I parsed syslog_message to extract the IP address from my ADSL modem to check who's ringing and store it into a new text field Varx (of my logstash index). Varx is an IPv4 text value computed every hour by an update_by_query POST in a cron job. The query looks into the syslog_message string to set Varx. I developed the query in the Kibana console and use the cURL in a shell.
I would like later to use a service that fills the geoip structure (using the free MaxMind DB) by using the IPv4 stored in Varx. The last step would be to display a map in Kibana?
My question is: I did not yet find a way to do that. Parsing all non-empty Varx and setting geoip.yyy to the appropriate value returned by function(Varx).
Any accurate tips? Thanks for the help.
Please note: I am completely new, running ELK 5.6.4 on an RPI3.
Hi, Varx are string IPv4 WAN addresses as 'text' like xxx.xxx.xxx.xxx
Mostly it's bots who perform port scanning. One value could be Varx = 222.186.129.68 (this one is in China).
As explained, once Varx has been computed (by the update_by_query running each hour), I would like to compute the geoip fields from a DB or service using Varx as parameter to display a map with stats (count).
Sorry to bother, but if the answer were easy in the doc we might not ask. From my perspective, the doc and info are really confusing and not representative of the possibilities of the solution.
Anyway, we will try to make it run.
Thanks, I did a filter source => "Varx" and got a geoip failure parsing output; however Varx is not filled at that time (empty string). You mention that I need to reprocess once Varx is filled, but I don't know how.
Hi, thanks Christian. I read your answer again and installed the geoip pipeline. Perfect (need to increase heap space to avoid a crash on the Pi). Then it's complicated. I tried this as in the doc.
I was able to get the Google IP using this syntax
PUT logstash-2017.12.24/syslog/_all/?pipeline=geoip
{
"Varx": "8.8.8.8"
}
and GET logstash-2017.12.24/syslog/_all returned
I ran POST /%3Clogstash-%7Bnow%2Fd%7D%3E/syslog/_update_by_query?pipeline=geoip
It's starting to sound good.. but is GeoIP case sensitive '???' What should be the Varx format?
Is the space at the end an issue?
"failures": [
{
"index": "logstash-2017.12.24",
"type": "syslog",
"id": "AWCG2d79MywR9Y3-E7vT",
"cause": {
"type": "exception",
"reason": "java.lang.IllegalArgumentException: java.lang.IllegalArgumentException: '191.101.167.235 ' is not an IP string literal.",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "java.lang.IllegalArgumentException: '191.101.167.235 ' is not an IP string literal.",
"caused_by": {
"type": "illegal_argument_exception",
"reason": "'191.101.167.235 ' is not an IP string literal."
}
},
PS: when the default value is '0' the filter crashes, so I set the default to 8.8.8.8, mostly when the syslog message is not related to intrusion, i.e. Varx has no real value.
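As an added example (not code from the thread), a small Python helper that does the cleanup the failure above calls for: strip the trailing space, skip the '0' and 8.8.8.8 placeholders and LAN addresses, and select only documents that have no geoip block yet; geoip_pipeline() builds a pipeline body that runs a trim processor before geoip. The sample documents are constructed, and ignore_missing support on both processors in ELK 5.6.4 is an assumption to check against the release notes.

```python
import ipaddress

# Values the thread treats as "no real visitor": empty, the '0' default that
# crashed the filter, and the 8.8.8.8 placeholder (Google DNS, not a scanner).
PLACEHOLDERS = {"", "0", "8.8.8.8"}

SAMPLE_DOCS = [  # constructed sample documents, not from the thread's index
    {"_id": "1", "Varx": "191.101.167.235 "},   # trailing space, as in the failure
    {"_id": "2", "Varx": "0"},                  # old default
    {"_id": "3", "Varx": "8.8.8.8"},            # placeholder default
    {"_id": "4", "Varx": "222.186.129.68", "geoip": {"country_iso_code": "CN"}},
    {"_id": "5", "Varx": "192.168.1.1"},        # LAN address, never in GeoLite
]

def normalize_varx(value):
    """Return a clean IPv4 string, or None when the document must be skipped."""
    if value is None:
        return None
    cleaned = value.strip()            # '191.101.167.235 ' -> '191.101.167.235'
    if cleaned in PLACEHOLDERS:
        return None
    try:
        ip = ipaddress.ip_address(cleaned)
    except ValueError:                 # not an IP string literal at all
        return None
    if ip.version != 4 or not ip.is_global:
        return None                    # private/loopback ranges have no GeoLite entry
    return str(ip)

def docs_to_geolocate(docs):
    """Map _id -> clean IP for documents that still lack a geoip block."""
    todo = {}
    for doc in docs:
        if "geoip" in doc:
            continue                   # already enriched, do not redo the lookup
        ip = normalize_varx(doc.get("Varx"))
        if ip:
            todo[doc["_id"]] = ip
    return todo

def geoip_pipeline():
    """Ingest pipeline body: trim Varx first so the geoip processor never sees
    a trailing space; ignore_missing skips docs without Varx (assumed to be
    supported by both processors in the thread's Elasticsearch version)."""
    return {
        "description": "trim Varx, then resolve geoip",
        "processors": [
            {"trim": {"field": "Varx", "ignore_missing": True}},
            {"geoip": {"field": "Varx", "target_field": "geoip", "ignore_missing": True}},
        ],
    }
```

Documents returned by docs_to_geolocate are the ones worth sending through the pipeline; the others would only produce failures or a misleading dot on the map.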