magnus
Can you reply to my email above ...
Thanks.


(Magnus Bäck) #13

> I guess it is the first i am using as Output Logstash set on my packetbeat config .....

Then add a geoip filter to your Logstash configuration and point it at the field where you have the IP address you want to visualize, e.g. like this:

filter {
  geoip {
    source => "name-of-ip-address-field"
  }
}

> Can you reply to my email above ...

Do you really expect me to respond to your questions at 21:30 on a Sunday night?
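
A fuller pipeline built around the geoip filter suggested in this thread, as an added example that is not part of any post above. It assumes Packetbeat 5.x DNS events with the client address in `client_ip`, a Beats listener on port 5044, Elasticsearch on `localhost:9200`, and the bundled `cidr` filter plugin; the `client_geoip` target and `internal_client` tag are names chosen for illustration.

```logstash
# Added example: field names, port, hosts and tag names are assumptions.
input {
  beats {
    port => 5044                      # port Packetbeat's Logstash output points at
  }
}

filter {
  # Only enrich DNS transactions that actually carry a client address.
  if [type] == "dns" and [client_ip] {
    # Private and loopback clients have no entry in the GeoIP database,
    # so tag them instead of producing a lookup failure on every event.
    cidr {
      address => [ "%{client_ip}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
      add_tag => [ "internal_client" ]
    }

    if "internal_client" not in [tags] {
      geoip {
        source => "client_ip"         # field holding the querying client's IP
        target => "client_geoip"      # enrichment is written under this field
        tag_on_failure => [ "_geoip_lookup_failure" ]
      }
    }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "packetbeat-%{+YYYY.MM.dd}"
  }
}
```

A Kibana map only works if the `location` subfield under the target is mapped as `geo_point` in the index template, so check the mapping before building the visualization.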


(Maile Halatuituia) #14

Sorry Magnus

Appreciate your kind reply.

Will send you more mail tomorrow as I was away today.

Regards

Maile.

