Logstash service crash 6.6 (geoip) filter

Hi,
I am using Filebeat with ELK stack 6.6.3.
The Logstash service crashes when getting a JSON log with a remote address for the geoip filter.

Here is my configuration file:

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    overwrite => ["message"]
  }

  json {
    source => "message"
  }

  geoip {
    source => "[host]"
  }

  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => en
    remove_field => "timestamp"
  }

  mutate {
    convert => { "bytes" => "integer" }
    remove_field => ["prospector","tags","@version","input","beat","log"]
  }
}

output {
  stdout {
    codec => dots
  }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logs-%{[verticle]}-%{[log_origin]}-log-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

I am getting the following error:

Exception in thread "[main]>worker0" java.lang.IllegalArgumentException: Expected input field value to be String or List type
at org.logstash.filters.GeoIPFilter.handleEvent(org/logstash/filters/GeoIPFilter.java:125)

Can someone help me? What is wrong with this config? It used to work before.

For some time now, beats have set [host] to be an object. Generally beats will not send an IP address, they send a hostname.

Here is what my JSON string (message) looks like:

{"UID":xxx,"AID":xxx,"log_origin":"client","response_code":0,"description":"Rout to: /user/logout","duration":0,"remote_details":{"uri":"/user/logout","port":15481,"local_Address":"111.11.11.111:111","remote_address":"111.111.111.111:16666","Host":"*****.com","Connection":"keep-alive","Content-Length":"65","Accept":"application/json, text/plain, */*","UID":"240","Origin":"https://*****.com","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36","AID":"xxx","Content-Type":"application/json","Referer":"https://www.*****r.com","Accept-Encoding":"gzip, deflate, br","Accept-Language":"en-US,en;q=0.9"},"host":"111.111.111.111","id":"INFO (6270) 13:10:45:872","time":"2019-03-14 13:10:45:872","host_name":"ip-111-11-11-111.eu-west-1.compute.internal","server_port":"443","level":"INFO","verticle":"xxx","remote_address":"111.11.11.111"}

If the event is JSON that contains a host field then that will overwrite the host object added by the beat, and the geoip will work. If it does not contain a host field then you should expect to get the error message that you got.

Thank you!

I changed the key ("host") name and it solved everything.

Yes, changing the host name worked. Cheers.
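
A pipeline-side way to keep an event that lacks a JSON host field from reaching geoip with the Beats host object, shown as an added example that is not from the original thread. The field name beat_host and the tag geoip_source_missing are hypothetical names chosen for illustration.

```logstash
filter {
  # Move the Beats-supplied [host] object aside (beat_host is a hypothetical
  # name) so that, after JSON parsing, [host] exists only when the
  # application log itself carried one.
  mutate {
    rename => { "[host]" => "[beat_host]" }
  }

  json {
    source => "message"
  }

  # Run geoip only when the parsed JSON supplied the field. An event without
  # it (or one that failed JSON parsing) skips the lookup instead of handing
  # geoip a value that is not a string.
  if [host] {
    geoip {
      source => "[host]"
    }
  } else {
    # Hypothetical tag, so skipped events can be found and counted later.
    mutate {
      add_tag => ["geoip_source_missing"]
    }
  }
}
```

This assumes the JSON host value, when present, is a string as in the sample message above.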
