Logstash geoip filter no city name

Joel-Costamagna · January 22, 2019, 8:29am

Hello,
I try to use geoip for my source adresse, but sometimes it shows the correct city name, sometimes it shows a wrong location and there is no geoip.city_name field. However if i look up the ip i the maxmind demo (https://www.maxmind.com/en/geoip2-precision-demo) it shows the right location. How can I solve the problem ? is it possible to put "other" in the field so that it's never empty ?

here is the relevant part of config :

  1 filter {
  2     if [syslog_program] =~ "filterlog" {
  3             grok {
  4                 match => ["syslog_message", "(%{NONNEGINT:rule_number})?\,(%{NONNEGINT:sub_rule_number})?\,(%{DATA:anchor})?\,(%{NONNEGINT:tracker_id})?\,%{DATA:interface}\,%{DATA:reason}\,%{DATA:action}\,%{    DATA:direction}\,%{NONNEGINT:ip_version},%{GREEDYDATA:sub_msg}"]
  5         }
  6         if [ip_version] =~ "4" {
  7             csv {
  8                 source => [sub_msg]
  9                 columns => ["ipv4_tos","ipv4_ecn","ipv4_ttl","ipv4_id","ipv4_offset", "ipv4_flags","ipv4_protocol_id","ipv4_protocol","ipv4_protocol_length","source_ip","destination_ip","source_port","destin    ation_port","data_length","tcp_flags","sequence_number","ack","window","urg","options"]
 10                 separator => ","
 11             }
 12         }
 13         if [ip_version] =~ "6" {
 14             csv {
 15                 source => [sub_msg]
 16                 columns => ["class","flow_label","hop_limit","protocol","protocol_id","length","source_ip","destination_ip","source_port","destination_port","data_length","tcp_flags","sequence_number","ack",    "window","urg","options"]
 17                 separator => ","
 18             }
 19         }
 20         mutate {
 21             convert => [ "destination_port", "integer" ]
 22             convert => [ "source_port", "integer" ]
 23             convert => [ "ip_version", "integer" ]
 24             convert => [ "data_length", "integer" ]
 25             convert => [ "ipv4_protocol_length", "integer" ]
 26             convert => [ "ipv4_ttl", "integer" ]
 27             convert => [ "rule_number", "integer" ]
 28             replace => { "type" => "firewall" }
 29             add_tag=>  [ "pfsense" ]
 30             remove_field => [ "sub_msg", "syslog_message" ]
 31         }
 32         geoip {
 33             source => source_ip
 34             fields => ["city_name", "location"]
 35             database => "/etc/logstash/GeoLite2-City.mmdb"
 36             tag_on_failure => ["geoip_failed"] 
 37         }
 38     }
 39 }

Badger · January 22, 2019, 12:51pm

Something like

if ! [geoip][city_name] {
    mutate { add_field => { "[geoip][city_name]" => "other" } }
}

perhaps?

Joel-Costamagna · January 22, 2019, 1:06pm

thanks, that works as a temporary workaround, but i don't understand why geoip does not create the city_name field, since it have a location field with correct coordinates.

Badger · January 22, 2019, 1:10pm

My guess is that the database is missing the city name.

system · February 19, 2019, 1:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Geoip does not add "city" field Logstash	2	501	May 13, 2018
Logstash Geoip Filter with a Custom Database Logstash	1	811	September 27, 2018
Geoip filter reports incorrect location Logstash	4	1281	February 25, 2019
Problem with geoip plugin and IP whitelist filtering Logstash	3	378	November 4, 2022
Issue with GeoIP location Logstash	5	1494	March 9, 2017

Logstash geoip filter no city name

Related topics