Issues with geoip data in Logstash and Filebeat using IIS logs

Having a hard time getting geoip to work. I have the latest current version of Filebeat and Logstash.
Filebeat 7.7.7
The template is loaded.

One strange thing: I also get about 6 IP addresses when I use geoip, but nothing else seems to work.
Also 6 different MAC addresses.

filter {
  if [agent][type] == "filebeat" {
    # Parse the IIS W3C fields; the last column is the X-Forwarded-For value
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{WORD:sitename} %{WORD:host-hostname} %{IPORHOST:host-ip} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:host-port} %{NOTSPACE:username} %{IPORHOST:client-ip} %{NOTSPACE:client-version} %{NOTSPACE:useragent} %{NOTSPACE:cs-cookie} (-|%{URI:cs_refrer}) %{NOTSPACE:cs-host} %{NUMBER:sc-status} %{NUMBER:sc-sub-status} %{NUMBER:win32-status} %{NUMBER:sc-bytes} %{NUMBER:cs-bytes} %{NUMBER:duration} %{IPORHOST:forwarder-ip}" }
    }
    # Use the IIS timestamp from the line as the event @timestamp
    date {
      match => [ "log_timestamp", "yyyy-MM-dd HH:mm:ss" ]
    }
    # Store counters and status codes as integers, then drop the raw line
    mutate {
      convert => {
        "cs-bytes" => "integer"
        "duration" => "integer"
        "host-port" => "integer"
        "sc-bytes" => "integer"
        "sc-status" => "integer"
        "sc-sub-status" => "integer"
        "win32-status" => "integer"
      }
      remove_field => "message"
    }
    # GeoIP lookup keyed on the parsed client address
    geoip { source => ["client-ip"] }
  }
}

What is your question?

I can't figure out why it is not working. The error in tags just says geoipparsefailure.

If you are getting a _geoip_lookup_failure tag then enable log.level debug. @geoipfilter.handleEvent may then log what exception it caught.

Either use [client-ip] or "client-ip".

My issue appears to be that I have multiple IP addresses showing up in the ip field. I am getting IPv4 and IPv6.

I found my issue; the first rule is: know your data. I needed to get the XFORWARDED IP instead of client-ip.
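As an added example, not code from the thread, from Elastic or from the Logstash geoip filter: a small Python script that parses IIS W3C lines in the same column order as the grok pattern above and picks the address a GeoIP lookup should be given, preferring the first routable hop in X-Forwarded-For over c-ip. It goes a bit beyond the thread by handling comma-separated X-Forwarded-For chains (IIS logs header spaces as "+") and IPv6 clients. The sample lines are constructed, the X-Forwarded-For column being last is an assumption taken from the grok pattern, and the non-routable range list is the author's own; addresses in those ranges are what a GeoIP database has no entry for, so they are the usual cause of a lookup failure.

```python
import ipaddress

# Field names in the same order as the grok pattern in the question (assumed IIS
# W3C layout; the last column is the X-Forwarded-For value logged by IIS).
FIELDS = [
    "log_timestamp", "sitename", "host-hostname", "host-ip", "method", "page",
    "querystring", "host-port", "username", "client-ip", "client-version",
    "useragent", "cs-cookie", "cs_refrer", "cs-host", "sc-status",
    "sc-sub-status", "win32-status", "sc-bytes", "cs-bytes", "duration",
    "forwarder-ip",
]

# Ranges a GeoIP database cannot resolve (assumed list). Python's
# ipaddress.is_private also rejects the RFC 5737/3849 documentation prefixes
# used in the constructed samples, so the exclusions are spelled out here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample lines: date time s-sitename s-computername s-ip cs-method
# cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
# cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
# sc-bytes cs-bytes time-taken X-Forwarded-For
SAMPLE_LINES = [
    # direct client: c-ip is the real client, no proxy header
    "2020-06-01 12:00:01 W3SVC1 WEB01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 HTTP/1.1 Mozilla/5.0 - - www.example.com 200 0 0 512 300 15 -",
    # behind a load balancer: c-ip is the balancer, the client is in X-Forwarded-For
    "2020-06-01 12:00:02 W3SVC1 WEB01 10.0.0.5 GET /login - 443 - 10.0.0.2 HTTP/1.1 Mozilla/5.0 - - www.example.com 302 0 0 128 400 22 198.51.100.23",
    # a chain of hops; the first routable one is the client (IPv6 here)
    "2020-06-01 12:00:03 W3SVC1 WEB01 10.0.0.5 POST /api - 443 - 10.0.0.2 HTTP/1.1 curl/7.0 - - www.example.com 200 0 0 64 80 9 192.168.1.9,+2001:db8::1,+10.0.0.3",
    # IPv6 client connecting directly
    "2020-06-01 12:00:04 W3SVC1 WEB01 10.0.0.5 GET / - 443 - 2001:db8::55 HTTP/1.1 Mozilla/5.0 - - www.example.com 200 0 0 256 120 5 -",
    # internal client with no proxy header: nothing a GeoIP lookup can resolve
    "2020-06-01 12:00:05 W3SVC1 WEB01 10.0.0.5 GET /intranet - 80 - 10.0.0.77 HTTP/1.1 Mozilla/5.0 - - intranet 200 0 0 900 200 3 -",
]


def parse_iis_line(line):
    """Split one W3C line into a dict keyed like the grok pattern.
    Returns None when the column count does not match (grok would fail too)."""
    tokens = line.split()
    if len(tokens) != len(FIELDS) + 1:  # date and time are two tokens
        return None
    return dict(zip(FIELDS, [" ".join(tokens[:2])] + tokens[2:]))


def is_geoip_candidate(text):
    """True if text is a syntactically valid IP outside the non-routable ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def geoip_source(record):
    """Address to hand to a GeoIP lookup: the first routable hop of
    X-Forwarded-For, else c-ip if routable, else None (lookup would fail)."""
    candidates = []
    xff = record.get("forwarder-ip", "-")
    if xff != "-":
        # IIS replaces spaces in header values with '+', so "a, b" logs as "a,+b"
        candidates.extend(hop.strip("+ ") for hop in xff.split(","))
    candidates.append(record["client-ip"])
    for cand in candidates:
        if is_geoip_candidate(cand):
            return cand
    return None


def geoip_sources(lines):
    """Resolve the GeoIP source address for each line (None if unparseable)."""
    out = []
    for line in lines:
        record = parse_iis_line(line)
        out.append(geoip_source(record) if record else None)
    return out


if __name__ == "__main__":
    for line, src in zip(SAMPLE_LINES, geoip_sources(SAMPLE_LINES)):
        print(line.split()[10], "->", src)
```

Feeding the chosen address into a Logstash geoip filter means writing it to a dedicated field with mutate (or a ruby filter implementing the same selection) and pointing the geoip source at that field, since the filter itself takes a single field name and does not split X-Forwarded-For chains.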
