Map User Location with GeoIP and ELK

Hi,
I'm having trouble mapping user locations with GeoIP.
Could someone help me please? I followed the tutorial on:

my config on /etc/logstash/12-apache.conf looks like this:
geoip {
  source => "clientip"
  target => "geoip"
  database => "/etc/logstash/GeoLiteCity.dat"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
  convert => [ "[geoip][coordinates]", "float"]
}

I also tried this:

geoip {
  source => "clientip"
  target => "geoip"
}
mutate {
  convert => [ "[geoip][coordinates]", "float"]
}

But it isn't working; the only thing that I can see is the IP address.

Please be careful and selective when following examples you find online. The example you were following is dated nearly 2 years ago (31 March 2015), and many things have changed in the GeoIP plugin since that time. You no longer need to manually create a lon-lat field (coordinates in the linked example), as Logstash now automatically does this for you. The auto-generated field is called location. You also do not have to convert the field to a float, and the default target is already called geoip, so adding it (unless different from the default) is redundant.

With this simple config:

input { stdin {}}
filter { geoip { source => "message" } }
output { stdout { codec => rubydebug } }

I run Logstash, and paste 8.8.8.8 like this:

$ bin/logstash -f geo.conf
Sending Logstash's logs to /Users/buh/logstash-5.2.2/logs which is now configured via log4j2.properties
[2017-03-10T04:08:31,709][INFO ][logstash.filters.geoip   ] Using geoip database {:path=>"/Users/buh/logstash-5.2.2/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.0.4-java/vendor/GeoLite2-City.mmdb"}
[2017-03-10T04:08:31,734][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>1000}
[2017-03-10T04:08:31,744][INFO ][logstash.pipeline        ] Pipeline main started
The stdin plugin is now waiting for input:
[2017-03-10T04:08:31,778][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
8.8.8.8
{
    "@timestamp" => 2017-03-10T12:08:36.852Z,
         "geoip" => {
              "timezone" => "America/Los_Angeles",
                    "ip" => "8.8.8.8",
              "latitude" => 37.386,
        "continent_code" => "NA",
             "city_name" => "Mountain View",
         "country_code2" => "US",
          "country_name" => "United States",
              "dma_code" => 807,
         "country_code3" => "US",
           "region_name" => "California",
              "location" => [
            [0] -122.0838,
            [1] 37.386
        ],
           "postal_code" => "94035",
             "longitude" => -122.0838,
           "region_code" => "CA"
    },
      "@version" => "1",
          "host" => "localhost.local",
       "message" => "8.8.8.8"
}

It is the message field in this config because that's the field that contains the input from STDIN (from the stdin input plugin).

If you know your source field, clientip, contains an IP address, is it a standard routable internet address? The non-routable or private network blocks 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 will not resolve to a location as they can be used by anyone, anywhere.

There may be other IP addresses not covered by the database.

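A quick way to check the point made above (that private or otherwise non-routable client addresses will never get a location, no matter how the geoip filter is configured) is to run the access log through a small classifier before blaming the pipeline. The script below is an added example, not code from this thread or from Logstash; it assumes the log is in Apache combined format, where the first whitespace-delimited token is the client address (the same token the COMMONAPACHELOG grok pattern captures as clientip), and it uses Python's ipaddress module, whose is_private check covers the three RFC 1918 blocks named above plus loopback, link-local and a few other special-use ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.168.154.101 - - [10/Mar/2017:12:08:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
8.8.8.8 - - [10/Mar/2017:12:08:37 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/7.52.1"
10.0.0.5 - - [10/Mar/2017:12:08:38 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Mar/2017:12:08:39 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.5"
not-an-ip - - [10/Mar/2017:12:08:40 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
"""

# First token of an Apache combined log line: the client address
# (assumption: same field your grok pattern stores as clientip).
CLIENTIP_RE = re.compile(r"^(\S+)\s")


def classify_ip(raw):
    """Return 'routable', 'private', 'reserved' or 'invalid' for one clientip value.

    Only 'routable' addresses can be expected to produce a geoip.location;
    the GeoLite database has no entries for the other categories.
    """
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return "invalid"          # not an IP at all (grok failure, hostname, garbage)
    if ip.is_private:
        return "private"          # 10/8, 172.16/12, 192.168/16, loopback, link-local, ...
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"         # never assigned to a single end host
    return "routable"


def audit_log(text):
    """Classify the client address of every line; return (counts, per-line details)."""
    counts = Counter()
    details = []
    for line in text.splitlines():
        m = CLIENTIP_RE.match(line)
        raw = m.group(1) if m else ""
        kind = classify_ip(raw)
        counts[kind] += 1
        details.append((raw, kind))
    return counts, details


if __name__ == "__main__":
    counts, details = audit_log(SAMPLE_LOG)
    for raw, kind in details:
        print(f"{raw:<20} {kind}")
    print()
    print("lines whose clientip GeoIP can resolve:", counts["routable"])
    print("lines that will never get a location:  ", sum(counts.values()) - counts["routable"])
```

Run it against a copy of your real access log (replace SAMPLE_LOG with the file contents); if every line comes back private, as it will for two VMs on a 192.168.154.0/24 network, the geoip filter is behaving correctly and the fix is to feed it traffic from routable addresses, not to change the filter.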

Thank you very much for your reply. I am doing this for a school project and this is the first time I've worked with ELK. My server and my client are both VMs running on my own laptop; I guess that's why I can't see any location, since I gave them static IPs: the server has 192.168.154.100 and the client 101.
Thank you for your help. I was wondering, as I understood it, whether I have to replace my config in /etc/logstash/conf.D/12-apache.conf
with
input { stdin {}}
filter { geoip { source => "message" } }
output { stdout { codec => rubydebug } }

Is there any more recent guide that I can follow?
I'm really sorry for these questions, but I'm just trying to figure out how Logstash works.
But thanks for your response.

No, you do not have to replace your code with the above. You should only need

geoip {
  source => "clientip"
}

in your filter block. Any definition for geoip should be replaced by this. If the clientip field contains non-private IPs, then that should work.
