Logstash GeoIP filter (Tile map)

bishaka · June 10, 2016, 5:00pm

Hi,
I am trying to use GeoIP filter to display geographical location of IP addresses. I followed this tutorial https://www.digitalocean.com/community/tutorials/how-to-map-user-location-with-geoip-and-elk-elasticsearch-logstash-and-kibana

I am using ELK stack with Redis as the queue. I am not using Nginx or Filebeat or lumberjack as shown in this tutorial.
The problem i am facing is, I am seeing the geoIP field in kibana even though i added the following lines to my logstash-shipper conf file

geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}

Can anyone tell me what's going on here?

anhlqn · June 11, 2016, 6:41am

Replace the config with this

geoip {
  source => "clientip"
  target => "geoip"
  fields => ["country_code2", "country_name", "continent_code", "region_name", "real_region_name", "city_name", "postal_code", "timezone", "location"]
}

Remove the fields => [...... line and you'll get all geo fields.
The mapping type of geoip.location should be geo_point as in

"geoip": {
  "dynamic": true,
  "type": "object",
  "properties": {
    "location": {
      "type": "geo_point"
    }
  }
}

You should then use geoip.location in your tile map. I'm not sure why I keep seeing this config from digitalocean with converting to float type.

For more info, you can check http://www.secureict.info/2015/11/process-netflow-with-nprobe-and_20.html