Private ip geoip from dictionary

OK, looks like I figured it out. After fixing the bad JSON I can now add the geoip data to the apache access events.

here is my apache code block

# Filebeat apache2 module events: parse access lines into [apache2][access][*]
# and error lines into [apache2][error][*]. Filters run top to bottom, and
# several later filters depend on fields produced (or removed) by earlier ones,
# so the order inside each branch matters.
if [fileset][module] == "apache2" {
    if [fileset][name] == "access" {
      ## remove after debug
      # Keeps an untouched copy of the raw line; the grok below removes
      # [message], so original_message is the only raw copy left afterwards.
      # This doubles the stored payload for every access event.
      mutate {
        copy => { "message" => "original_message" }
      }
      # Two candidate layouts: the full combined-log line (first pattern) and
      # the minimal form where the request is logged as "-" (second pattern).
      # NOTE(review): the first pattern escapes brackets as \[ while the second
      # uses \\[ — whether the second form reaches grok as a single backslash
      # depends on config.support_escapes; confirm the "-" request lines
      # actually match and do not end up with _grokparsefailure.
      grok {
        match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
          "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
        remove_field => "message"
      }
      # Records the ingest time before the date filter below overwrites
      # @timestamp (its default target) with the time taken from the log line.
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[apache2][access][time]"
      }
      # Expands the raw User-Agent string into structured fields and drops the
      # raw value; the string comes straight from the client and is parsed as
      # data only.
      useragent {
        source => "[apache2][access][agent]"
        target => "[apache2][access][user_agent]"
        remove_field => "[apache2][access][agent]"
      }
      # Top-level remote_ip is the key the translate/geoip dictionary block
      # later in the pipeline conditions on ("if [remote_ip]").
      # NOTE(review): IPORHOST also accepts hostnames, and if Apache sits behind
      # a proxy or load balancer this value is the proxy's address unless the
      # LogFormat substitutes the forwarded client — confirm before treating
      # it as the end-user address in detections.
      mutate {
        copy => { "[apache2][access][remote_ip]" => "remote_ip" }
      }
    }
    else if [fileset][name] == "error" {
      # Two error-log layouts: "[time] [level] [client ip] msg" (first pattern)
      # and the module:level form with pid/tid (second pattern); the second
      # captures the text as message1 so the two patterns do not collide on
      # the same field name.
      grok {
        match => { "message" => ["\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{LOGLEVEL:[apache2][error][level]}\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message]}",
          "\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{DATA:[apache2][error][module]}:%{LOGLEVEL:[apache2][error][level]}\] \[pid %{NUMBER:[apache2][error][pid]}(:tid %{NUMBER:[apache2][error][tid]})?\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message1]}" ] }
        # Custom pattern for Apache's "Day Mon DD HH:MM:SS YYYY" error timestamp.
        pattern_definitions => {
          "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
        }
        remove_field => "message"
      }
      # Folds the second pattern's message1 into the common message field.
      mutate {
        rename => { "[apache2][error][message1]" => "[apache2][error][message]" }
      }
      # Timestamp with or without microseconds (.SSSSSS).
      date {
        match => [ "[apache2][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
        remove_field => "[apache2][error][timestamp]"
      }
    }
  }

here is my dictionary code block

# Dictionary-based geo enrichment keyed on the top-level remote_ip field.
# NOTE(review): this runs for EVERY event that has remote_ip, not only for
# private addresses — the condition does not check the address range.
if [remote_ip] {
    # exact + regex: each dictionary key is a regex that must match the whole
    # remote_ip value; override replaces any existing geo_point value.
    # The dictionary value (and the fallback) is a JSON string that the json
    # filter below turns into fields.
    translate {
      exact => true
      regex => true
      override => true
      field => "[remote_ip]"
      destination => "geo_point"
      dictionary_path => "/usr/share/logstash/mutate/static-ip-geoip-mapping.yml"
      # NOTE(review): the fallback is written for every remote_ip that is NOT
      # in the dictionary, so a public address missing from the mapping also
      # receives these fixed Anchorage coordinates and, via the json block
      # below, the private-ip tag. Downstream geo dashboards/alerts cannot
      # tell a real lookup from this placeholder; consider gating the block
      # on private ranges or tagging fallback hits separately.
      fallback => '{"timezone":"America/Anchorage","continent_code":"NA","country_name":"United States","region_code":"AK","country_code2":"US","country_code3":"US","region_name":"Alaska","city_name":"Anchorage","latitude":61.19,"longitude":-149.8938,"location":[61.19,-149.8938],"dma_code":"743","postal_code":"99503"}'
      # On reload the file's contents replace the in-memory dictionary rather
      # than being merged into it.
      refresh_behaviour => "replace"
    }
    # Parses the JSON string into [apache2][access][geoip]; add_field/add_tag
    # are applied only when the parse succeeds. geoip.ip records which address
    # the data belongs to, and the temporary geo_point string is dropped.
    json {
      source => "geo_point"
      target => "[apache2][access][geoip]"
      add_field => { "[apache2][access][geoip][ip]" => "%{remote_ip}" }
      add_tag => [ "private-ip" ]
      remove_field => [ "geo_point" ]
    }
    # NOTE(review): strips _geoip_lookup_failure unconditionally — presumably
    # set by a geoip filter earlier in the pipeline (not shown) that cannot
    # resolve private addresses. Because this block runs for every event with
    # remote_ip, a genuine lookup failure on a public address is hidden too;
    # confirm this is intended.
    mutate {
      remove_tag => [ "_geoip_lookup_failure" ]
    }
}

Now off to improve this so I can have private and public IPs handled for all geoip lookups.
