Unable to load geoip in elasticsearch/logstash

staodd · April 6, 2019, 8:26am

You do have both the beat.hostname and the host.name in your data. So you do know where it's from.

bharat1 · April 6, 2019, 10:08am

below are log formats
/var/log/secure:

Apr  2 16:41:16 examplehost1 polkitd[754]: Registered Authentication Agent for unix-process:8970:471160755 (system bus name :1.3387 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr  2 16:41:14 examplehost1 su: pam_unix(su-l:session): session opened for user root by pentaho(uid=55684)
Apr  5 22:17:17 examplehost1 sshd[1653]: Accepted publickey for root from 192.168.1.2 port 28152 ssh2: RSA SHA256:12324341uUJDFJDJ
Apr  6 18:37:55 examplehost1 sshd[9262]: Accepted password for root from 192.168.1.2 port 49506 ssh2
Apr  6 18:37:55 examplehost1 sshd[9262]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  6 18:38:12 examplehost1 sshd[9304]: Accepted publickey for root from 192.168.1.3 port 43284 ssh2: RSA SHA256: 12324341uUJDFJDJ
Apr  6 18:38:12 examplehost1 sshd[9304]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr  6 18:38:16 examplehost1 sshd[9304]: Received disconnect from 192.168.1.3 port 43284:11: disconnected by user
Apr  6 18:38:16 examplehost1 sshd[9304]: Disconnected from 192.168.1.3 port 43284
Apr  6 18:38:16 examplehost1 sshd[9304]: pam_unix(sshd:session): session closed for user root

/var/log/messages:

Apr  6 18:44:47 examplehost1 kernel: NFS: state manager: check lease failed on NFSv4 server 192.168.1.3 with error 93
Apr  6 18:44:52 examplehost1 kernel: NFS: state manager: check lease failed on NFSv4 server 192.168.1.3 with error 93
Apr  6 18:44:52 examplehost1 sshd[13264]: rexec line 108: Deprecated option UseLogin
Apr  6 18:44:52 examplehost1 systemd: Started Session 1771 of user root.
Apr  6 18:44:52 examplehost1 systemd-logind: New session 1771 of user root.

/var/log/audit/audit.log

type=USER_ACCT msg=audit(1552309261.343:14867): pid=19058 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1552309261.343:14868): pid=19058 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1552309261.343:14869): pid=19058 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=1028 res=1
type=USER_START msg=audit(1552309261.346:14870): pid=19058 uid=0 auid=0 ses=1028 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

bharat1 · April 6, 2019, 10:29am

yes I do. However the problem is I am not able to

Load secure and audit logs
Not able to view GeoIP

dadoonet · April 6, 2019, 10:34am

There is nothing in those logs that is helpful to get a geo address. So I don't see how geoip could work.
How do you think elasticsearch could guess that?
Adding that the only addresses I can see are 192.168.1.* which are not public IPs. So no one can draw on a map where this is coming from IMHO.

That closes IMO the question that you initially asked: "Unable to load geoip in elasticsearch/logstash".

If you have other questions, please open a new discussion so we can more easily follow/answer it.

bharat1 · April 6, 2019, 12:52pm

I have modified the public IP's to private IP's so in that case the GeoIP should pick it up correct?

However not able to understand what parameters are required for GeoIP to work?
How to check whether GeoIP feature is already enabled/installed?

staodd · April 6, 2019, 3:36pm

GeoIP needs public IPs to be able to guess long/lat.. You say you have modified the public to privat.. Then it will never work unless you are planning to build you own GeoLite DB.

You need a field with the public IP in to run geoip on. Then you will get a geoip field added to the document. And yes, there is a built-in GeoIP database.

bharat1 · April 6, 2019, 5:44pm

What I mean was - the logs have public IP address and I changed those to private in the post but not in the servers. Hope I make sense now.
How to activate or check whether whether it's available or not and if it's available but working or not?

staodd · April 7, 2019, 1:44am

As you've already been told.. GeoIP is installed by default. But it can NEVER work as long as you don't have an IP to check.
You match against SYSLOGLINE, and then geoip against clientip. Did you check if SYSLOGLINE even sets a clientip field??

Would suggest you first start by looking into how you can get the IP into the document. A hint would be to look for some DNS filter to resolve the hostname

system · May 5, 2019, 1:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.