Logstash service crash 6.6 (geoip) filter


(Naftalin N) #1

Hi,
I am using Filebeat with ELK stack 6.6.3.
The Logstash service crashes when it gets a JSON log with a remote address for the GeoIP filter.

Here is my configuration file:

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    overwrite => ["message"]
  }

  json {
    source => "message"
  }

  geoip {
    source => "[host]"
  }

  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => en
    remove_field => "timestamp"
  }

  mutate {
    convert => { "bytes" => "integer" }
    remove_field => ["prospector","tags","@version","input","beat","log"]
  }
}

output {
  stdout {
    codec => dots
  }
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logs-%{[verticle]}-%{[log_origin]}-log-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

I am getting the following error:

Exception in thread "[main]>worker0" java.lang.IllegalArgumentException: Expected input field value to be String or List type
at org.logstash.filters.GeoIPFilter.handleEvent(org/logstash/filters/GeoIPFilter.java:125)

Can someone help me? What is wrong with this config? It used to work before.


#3

For some time now, beats have set [host] to be an object. Generally beats will not send an IP address, they send a hostname.


(Naftalin N) #4

Here is what my JSON string (message) looks like:

{"UID":xxx,"AID":xxx,"log_origin":"client","response_code":0,"description":"Rout to: /user/logout","duration":0,"remote_details":{"uri":"/user/logout","port":15481,"local_Address":"111.11.11.111:111","remote_address":"111.111.111.111:16666","Host":"*****.com","Connection":"keep-alive","Content-Length":"65","Accept":"application/json, text/plain, */*","UID":"240","Origin":"https://*****.com","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36","AID":"xxx","Content-Type":"application/json","Referer":"https://www.*****r.com","Accept-Encoding":"gzip, deflate, br","Accept-Language":"en-US,en;q=0.9"},"host":"111.111.111.111","id":"INFO (6270) 13:10:45:872","time":"2019-03-14 13:10:45:872","host_name":"ip-111-11-11-111.eu-west-1.compute.internal","server_port":"443","level":"INFO","verticle":"xxx","remote_address":"111.11.11.111"}


#5

If the event is JSON that contains a host field then that will overwrite the host object added by the beat, and the geoip will work. If it does not contain a host field then you should expect to get the error message that you got.


(Naftalin N) #6

Thank you!

I changed the key ("host") name and it solved everything.


#7

Yes, changing the host name worked. Cheers.
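
An added example, not part of the original thread or any poster's config: one way to keep the application's "host" string from colliding with the [host] object that Beats sets, without renaming the key in the application. The target name "app" and the tag "geoip_source_missing" are assumptions chosen for illustration.

```logstash
filter {
  # Parse the application JSON under its own key ("app" is an assumed name)
  # instead of at the event root. The Beats-supplied [host] object is left
  # untouched, and the application's "host" string lands in [app][host].
  json {
    source => "message"
    target => "app"
  }

  # Only call geoip when the application actually supplied the field.
  # Events whose JSON has no "host" key are tagged instead of being passed
  # to geoip with a missing or non-string source.
  if [app][host] {
    geoip {
      source => "[app][host]"
      target => "geoip"
    }
  } else {
    mutate {
      add_tag => ["geoip_source_missing"]   # assumed tag name
    }
  }
}
```

With the JSON nested under a target, other references to its keys move as well, so the index pattern in the output section would use %{[app][verticle]} and %{[app][log_origin]}.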