Basically, if the IP cannot be found in the database, I want to fill geoip.city_name, geoip.region_name, and geoip.country_name with a custom value like "PRIVATE ADDRESS" or "IP NOT IN DATABASE" or something similar... is this possible?
You cannot do that using the geoip filter, but if, after being processed by the geoip filter, it has a _geoip_lookup_failure tag, then you could try

    if "_geoip_lookup_failure" in [tags] {
      mutate {
        add_field => {
          "[geoip][city_name]" => "Here?"
          "[geoip][region_name]" => "West side? East side?"
          "[geoip][country_name]" => "Whatever you want!"
        }
      }
    }
I'm trying this but Logstash is giving a syntax error and then failing. Can you fix it?
    if [log][file][path]=="/opt/zimbra/log/audit.log"{
      grok {
        break_on_match => false
        match => {
          "message" => [
            "cmd=%{WORD:cmd}",
            "account=(?<account>[^;]*);",
            "DeviceType=%{WORD:deviceType}",
            "\[ip=%{IPV4:src-ip}",
            "oip=%{IPV4:src-ip}",
            "protocol=%{WORD:protocol}"
          ]
        }
      }
      geoip {
        source => "[src-ip]"
      }
      if "_geoip_lookup_failure" in [tags] {
        mutate {
          add_field => {
            "[geoip][city_name] => "PRIVATE IP"
            "[geoip][region_name]" => "PRIVATE IP"
            "[geoip][country_name]" => "PRIVATE IP"
          }
        }
      }
    }
You are missing the closing quote on the field name.
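As an added illustration (not code from this thread), the fallback described in the first answer and the audit.log pipeline from the second post, replayed in Python: the grok patterns become regexes, a miss in a stub GeoIP table adds the _geoip_lookup_failure tag, and the conditional fills the three fields. It goes one step beyond the thread by labelling RFC 1918 and loopback sources "PRIVATE IP" and any other address the table lacks "IP NOT IN DATABASE", so an internal client and an unknown public address do not end up indistinguishable in the index. The log lines, the GeoIP table and the private ranges are all constructed for the demo.

```python
import ipaddress
import re
# Constructed Zimbra audit.log lines for the demo (not real log data).
SAMPLE_LINES = [
    "2024-05-01 10:00:01,123 INFO [qtp-42] [name=alice@example.com;oip=203.0.113.5;ua=zclient;] security - cmd=Auth; account=alice@example.com; protocol=soap;",
    "2024-05-01 10:00:02,456 INFO [qtp-43] [ip=192.168.1.20;] security - cmd=Auth; account=bob@example.com; DeviceType=Android; protocol=imap;",
    "2024-05-01 10:00:03,789 INFO [qtp-44] [oip=203.0.113.77;] security - cmd=Auth; account=carol@example.com; protocol=pop3;",
]
# Constructed stand-in for the GeoIP database: a single "known" public address.
GEOIP_DB = {"203.0.113.5": {"city_name": "Springfield", "region_name": "Illinois", "country_name": "United States"}}
# Ranges the fallback labels as internal (RFC 1918 plus loopback); adjust to your network.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Python equivalents of the grok patterns from the thread (WORD -> \w+, IPV4 -> dotted quad).
GROK = [
    ("cmd", re.compile(r"cmd=(\w+)")),
    ("account", re.compile(r"account=([^;]*);")),
    ("deviceType", re.compile(r"DeviceType=(\w+)")),
    ("src-ip", re.compile(r"\[ip=(" + IPV4 + ")")),
    ("src-ip", re.compile(r"oip=(" + IPV4 + ")")),
    ("protocol", re.compile(r"protocol=(\w+)")),
]

def grok(line):
    """Try every pattern (break_on_match => false); keeps the first capture of a field (the real filter can turn a repeated src-ip into an array, worth checking)."""
    event = {"tags": []}
    for field, rx in GROK:
        m = rx.search(line)
        if m and field not in event:
            event[field] = m.group(1)
    return event

def geoip(event, source="src-ip"):
    """Mimic the geoip filter: fill [geoip] on a hit, otherwise tag the event for the conditional."""
    hit = GEOIP_DB.get(event.get(source))
    if hit:
        event["geoip"] = dict(hit)
    else:
        event["tags"].append("_geoip_lookup_failure")
    return event

def fill_missing_geoip(event, source="src-ip"):
    """The thread's conditional, extended to tell an internal address from a public one the DB lacks."""
    if "_geoip_lookup_failure" in event["tags"]:
        ip = event.get(source)
        internal = ip is not None and any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)
        label = "PRIVATE IP" if internal else "IP NOT IN DATABASE"
        event["geoip"] = {"city_name": label, "region_name": label, "country_name": label}
    return event
```

Run the three sample lines through `fill_missing_geoip(geoip(grok(line)))` to see the known public address get a real city while the other two receive the two distinct fallback labels.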