Logstash-oss:7.4.0 geoip reports wrong lat/lon

I found some incorrect results when performing geoip lookups of IP addresses through the geoip filter in Logstash-oss:7.4.0.

The two IP addresses in question are:

From logstash, both IPs have the same latitude/longitude, 16/106, which is not even in Vietnam (Laos).
geoip.country_name Vietnam
geoip.location { "lat": 16, "lon": 106 }

According to https://www.maxmind.com/en/geoip-demo or https://www.iplocation.net, these IPs do not have the same lat/lon as reported by logstash.

Free geoip data is generally not very good. You could try updating the database used by the geoip filter with the latest free database from maxmind, but it may not help.

I performed logstash-plugin update but logstash-filter-geoip was already up-to-date so it was not updated.

I was suggesting that you go to maxmind.com and download the latest available db.

I have downloaded the latest GeoLite2-City.mmdb file and compared it with the original database that comes with logstash-oss:7.4.2; there is no difference for the IPs that are in question.

-rw-rw-r-- 1 logstash root 61356751 Oct 28 22:53 /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb

-rw-r--r-- 1 root root 62852205 Nov 24 15:41 /data/data/GeoLite2-City.mmdb

However, if I follow this link https://www.elastic.co/blog/geoip-in-the-elastic-stack and replace the IPs in question, I find that the lat/lon has correct values. Not sure what GeoIP database it is using?
