One of the selling points for us was the '5 minute dashboard' aka 'Better Apache Dashboard' by Scott Wilkerson', and the ease of applying geoip data to incoming logs.
Upon closer inspection it seems that logstash-filter-geoip plugin uses a fairly dated set of data from 2013. While that's a safe default, it would be nice to have something more up to date. Perhaps the NLS image could leverage this, or maybe other people would find it useful.
1) install geoip packages:
- CentOS 6.x (used by nagios log server VM)
yum install GeoIP GeoIP-GeoLite-data GeoIP-GeoLite-data-extra
- CentOS 7.x
yum install GeoIP GeoIP-update
2) In your grok filters when 'geoip' function is called, point it to the database managed by the geoip packages:
geoip {
database => "/usr/share/GeoIP/GeoLiteCity.dat"
source => 'some_field'
}
Feature request/recipe suggestion - up to date geoip data
Re: Feature request/recipe suggestion - up to date geoip dat
Thanks for the contribution! I created a FR for NLS to use the GeoIP packages, rather then the static file, so that upon updating the package the most recent information is displayed. I also put a note in there that if not that, then an option to specify which DB to use so if you wanted to download a new Maxmind database, and update manually, you could. The ID for it is #8934.
Former Nagios Employee