Hi Team,
This is my logstash config and surprisingly my geoip lookup is failed, I am not sure why.
Can someone pls help?
input {
stdin {}
}
filter {
json {
source => "message"
remove_field => [ "message" ]
remove_field => [ "policy_pct" ]
remove_field => [ "policy_disposition" ]
remove_field => [ "id" ]
remove_field => [ "policy_p" ]
}
mutate {
rename => { "source_ip" => "source.ip" }
}
geoip {
cache_size => 10000
source => "source.ip"
database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb"
}
geoip {
cache_size => 10000
source => "source.ip"
database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
}
if [auth_spf_result] == "pass" {
mutate { add_field => { "Align" => "True" } }
} else if
[auth_dkim_result] == "pass" {
mutate { add_field => { "Align" => "True" } }
} else if
[auth_dkim_result] == "pass" and [auth_spf_result] == "pass" {
mutate { add_field => { "Align" => "True" } }
}
else {
mutate { add_field => { "Align" => "False" } }
}
}
output {
stdout { codec => rubydebug }
}
And here is message which is getting parsed
{
"count" => 1,
"@timestamp" => 2023-04-04T18:20:55.822Z,
"policy_domain" => "xxx.com",
"policy_dkim" => "pass",
"submitter" => "yyyy.com",
"tags" => [
[0] "_geoip_lookup_failure"
],
"identifier_header_from" => "xxx.com",
"source.ip" => "103.161.42.21",
"date_start" => "2022-01-19T05:30:00",
"auth_spf_result" => "pass",
"geoip" => {},
"auth_spf_domain" => "xxx.com",
"host" => "dnsamtrap",
"@version" => "1",
"org_name" => "Yahoo",
"org_email" => "dmarchelp@yahooinc.com",
"auth_dkim_result" => "pass",
"source_domain" => "test.com",
"Align" => "True",
"date_end" => "2022-01-20T05:29:59",
"auth_dkim_domain" => "xxx.com",
"policy_spf" => "pass"