Logstash Geoip plugin

RAM_NATHAN · March 8, 2022, 6:55am

Hi

Im using Logstash Geoip Plugin as below

  geoip 
         {
            source => "sourceIP"
            target => "geoIP"
            add_field => { "countryCode" => "%{[geoIP][country_code2]}" }
         }

But at times, this plugin result doesnt have country_code2 as below

   "geoIP": {
      "ip": "**.**.**.**",
      "location": {
        "lat": **,
        "lon": *
      },
      "longitude": *,
      "latitude": **,
      "timezone": "Europe/Vaduz",
      "continent_code": "EU"
    }

So my parsing is failed for countryCode. How to fix this? This is occurring only for few IP's, not all.

Badger · March 8, 2022, 5:59pm

How do you want to fix it? One option would be to make the add_field conditional.

if [geoIP][country_code2] { mutate { add_field => { "countryCode" => "%{[geoIP][country_code2]}" } } }

but you might want something else.

RAM_NATHAN · March 9, 2022, 3:12am

That is what I did. But I need to know why its not able to fetch country code for selective Ip's. Is it a bug?

Badger · March 9, 2022, 4:04am

By far the most likely explanation is that the country code is missing from the database. The logstash filter will return whatever the MaxMind .getIsoCode method returns.

You can lookup an address on the MaxMind web site here. Note that it may show a country code and an accuracy radius. If the longitude and latitude place an IP address in (let's say) Belgium, with a 1000 km accuracy that could be in any one of a dozen or more countries.

A lot of free GeoIP data are basically warmed over whois data. Many IP addresses will resolve to the location of the corporate headquarters of a cable company that has long since been rolled up by a larger one.

Similarly a lot of web sites appear to be in Cambridge, MA, because there is a large CDN headquartered there. I have seen other hot-spots that make no sense to me at all.

Less of a problem now is what to do with unallocated addresses. If a block was assigned to RIPE (the European registry) but not delegated to a customer, where is an IP in that block? RIPE's HQ is in Amsterdam, and a surprisingly large number of address resolve to that city.

RAM_NATHAN · March 9, 2022, 9:09am

Thanks for the update. I'm getting COUNTRYCODE as US in MaxMind portal,but accuracy is 1000 Km. Was that the issue?

Badger · March 9, 2022, 6:15pm

Maybe. It is really a question for MaxMind. logstash just uses what their API returns.

RAM_NATHAN · March 10, 2022, 6:14am

Right now, there is no real fix.correct?. Can I tune some MaxMind config to get rid of this issue? or Can I upgrade MaxMind , if that is possible?

RAM_NATHAN · March 16, 2022, 3:12am

Can I use anyother db instead of maxmind?

Badger · March 16, 2022, 3:39am

The filter imports a lot of MaxMind classes to interpret the database. If anyone else has the ability to create MaxMind compatible databases then I would expect they would work, but I doubt anyone else actually does that.

I believe I have seen blog posts about how to do it, but I also doubt anyone is doing that with high quality data.

RAM_NATHAN · March 16, 2022, 4:38am

Thanks for the update. what would be the solution in this case? We need MaxMind to fix this or upgrade maxmind?

Badger · March 16, 2022, 12:55pm

It would be up to MaxMind to fix this.

system · April 13, 2022, 12:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.