Is there a GeoIP constraint?

Wondering if the new GeoIP DB with Ver 5* is constrained to only allowing 2 active GeoIP lookups in a Logstash Filter?

I have a Logstash conf file processing Winlogbeats, Syslog, Squid Logs, Apache Logs and DNS logs. In this conf file I am trying to use the GeoIP filter to return information on Winlogbeats data, Squid data, Syslog data and Apache data. However I can only get 2 of the data sources to actually return data from GeoIP.

It does not matter which 2 sources as I have tested all sources and as soon as I uncomment a 3rd data source for processing, all GeoIP processing stops. Upon restoring the .conf file to only process 2 data sources everything work. I can change which data sources are processed and it does not make a difference as long as there is only 2 active GeoIP data sources being processed.

Prior to upgrading to Ver 5* of Logstash this was not a problem and all data sources worked.

This is the section of the .conf file for Syslog. All GeoIP configs are exactly the same except for the field to process. The new GeoLIte2-City.mmdb exists in the prescribed location.

Does anyone have any suggestions as to why this no longer works in Ver 5* ?

Thank you for the help

#203 syslog filter to process syslog data from our asus router
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
kv {
value_split => "="
geoip {
source => ["SRC"]
database => "/var/local/geoip/GeoLite2-City.mmdb"

syslog_pri { }
      date {
	  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.