
How to fix “_geoip_lookup_failure” tag with logstash filter “geoip” when posting a json with http to logstash

I am posting a JSON from an application to Logstash, wanting to get the location of an IP address with Logstash's geoip plugin. However, I get a _geoip_lookup_failure.

This is my Logstash config:

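input {
    # Accept JSON documents over HTTP POST on port 4200
    http {
        port => "4200"
        codec => json
    }
}
filter {
    # Look up the address in the "clientip" field
    geoip {
        source => "clientip"
    }
}
output {
    elasticsearch { hosts => ["localhost:9200"] }
    stdout { codec => rubydebug }
}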

This is what I post to the port:

{'used_credentials': [
    {'username': 'l', 'number_of_usages': 1, 'used_commands': {},
'get_access': 'false', 
'timestamps': {'1': '04/15/2019, 21:08:54'}, 'password': 'l'}],
 'clientip': '192.168.xxx.xx', 
'unsuccessfull_logins': 1}

And this is what I get in Logstash:

{
    "unsuccessfull_logins" => 1,
                "@version" => "1",
        "used_credentials" => [
        [0] {
                    "username" => "l",
               "used_commands" => {},
                    "password" => "l",
                  "timestamps" => {
                "1" => "04/15/2019, 21:08:54"
            },
            "number_of_usages" => 1,
                  "get_access" => "false"
        }
    ],
                "clientip" => "192.168.xxx.xx",
              "@timestamp" => 2019-04-15T19:08:57.147Z,
                    "host" => "127.0.0.1",
                 "headers" => {
           "request_path" => "/telnet",
             "connection" => "keep-alive",
        "accept_encoding" => "gzip, deflate",
           "http_version" => "HTTP/1.1",
         "content_length" => "227",
        "http_user_agent" => "python-requests/2.21.0",
         "request_method" => "POST",
            "http_accept" => "*/*",
           "content_type" => "application/json",
              "http_host" => "127.0.0.1:4200"
    },
                   "geoip" => {},
                    "tags" => [
        [0] "_geoip_lookup_failure"
    ]
}

I don't understand why the input is recognized correctly but geoip does not find it.

The problem is that your clientip is in the 192.168.0.0/16 network, which is a private network reserved for local use only; it is not present in the database used by the geoip filter.

The geoip filter will only work with public IP addresses.
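One way to apply this in the pipeline from the question, as an added example that is not part of the original answer: tag events whose clientip falls in a private, loopback or link-local range with the cidr filter, and run geoip only on the remaining addresses. The `private_ip` tag name and the list of networks are assumptions chosen for illustration.

```logstash
filter {
    # Tag addresses that can never appear in a GeoIP database.
    # "private_ip" is a tag name chosen for this example.
    cidr {
        address => [ "%{clientip}" ]
        network => [
            "10.0.0.0/8",       # RFC 1918 private ranges
            "172.16.0.0/12",
            "192.168.0.0/16",
            "127.0.0.0/8",      # loopback
            "169.254.0.0/16",   # IPv4 link-local
            "::1/128",          # IPv6 loopback
            "fc00::/7",         # IPv6 unique local
            "fe80::/10"         # IPv6 link-local
        ]
        add_tag => [ "private_ip" ]
    }

    # Only public addresses reach the lookup, so a remaining
    # _geoip_lookup_failure tag points at a real problem
    # (malformed address or an address missing from the database).
    if "private_ip" not in [tags] {
        geoip {
            source => "clientip"
        }
    }
}
```

With this filter, the event from the question would carry the `private_ip` tag instead of `_geoip_lookup_failure`, and no empty `geoip` field would be added.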
