Skip to content

Latest commit

 

History

History
65 lines (48 loc) · 3.71 KB

geoip.md

File metadata and controls

65 lines (48 loc) · 3.71 KB
Raw

Geoip filter

Status : core plugin, unit tested and maintained.

The geoip filter is used to perform a geoip lookup from a given field, and store teh result into current object.

There are two mode :

  • node-geoip-lite plugin : the database is automatically fetch when you run npm install. To update the geoip database from maxmind, go to node_modules/geoip-lite/ and execute npm run-script updatedb. This mode does not resolve ASN.
  • node-maxmind plugin. You have to provide the maxmind_dir param to specify the directory in which you deployed the Geolite db files. This mode support ASN resolving. You can use the node module maxmind-geolite-mirror to fill up the geolite directory. The plugin needs two file in the maxmind directory : GeoIPCity.dat and GeoIPASNum.dat.

The reverse dns filter can be used before geop filter to resolve hostname.

Example 1: will lookup for ip field in the geoip database, using node-geoip-lite. The resulting object will contains following fields: ip_geo_country, ip_geo_region, ip_geo_city, ip_geo_lonlat, filled with geoip lookup result. Config using url: filter://geoip://ip

Config using logstash format:

filter {
  geoip {
    field => ip
  }
}

Example 2: will lookup for http_remote_ip field in provided maxmind directory, using node-maxmin. The resulting object will contains following fields: http_remote_ip_geo_country, http_remote_ip_geo_region, http_remote_ip_geo_city, http_remote_ip_geo_lonlat, http_remote_ip_geo_asn filled with geoip lookup result. Config using url: filter://geoip://http_remote_ip?maxmind_dir=/var/db/maxmind&cache_size=1000

Config using logstash format:

filter {
  geoip {
    field => http_remote_ip
    cache_size => 1000
    maxmind_dir => /var/db/maxmind
  }
}

Parameters:

  • field: which field to work on.
  • country_field: field in which to store the geo ip country result. Default value : ip_geo_country, if the field containing the ip is ip. If you specify none, the geo ip country result will not be stored.
  • region_field: field in which to store the geo ip region result. Default value : ip_geo_region, if the field containing the ip is ip. If you specify none, the geo ip region result will not be stored.
  • city_field: field in which to store the geo ip city result. Default value : ip_geo_city, if the field containing the ip is ip. If you specify none, the geo ip city result will not be stored.
  • lonlat_field: field in which to store the geo ip longitude and latitude result. Default value : ip_geo_lonlat, if the field containing the ip is ip. If you specify none, the geo ip longitude and latitude result will not be stored.
  • asn_field: field in which to store the asn result. Default value : ip_geo_asn, if the field containing the ip is ip. If you specify none, the geo ip asn result will not be stored.
  • cache_*: cache configuration. More doc at cache.

Note if you are using the native package

For reduce the size of the package, the native package does not contains any geoip database. The recommended mode is node-maxmind.

To enable it, just type

node-logstash config:set MAXMIND_DB_DIR=/var/db/node-logstash/maxmind/
node-logstash run node_modules/.bin/maxmind-geolite-mirror
service node-logstash restart

The geoip plugin will use the env var MAXMIND_DB_DIR be auto configured (the maxmind_diris not needed.).

To refresh the database, just add a weekly cron

2 2 0 * * node-logstash run node_modules/.bin/maxmind-geolite-mirror