Why is my geoip lookup failing?

Hi Team,

This is my Logstash config and, surprisingly, my geoip lookup is failing. I am not sure why.
Can someone please help?

input {
  stdin {}
}
filter {
  json {
    source => "message"
    # remove_field takes a list, so all fields go in one entry
    remove_field => [ "message", "policy_pct", "policy_disposition", "id", "policy_p" ]
  }
  mutate {
    # this creates a single top-level field literally named "source.ip"
    # (a dot in the name), not the nested field [source][ip]
    rename => { "source_ip" => "source.ip" }
  }
  geoip {
    cache_size => 10000
    source => "source.ip"
    database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb"
  }
  geoip {
    cache_size => 10000
    source => "source.ip"
    database => "/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-ASN.mmdb"
  }

  # Align is "True" when either SPF or DKIM passed; the earlier three-branch
  # chain set "True" in every branch and its "both pass" branch was unreachable
  if [auth_spf_result] == "pass" or [auth_dkim_result] == "pass" {
    mutate { add_field => { "Align" => "True" } }
  } else {
    mutate { add_field => { "Align" => "False" } }
  }
}
output {
  stdout { codec => rubydebug }
}

And here is the message which is getting parsed

{
                     "count" => 1,
                "@timestamp" => 2023-04-04T18:20:55.822Z,
             "policy_domain" => "xxx.com",
               "policy_dkim" => "pass",
                 "submitter" => "yyyy.com",
                      "tags" => [
        [0] "_geoip_lookup_failure"
    ],
    "identifier_header_from" => "xxx.com",
                 "source.ip" => "103.161.42.21",
                "date_start" => "2022-01-19T05:30:00",
           "auth_spf_result" => "pass",
                     "geoip" => {},
           "auth_spf_domain" => "xxx.com",
                      "host" => "dnsamtrap",
                  "@version" => "1",
                  "org_name" => "Yahoo",
                 "org_email" => "dmarchelp@yahooinc.com",
          "auth_dkim_result" => "pass",
             "source_domain" => "test.com",
                     "Align" => "True",
                  "date_end" => "2022-01-20T05:29:59",
          "auth_dkim_domain" => "xxx.com",
                "policy_spf" => "pass"
}

If you are running in ECS mode v8 (the default), then you should be getting an error message for each lookup:

GeoIP Filter in ECS-Compatiblity mode requires a target when `source` is not an `ip` sub-field, eg. [client][ip]

If you change your mutate to

mutate { rename => { "source_ip" => "[source][ip]" } }

then you will get

    "source" => {
         "ip" => "103.161.42.21",
        "geo" => {
                    "location" => {
                "lon" => 79.0011,
                "lat" => 21.9974
            },
            "country_iso_code" => "IN",
                    "timezone" => "Asia/Kolkata",
              "continent_code" => "AS",
                "country_name" => "India"
        }
    }
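
To make the field-reference distinction behind this answer concrete, here is an added Python model (my own code, not Logstash's and not posted in the thread) of what "source_ip" renamed to "source.ip" versus "[source][ip]" looks like inside an event, and of the ECS target rule that the quoted error describes. The rule as modelled (an "ip" sub-field's parent becomes the target, any other source needs an explicit target, and with ecs_compatibility disabled the default target is "geoip") is my reading of the plugin's documented behaviour, not its source code, and the lookup table is constructed from the values shown in this thread instead of reading an .mmdb file.

```python
import re

# Constructed stand-in for the GeoLite2-City database, using only the values
# shown in the thread's output; a real deployment reads an .mmdb file instead.
CITY_DB = {
    "103.161.42.21": {
        "location": {"lon": 79.0011, "lat": 21.9974},
        "country_iso_code": "IN",
        "timezone": "Asia/Kolkata",
        "continent_code": "AS",
        "country_name": "India",
    },
}

# Error text quoted in the thread.
ECS_TARGET_ERROR = ("GeoIP Filter in ECS-Compatiblity mode requires a target "
                    "when `source` is not an `ip` sub-field, eg. [client][ip]")


def parse_field_reference(ref):
    """Split a Logstash field reference into path segments.

    "[source][ip]" -> ["source", "ip"]  (nested field)
    "source.ip"    -> ["source.ip"]     (one top-level field whose name contains a dot)
    """
    if not ref.startswith("["):
        return [ref]
    parts = re.findall(r"\[([^\[\]]+)\]", ref)
    if "".join(f"[{p}]" for p in parts) != ref:
        raise ValueError(f"malformed field reference: {ref!r}")
    return parts


def get_field(event, path):
    """Walk a path of keys through nested dicts; None when any key is missing."""
    node = event
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def set_field(event, path, value):
    """Create intermediate dicts as needed and store value at path."""
    node = event
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def rename_field(event, old_ref, new_ref):
    """Model `mutate { rename => { old => new } }` on a dict-based event."""
    old_path = parse_field_reference(old_ref)
    parent = get_field(event, old_path[:-1]) if len(old_path) > 1 else event
    if not isinstance(parent, dict) or old_path[-1] not in parent:
        return event
    set_field(event, parse_field_reference(new_ref), parent.pop(old_path[-1]))
    return event


def resolve_target(source_ref, target=None, ecs_compatibility="v8"):
    """Derive the geoip target path (assumed reading of the plugin's ECS rule)."""
    if target is not None:
        return parse_field_reference(target)
    if ecs_compatibility == "disabled":
        return ["geoip"]                 # legacy default target
    path = parse_field_reference(source_ref)
    if len(path) >= 2 and path[-1] == "ip":
        return path[:-1]                 # [client][ip] -> [client]
    raise ValueError(ECS_TARGET_ERROR)


def geoip_filter(event, source_ref, target=None, ecs_compatibility="v8", db=CITY_DB):
    """Model one `geoip { source => ... }` pass over an event."""
    try:
        target_path = resolve_target(source_ref, target, ecs_compatibility)
    except ValueError as err:
        print(f"[ERROR] {err}")
        event.setdefault("tags", []).append("_geoip_lookup_failure")
        return event
    ip = get_field(event, parse_field_reference(source_ref))
    record = db.get(ip) if isinstance(ip, str) else None
    if record is None:
        event.setdefault("tags", []).append("_geoip_lookup_failure")
        return event
    if ecs_compatibility == "disabled":
        set_field(event, target_path, dict(record))            # geoip.country_name ...
    else:
        set_field(event, target_path + ["geo"], dict(record))  # source.geo.country_name ...
    return event


if __name__ == "__main__":
    # Constructed sample event carrying the thread's source_ip value.
    broken = rename_field({"source_ip": "103.161.42.21"}, "source_ip", "source.ip")
    print(geoip_filter(broken, "source.ip"))        # tagged _geoip_lookup_failure
    fixed = rename_field({"source_ip": "103.161.42.21"}, "source_ip", "[source][ip]")
    print(geoip_filter(fixed, "[source][ip]"))      # source.geo.* populated
```

Running it shows the first event tagged with _geoip_lookup_failure, exactly as in the question, while the second event gets its geo block nested under source; an explicit target (for example target => "[source]") is the other way to satisfy the ECS rule when the source field cannot be renamed.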

Yes - That worked. Thank you.
