Can someone provide a geoip example for logstash with a log file?
filter {
if [fileset][module] == "apache2" or [event][module] == "apache2" {
if [fileset][name] == "access" {
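# Parse one Apache access-log line into the [apache2][access][*] fields.
# Every capture uses Logstash bracket notation. The original mixed in dotted
# names (e.g. `apache2.access.method`), which grok stores as a literal
# top-level key containing dots rather than the nested field, so the same
# value would land in a different place depending on which pattern matched
# and the mapping template / later conditionals would only see some events.
# Patterns are tried in order and the first match wins; lines matching none of
# them get the grok default `_grokparsefailure` tag and still pass through the
# filters that follow.
grok {
match => {
"message" => [
# Common/combined log format: client, user, time, request line, status,
# bytes sent, then optional referrer and user agent.
"%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"(?:%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}|-)?\" %{NUMBER:[apache2][access][response_code]} (?:%{NUMBER:[apache2][access][body_sent][bytes]}|-)( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
# Request line logged as "-" (client connected but sent no request).
"%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"-\" %{NUMBER:[apache2][access][response_code]} -",
# mod_ssl request log: time, client, TLS protocol and cipher, request line,
# bytes. The method now shares [apache2][access][method] with the first
# pattern instead of the unrelated [http][request][method].
"\[%{HTTPDATE:[apache2][access][time]}\] %{IPORHOST:[apache2][access][remote_ip]} %{DATA:[apache2][access][ssl][protocol]} %{DATA:[apache2][access][ssl][cipher]} \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][body_sent][bytes]}"
]
}
}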
# Keep the pipeline's ingest time under read_timestamp before the date filter
# below overwrites @timestamp with the time taken from the log line.
mutate {
rename => {
"@timestamp" => "read_timestamp"
}
}
# Set @timestamp from the request time captured by grok. Apache writes it like
# `10/Oct/2000:13:55:36 -0700`; the trailing `Z` token consumes the numeric UTC
# offset, so no `timezone` option is needed, and the single-letter `H:m:s`
# tokens also accept Apache's two-digit values. If parsing fails the event gets
# the date filter's default `_dateparsefailure` tag and @timestamp is
# presumably left unset (it was renamed away above) — the conditional at the
# end of this block exists to cover that case.
date {
match => [
"[apache2][access][time]",
"dd/MMM/yyyy:H:m:s Z"
]
target => "@timestamp"
}
# Move the raw User-Agent string to [apache2][access][user_agent][original].
# Nothing in this block parses it; like every other value captured from the
# request line it is client-supplied text and should be treated as untrusted
# downstream (e.g. escaped before being rendered anywhere).
mutate {
rename => {
"[apache2][access][agent]" => "[apache2][access][user_agent][original]"
}
}
# Enrich the client address with GeoIP data under [apache2][access][geoip].
# NOTE(review): remote_ip is whatever the first grok capture matched, and
# IPORHOST also accepts hostnames; the geoip plugin does not resolve names and
# private/reserved addresses have no database entry, so those events end up
# with the plugin's lookup-failure tag instead of geo fields. If Apache sits
# behind a reverse proxy or load balancer this field holds the proxy's
# address, not the client's — use the X-Forwarded-For value for geolocation
# only when the proxy is known to overwrite it, since clients can set that
# header themselves.
geoip {
source => "[apache2][access][remote_ip]"
target => "[apache2][access][geoip]"
}
# If the date filter did not produce a @timestamp (the original was renamed to
# read_timestamp earlier in this block), fall back to the ingest time so the
# event is never emitted without one.
if ![@timestamp] {
mutate {
rename => { "read_timestamp" => "@timestamp" }
id => "fix @timestamp when missing"
}
}
}
....snip....
And of course you will need a mapping template — at minimum one that maps `[apache2][access][geoip][location]` as `geo_point`; without it Elasticsearch indexes the latitude/longitude as ordinary numbers and geo queries and map visualizations will not work.