Using geoip properly


(Brandon Yap) #1

Hi,

I'm using geoip but would like to make sure i'm implementing it correctly.
So my config looks like this:
filter {
geoip {
source => "ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
geoip {
source => "client_ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
geoip {
source => "fail2ban_ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
geoip {
source => "dovecot_auth_fail_rip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
geoip {
source => "system_auth_ip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
geoip {
source => "system_auth_srcip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
}
}

When logstash starts, this shows in the log files:
[2018-06-21T19:32:11,583][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}
[2018-06-21T19:32:11,716][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}
[2018-06-21T19:32:11,726][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}
[2018-06-21T19:32:11,733][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}
[2018-06-21T19:32:11,736][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}
[2018-06-21T19:32:11,741][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/GeoIP/GeoLite2-City.mmdb"}

Is there a way I can specify ONCE where the GeoLite database is and have geoip use it for all sources?


(Magnus B├Ąck) #2

Is there a way I can specify ONCE where the GeoLite database is and have geoip use it for all sources?

No.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.