Logstash-oss:7.4.0 geoip reports wrong lat/lon

Long_Thai · November 23, 2019, 6:37pm

I found some incorrect results when performing geoip of IP addresses through the geoip filter in Logsstash-oss:7.4.0.

Two IP address in question are:
171.246.59.245
123.30.237.63

From logstash both IPs have the same latitude/longitude 16/106 which is not even in Vietnam (Laos)
geoip.ip 42.117.130.155
geoip.ip 123.30.237.63
geoip.country_name Vietnam
geoip.location { "lat": 16, "lon": 106 }

According to https://www.maxmind.com/en/geoip-demo or https://www.iplocation.net, these IPs do not have the same lat/lon as reported by logstash.

Badger · November 23, 2019, 6:51pm

Free geoip data is generally not very good. You could try updating the database used by the geoip filter with the latest free database from maxmind, but it may not help.

Long_Thai · November 23, 2019, 7:27pm

Thanks.
I performed logstash-plugin update but logstash-filter-geoip was already up-to-date so it was not updated.

Badger · November 24, 2019, 3:14pm

I was suggesting that you go to maxmind.com and download the latest available db.

Long_Thai · November 24, 2019, 9:48pm

I have downloaded the latest file GeoLite2-City.mmdb and comparing with the original database that comes with logstash-oss:7.4.2, there is no difference for the IPs that are in question.

-rw-rw-r-- 1 logstash root 61356751 Oct 28 22:53 /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/GeoLite2-City.mmdb

-rw-r--r-- 1 root root 62852205 Nov 24 15:41 /data/data/GeoLite2-City.mmdb

However, if I follow this link https://www.elastic.co/blog/geoip-in-the-elastic-stack and replace the IPs in question, I find that the lat/lon has correct values. Not sure what Geoip database it is using ?

system · December 22, 2019, 9:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.