Logstash AWS ElasticSearch geoip does not show up


(Kok How Teh) #1

I have the following logstash pipeline configuration:

    input {
      beats {
        port => "5044"
      }
    }

    # The filter part of this file is commented out to indicate that it is
    # optional.
    filter {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
      date {
        match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
      }
      geoip {
        source => "clientip"
        target => "geoip"
        database => "/etc/logstash/GeoLite2-City.mmdb"
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float"]
      }
    }
    output {
      elasticsearch {
        # hosts => [ "localhost:9200" ]
        hosts => [ "<foo>:80" ]
        index => "weeloy.asia"
      }
      stdout { codec => rubydebug }
    }

This is one of the log messages that show up in ElasticSearch:

    @timestamp:April 21st 2017, 17:22:42.033
    offset:19,804
    @version:1
    input_type:log
    beat.hostname:9667b2238b44
    beat.name:9667b2238b44
    beat.version:5.3.0
    host:9667b2238b44
    source:/var/log/apache2/dev.weeloy.asia-error_log
    message:[Fri Apr 21 09:22:32.161233 2017] [:error] [pid 23634] [client 118.200.155.89:52099] LOGIN member, referer: http://
    type:apache-access
    tags:beats_input_codec_plain_applied, _grokparsefailure, _geoip_lookup_failure
    _id:AVuP0iWx4iBeUK45wU1T
    _type:apache-access
    _index:weeloy.asia
    _score: -

I just cannot get geoip to work. Any advice and insight is appreciated.
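
The sample event above comes from an Apache error log (its `source` ends in `-error_log`) and carries `_grokparsefailure`, so `%{COMBINEDAPACHELOG}` did not match and no `clientip` field was set for geoip to look up. One way to handle both log types, as an added example that is not part of the original post; routing on `[source]` and the `_no_client_ip` tag name are assumptions:

```logstash
filter {
  if [source] =~ /error_log$/ {
    # Error-log lines look like:
    #   [Fri Apr 21 09:22:32.161233 2017] [:error] [pid 23634] [client 118.200.155.89:52099] ...
    # grok is unanchored, so matching only the [client ip:port] part is enough
    # to populate clientip. The date filter is skipped here because the
    # error-log timestamp does not use the access-log format.
    grok {
      match => { "message" => "\[client %{IP:clientip}:%{POSINT:clientport}\]" }
      # Assumed tag name: marks error lines that carry no client address
      tag_on_failure => [ "_no_client_ip" ]
    }
  } else {
    # Access-log lines keep the original combined-format parsing
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }

  # Only run the lookup when grok actually extracted an address, so events
  # without one are not tagged _geoip_lookup_failure.
  if [clientip] {
    geoip {
      source => "clientip"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
    }
  }
}
```

With `stdout { codec => rubydebug }` still enabled, an event parsed this way should show `clientip` as a top-level field before any `geoip` fields appear.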

