Daniel

Reputation: 89

Not able to use geo_ip in Logstash 2.4

I'm trying to use geoip from the Apache access log with Logstash 2.4, Elasticsearch 2.4, Kibana 4.6.

My Logstash filter is...

    input {
      file {
        path => "/var/log/httpd/access_log"
        type => "apache"
        start_position => "beginning"
      }
    }

    filter {
      grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
      }
      geoip {
        source => "clientip"
        target => "geoip"
        database => "/home/elk/logstash-2.4.0/GeoLiteCity.dat"
        #add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
      }
    }

    output {
      stdout { codec => rubydebug }
      elasticsearch {
        hosts => ["192.168.56.200:9200"]
        sniffing => true
        manage_template => false
        index => "apache-geoip-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
      }
    }

And if Elasticsearch parses some Apache access log, the output is...

    {
       "message" => "xxx.xxx.xxx.xxx [24/Oct/2016:14:46:30 +0900] HTTP/1.1 8197 /images/egovframework/com/cmm/er_logo.jpg 200",
      "@version" => "1",
    "@timestamp" => "2016-10-24T05:46:34.505Z",
          "path" => "/NCIALOG/JBOSS/SMBA/default-host/access_log.2016-10-24",
          "host" => "smba",
          "type" => "jboss_access_log",
      "clientip" => "xxx.xxxx.xxx.xxx",
         "geoip" => {
                      "ip" => "xxx.xxx.xxx.xxx",
           "country_code2" => "KR",
           "country_code3" => "KOR",
            "country_name" => "Korea, Republic of",
          "continent_code" => "AS",
             "region_name" => "11",
               "city_name" => "Seoul",
                "latitude" => xx.5985,
               "longitude" => xxx.97829999999999,
                "timezone" => "Asia/Seoul",
        "real_region_name" => "Seoul-t'ukpyolsi",
                "location" => [
            [0] xxx.97829999999999,
            [1] xx.5985
        ],
             "coordinates" => [
            [0] xxx.97829999999999,
            [1] xx.5985
        ]
    }
    }

I am not able to see the geo_point field.

Please help me. Thanks.

tile map error

I added my error in the tile map.

It says "logstash-* index pattern does not contain any of the following field types: geo_point"

Upvotes: 0

Views: 196

Answers (1)

Renaud Michotte

Reputation: 389

Mmmmm.... the geoip fields are already in your response!

In the field "geoip" you can find all the needed information (ip, continent, country name, ...). The added coordinates field is present too. So, what's the problem?

Upvotes: 1
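
The tile map error quoted in the question is about field types in the index mapping, not about whether the values appear in the rubydebug output: a `[lon, lat]` array of floats that Elasticsearch maps dynamically is typed `double`, not `geo_point`. The script below is an added example, not code from this thread; it lists the `geo_point` fields in an Elasticsearch 2.x `_mapping` response, and the sample mappings, index name and type name in it are constructed for illustration.

```python
import copy

# Constructed sample in the shape of an Elasticsearch 2.x
# `GET /<index>/_mapping` response. Index and type names are assumptions.
# With no index template applied, float arrays are mapped dynamically as double.
DYNAMIC = {
    "apache-geoip-2016.10.24": {"mappings": {"apache": {"properties": {
        "clientip": {"type": "string"},
        "geoip": {"properties": {
            "country_name": {"type": "string"},
            "latitude": {"type": "double"},
            "longitude": {"type": "double"},
            "location": {"type": "double"},
            "coordinates": {"type": "double"},
        }},
    }}}}
}

# The same index as it would look if a template had declared geoip.location
# as geo_point before the index was created (also constructed).
TEMPLATED = copy.deepcopy(DYNAMIC)
_props = TEMPLATED["apache-geoip-2016.10.24"]["mappings"]["apache"]["properties"]
_props["geoip"]["properties"]["location"] = {"type": "geo_point"}


def fields_of_type(mapping_response, wanted):
    """Return sorted 'index/doc_type/field.path' entries whose type is `wanted`."""
    found = []

    def walk(props, prefix, where):
        for name, spec in props.items():
            path = prefix + name
            if spec.get("type") == wanted:
                found.append(where + "/" + path)
            # Object fields keep their children under "properties".
            walk(spec.get("properties", {}), path + ".", where)

    for index, body in mapping_response.items():
        for doc_type, type_mapping in body.get("mappings", {}).items():
            walk(type_mapping.get("properties", {}), "", index + "/" + doc_type)
    return sorted(found)


if __name__ == "__main__":
    for label, sample in (("dynamic", DYNAMIC), ("templated", TEMPLATED)):
        hits = fields_of_type(sample, "geo_point")
        print(label, "->", hits or "no geo_point field; tile map will refuse this index")
```

Against a live cluster, pass it the parsed JSON returned by `GET /apache-geoip-*/_mapping`.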
