How to set up Logstash with geoip

(Maile Halatuituia) #1

I want to enable this

(Magnus Bäck) #2

Please explain better what you're trying to achieve and what you have so far. What does your data look like, for example?

(Maile Halatuituia) #3

Hi Magnus
I am collecting my DNS logs and I am able to do so with Packetbeat sending DNS logs to the ELK stack. All I want to do now is to add the geographical data for clients' queries to my DNS server.
I can share with you my Kibana web interface if that will help provide more detail, as I am new to this.
I just heard of ELK Stack from someone else and googled everything and was able to put things together just last week after 3 weeks of searching ... woohoo !!! I made it ...
Anyway, the point is I am new and not a programmer, but hopefully I will be able to get the most out of this wonderful application.

Hope to hear you soon.


(Magnus Bäck) #4

If you're sending Packetbeat data via Logstash, use the geoip filter plugin to turn IP addresses into latitude/longitude values. If you're sending Packetbeat data directly to Elasticsearch (and you're using ES 5.0 or later) use the GeoIP ingest processor.

(Maile Halatuituia) #5

Yes I am using ES 5.1 .... Could you suggest a link or hint for proposed method above ....
Thanks in advance ..

(Magnus Bäck) #6

Which of the methods? I briefly described two of them.

(Maile Halatuituia) #7

I guess it is the first I am using, as Output Logstash is set on my Packetbeat config .....

(Maile Halatuituia) #8

Do you think this is what I am looking for ???

(Maile Halatuituia) #9

On this link I sent above where I can out step number 2 ........

(Maile Halatuituia) #10

Should I change anything on the Logstash config ???
Appreciate your kind reply.

(Maile Halatuituia) #11

Anybody here ???

(Maile Halatuituia) #12

Hi Magnus
Can you reply to my email above ...

(Magnus Bäck) #13

> I guess it is the first i am using as Output Logstash set on my packetbeat config .....

Then add a geoip filter to your Logstash configuration and point it at the field where you have the IP address you want to visualize, e.g. like this:

filter {
  geoip {
    # Field that holds the IP address to look up
    source => "name-of-ip-address-field"
  }
}

> Can you reply to my email above ...

Do you really expect me to respond to your questions at 21:30 on a Sunday night?
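
A fuller pipeline for the Packetbeat DNS case discussed in this thread, added here as an example and not part of any post above. The Beats port, the `client_ip` field name (Packetbeat 5.x's client address field), the Elasticsearch host and the index name are assumptions to adjust for your setup.

```logstash
# Added example, not from the thread.
# Assumed: Packetbeat ships to Logstash on port 5044, DNS events carry the
# querying client's address in "client_ip", Elasticsearch is on localhost:9200.
input {
  beats {
    port => 5044
  }
}

filter {
  # Enrich only DNS transactions that actually have a client address.
  if [type] == "dns" and [client_ip] {
    geoip {
      source => "client_ip"
      # Lookup results (country, city, location, ...) are stored under this field.
      target => "geoip"
      # Addresses missing from the database (RFC 1918 clients, for instance)
      # are tagged instead of enriched, so they are easy to filter in Kibana.
      tag_on_failure => ["_geoip_lookup_failure"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # The index template installed by this output maps geoip.location as
    # geo_point only for indices matching logstash-*; with another index
    # name, add that mapping to your own template before using a map
    # visualization.
    index => "logstash-packetbeat-%{+YYYY.MM.dd}"
  }
}
```

Clients on private address ranges will not resolve to a location, so a map of DNS clients only shows queries arriving from public addresses.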

(Maile Halatuituia) #14

Sorry Magnus

Appreciate your kind reply.

Will send you more mail tomorrow as I was away today.



(system) #15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.