Try to enable geoip on logstash

rocanelo · May 28, 2020, 2:19pm

Hi everyone,

I'm try to enable geoip on my logstash but have a message say the database is corrupted, I suscribe to maxmind and get the last database, I upgdate with command "geoupdate" but not working.
I dont now what more see or do to solve the issue.

Thanks a lot.

*********config *********
input {
syslog {
port => 2514
}
}

filter {
kv {
field_split => "|"
}

geoip {
source => "src"
target => "geoip"
database => "/usr/share/GeoIP/GeoIP.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
}

output {
elasticsearch { hosts => ["127.0.0.1:9200"]
hosts => "127.0.0.1:9200"
manage_template => false
index => "[cp_cena]-%{+YYYY.MM.dd}"
}
file {
path => "/tmp/output.log"
codec => rubydebug
}
}

***Message LOG
[2020-05-28T02:04:10,206][INFO ][logstash.filters.geoip ][main] Using geoip database {:path=>"/usr/share/GeoIP/GeoIP.dat"}
[2020-05-28T02:04:10,291][ERROR][logstash.javapipeline ][main] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>java.lang.IllegalArgumentException: The database provided is invalid or corrupted., :backtrace=>["org.logstash.filters.GeoIPFilter.(org/logstash/filters/GeoIPFilter.java:72)", "java.lang.reflect.Constructor.newInstance(java/lang/reflect/Constructor.java:423)", "org.jruby.javasupport.JavaConstructor.newInstanceDirect(org/jruby/javasupport/JavaConstructor.java:253)", "org.jruby.RubyClass.newInstance(org/jruby/RubyClass.java:939)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(org/jruby/RubyClass$INVOKER$i$newInstance.gen)", "usr.share.logstash.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_filter_minus_geoip_minus_6_dot_0_dot_3_minus_java.lib.logstash.filters.geoip.register(/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/lib/logstash/filters/geoip.rb:103)", "org.jruby.RubyClass.finvoke(org/jruby/RubyClass.java:572)", "org.jruby.RubyBasicObject.callMethod(org/jruby/RubyBasicObject.java:354)", "org.logstash.config.ir.compiler.FilterDelegatorExt.doRegister(org/logstash/config/ir/compiler/FilterDelegatorExt.java:88)", "org.logstash.config.ir.compiler.AbstractFilterDelegatorExt.register(org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:75)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.register_plugins(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:216)", "org.jruby.RubyArray.each(org/jruby/RubyArray.java:1809)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.register_plugins(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:215)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$register_plugins$0$VARARGS(usr/share/logstash/logstash_minus_core/lib/logstash//usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.maybe_setup_out_plugins(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:521)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$maybe_setup_out_plugins$0$VARARGS(usr/share/logstash/logstash_minus_core/lib/logstash//usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.start_workers(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:228)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_workers$0$VARARGS(usr/share/logstash/logstash_minus_core/lib/logstash//usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.run(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:170)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$run$0$VARARGS(usr/share/logstash/logstash_minus_core/lib/logstash//usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.start(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:125)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:318)", "java.lang.Thread.run(java/lang/Thread.java:748)"], "pipeline.sources"=>["/etc/logstash/conf.d/udp2514.conf"], :thread=>"#<Thread:0x6f08f4db run>"}
[2020-05-28T02:04:10,320][ERROR][logstash.agent ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}
[2020-05-28T02:04:10,685][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2020-05-28T02:04:15,566][INFO ][logstash.runner ] Logstash shut down.

warkolm · May 29, 2020, 1:31am

We do support the MaxMind databases, as per the docs, but perhaps there's a change in their format we aren't aware of? It might be worth raising an issue on the plugin GitHub repo

rocanelo · May 29, 2020, 4:33am

Thanks for the info. I apply the next config and solve the problem:

database => "/usr/share/GeoIP/GeoLite2-City.mmdb"

system · June 26, 2020, 4:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GeoIP error: "The database provided is invalid or corrupted" Logstash	2	2883	August 23, 2017
How to solve _geoip_expired_database Logstash	7	401	December 5, 2023
GeoIP Maxmind Database Question Logstash	2	528	February 1, 2019
Logstash 2.3 Geoip Filter Returning Invalid Coordinates Logstash	1	862	July 6, 2017
Geoip expired_database error Logstash	3	141	April 1, 2024

Try to enable geoip on logstash

Related topics