How to use geoip logstash filter?

DharaniKumar · July 18, 2017, 7:12am

In my log file i've lat and lon values in separate fields. I cant able to use tile map in kibana.

I have these details in my log file. Can some one guide me how to use it in to tilemap in kibana.

Thanks in advance.

magnusbaeck · July 18, 2017, 7:17am

In short you have to

make sure the mapping of your index configures a designated field as a geo_point field (this is typically done via an index template), and
store your lat and lon values in that field in one of the formats that ES will recognize as geo_point (this is described in the ES documentation for geo_point).

DharaniKumar · July 18, 2017, 7:20am

"geoip": {
"dynamic": "true",
"properties": {
"location": {
"type": "geo_point"
}

this is my index template @magnusbaeck.

magnusbaeck · July 18, 2017, 10:04am

What do the actual mappings of your index look like? What does an example event look like (copy/paste from Kibana's JSON tab in the Discover panel, no screenshots please)?

DharaniKumar · August 4, 2017, 6:50am

Do we need to download any database and place it in a specified path or kibana itself locate the lat and longi fields?

magnusbaeck · August 4, 2017, 7:26am

Kibana will locate the fields by itself. Just make sure the index mappings are correct.

DharaniKumar · August 4, 2017, 7:28am

yeah @magnusbaeck. What about the database?
Do i need to download it from my side or its inbuilt in kibana(5.5.0).
I'm using logstash 5.5.0 too.

magnusbaeck · August 4, 2017, 7:32am

What database are you talking about?

DharaniKumar · August 4, 2017, 7:34am

GeoLite2 database?!?!?! A city database to locate geolocation.

magnusbaeck · August 4, 2017, 7:59am

As documented the geoip filter ships with a GeoIP database so you don't have to do anything about it, although the bundled database might be out of date. The documentation contains a paragraph or two about it.

DharaniKumar · August 4, 2017, 10:37am

"passcodeEnabled": "false",
"currentTimestamp": "2017-08-04 15:52:00.449",
"name": "Micromax-CBE",
"location": {
"latitude": "11.0130009",
"longitude": "76.9829831"
},

These are some datas that i inserted in location field. Lat and long fields as string.

DharaniKumar · August 4, 2017, 10:38am

but kibana does not recognise it as geopoints internally.

magnusbaeck · August 4, 2017, 10:44am

According to your index template geoip.location is the name of your geo_point field.

DharaniKumar · August 5, 2017, 6:58am

Yeah @magnusbaeck i did set location to geoip.location like as follows:
PUT /filebeat-*/?pretty
{
"mappings": {
"syslog": {
"properties": {
"geoip.location": {
"type": "geo_point"
}
}
}
}
}

and i got this error:
{
"error": {
"root_cause": [
{
"type": "invalid_index_name_exception",
"reason": "Invalid index name [filebeat-], must not contain the following characters [ , ", , \, <, |, ,, >, /, ?]",
"index_uuid": "na",
"index": "filebeat-"
}
],
"type": "invalid_index_name_exception",
"reason": "Invalid index name [filebeat-], must not contain the following characters [ , ", , \, <, |, ,, >, /, ?]",
"index_uuid": "na",
"index": "filebeat-"
},
"status": 400
}

DharaniKumar · August 5, 2017, 7:02am

i loaded my filebeat index pattern with timestamp field, so that i dont have to create filebeat index each time(eg. if i start filebeat today it will create filebeat-2017.08.04 index and so on when i start filebeat each day) when filebeat is reading some log files from my machine.

magnusbaeck · August 5, 2017, 3:26pm

My point is: If geoip.location is the field you've mapped as geo_point it's not surprising that the location field isn't recognized as geo_point. If you want location to be a geo_point you need to make sure that field is mapped as geo_point.

PUT /filebeat-*/?pretty

you're trying to create an index named, literally, filebeat-*. That's obviously not legal and isn't want you want to do anyway.

{
“mappings”: {
“syslog”: {
“properties”: {
“geoip.location”: {
“type”: “geo_point”
}
}
}
}
}

That's not how the mapping of a nested field is set. Consult the ES documentation for details.

DharaniKumar · August 7, 2017, 4:06am

@magnusbaeck as you said it’s not surprising that the location field isn’t recognized as geo_point, i do set location field as geo_point earlier. When i referred in someother disucssion thread someone said that map location as geoip.location and it still not working well as when i had geo_point in location field.

DharaniKumar · August 7, 2017, 4:12am

And also when use GET _template/filebeat command, im getting
"filebeat": {
"order": 0,
"template": "filebeat-",
"settings": { .....
..............
.............}}
If index pattern template name is filebeat-, then index name must be filebeat right?
if so when i used filebeat as index name kibana throws an error like invalid index name .

magnusbaeck · August 7, 2017, 5:19am

i do set location field as geo_point earlier.

What do the actual mappings of the index look like? Use the get mapping API.

If index pattern template name is filebeat-*, then index name must be filebeat right?

It must begin with "filebeat-", yes, but anything can follow after that. It's a wildcard pattern.

DharaniKumar · August 7, 2017, 6:00am

I tried get mapping api in 2 different ways.

GET filebeat/_mapping and it throws an error:

{
"error": {
"root_cause": [
{
"type": "index_not_found_exception",
"reason": "no such index",
"resource.type": "index_or_alias",
"resource.id": "filebeat",
"index_uuid": "na",
"index": "filebeat"
}
],
"type": "index_not_found_exception",
"reason": "no such index",
"resource.type": "index_or_alias",
"resource.id": "filebeat",
"index_uuid": "na",
"index": "filebeat"
},
"status": 404
}

GET filebeat-*/_mapping and it shows nothing than {}.