I want to be able to use a more updated version of the GeoLiteCity database. However, when running Logstash with this configuration, I get what seems to be a permissions error, and I'm not sure how to fix that because I'm running Logstash as an admin.
My second question pertains to the if statements within the filter. I want to use the IPv4 database if the ipAddress that I have is obviously of that type, and the same for IPv6. However, whenever I run Logstash I am unable to get the IPv6 addresses to be properly recognized, and it always goes into the else statement. Could someone help me in determining where I am going wrong with my if statements?
I posted the filter option from my configuration file below.

    filter {
      # Addresses containing a colon go to the IPv6 database
      if ([Payload_ipAddress] =~ /:/ ){
        geoip {
          source => "Payload_ipAddress"
          target => "geoip"
          database => "c:/Logstash/GeoLiteCityv6"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float"]
        }
      } else {
        # Everything else is looked up in the IPv4 database
        geoip {
          source => "Payload_ipAddress"
          target => "geoip"
          database => "c:/Logstash/GeoLiteCityIPv4"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float"]
        }
      }
      mutate {
        remove_field => [ "@timestamp", "@version" ]
      }
    }
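
An added example, not part of the original post: one way to decide which database applies to a `Payload_ipAddress` value by parsing it with Ruby's standard `ipaddr` library (Ruby being the language of Logstash's ruby filter), which is stricter than testing for a colon. The helper names `address_family` and `geoip_database` are hypothetical, the sample addresses are constructed, and the two paths are copied from the configuration above.

```ruby
require 'ipaddr'

# Database paths as written in the posted configuration.
DB_V4 = 'c:/Logstash/GeoLiteCityIPv4'
DB_V6 = 'c:/Logstash/GeoLiteCityv6'

# Classify a raw field value as :ipv4, :ipv6 or :invalid.
# (Hypothetical helper; not a Logstash API.)
def address_family(raw)
  return :invalid unless raw.is_a?(String)

  # Trim whitespace and drop an IPv6 zone id such as "%eth0".
  text = raw.strip.sub(/%.*\z/, '')
  # A single host address is expected, so reject empty values and CIDR ranges.
  return :invalid if text.empty? || text.include?('/')

  ip = IPAddr.new(text)
  # "::ffff:a.b.c.d" contains colons but denotes an IPv4 host.
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  ip.ipv4? ? :ipv4 : :ipv6
rescue IPAddr::Error
  # Raised for anything that does not parse, e.g. "host:port" strings.
  :invalid
end

# Pick the database for a value; nil means "skip the lookup".
def geoip_database(raw)
  case address_family(raw)
  when :ipv4 then DB_V4
  when :ipv6 then DB_V6
  end
end

# Constructed sample values (documentation address ranges).
samples = ['192.0.2.10', '2001:db8::1', '::ffff:192.0.2.10',
           ' fe80::1%eth0 ', '192.0.2.10:8080', 'not-an-ip']
samples.each do |value|
  puts format('%-22s %-8s %s', value.inspect, address_family(value),
              geoip_database(value).inspect)
end
```
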