Here is a snip-it of my filter.
filter {
if "ASA" in [tags] {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => [
"message", "%{CISCOFW106023}",
"message", "%{CISCOFW313005}",
"message", "%{CISCOFW733100}"
]
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
tag_on_failure => [Unknown_event]
}
if [src_ip] != "%{RFC1918}" {
geoip {
source => "src_ip"
target => "geoip"
add_tag => [ "Cisco-src-geoip" ]
add_field => [ "[geoip][location]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][location]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][location]", "float"]
}
}
if [dst_ip] != "%{RFC1918}" {
geoip {
source => "dst_ip"
target => "geoip"
add_tag => [ "Cisco-dst-geoip" ]
add_field => [ "[geoip][location]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][location]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][location]", "float"]
}
}
if "_geoip_lookup_failure" in [tags] {
mutate {
remove_tag => [ "_geoip_lookup_failure" ]
}
}
}
For some reason the second geoip does not work correctly. when the first fails to trigger, the second fails to trigger. When the first one triggers, the second one triggers. I've been trying to wrap my brain around why it is not working. I know I could force it to close out the first geoip by doing an elseif and some sort of null command, but I would rather fix it the right way.