GeoIP

[billy_strath]

Can we use the geoIP command that is in elastic search to give the country location? https://www.elastic.co/blog/geoip-in-the-elastic-stack. If so is it already packaged or do we need to install it somehow? Thanks

[cdienger]

All you need to do to enable it is create a filter using geoip. See https://www.youtube.com/watch?v=xj4GnpMyjc0.

[billy_strath]

thanks - done that and its awesome!

Just one thing though - when I go to export to a CSV the field "geoip.country_name" is blank, although it has data when viewed in the web GUI. We are running version 2.0.7.

Any thoughts?

Thanks

[ssax]

Please send us what you have set for your filter, I'm going to lab this up and see if I'm able to replicate it.

[ssax]

This is a bug, the CSV export functionality doesn't support subarrays, the developers will need to fix this, I've created a bug report here:

Code: Select all

NEW TASK ID 14353 created - Nagios Log Server Bug Report: LS - Add subarray CSV output support, currently subarray values show as blank

You can edit this file:

Code: Select all

/var/www/html/nagioslogserver/application/controllers/Dashboard.php

And at the bottom, change this:

Code: Select all

    // Output CSV format
        print implode(',', $fields) . "\n";
        foreach ($data['hits']['hits'] as $hit) {
            $tmp = array();
            foreach ($fields as $i) {
                $field = "";
                        if (@isset($hit['_source'][$i])) {
                        $field = $hit['_source'][$i];
                    } else {
                        $field = $hit[$i];
                    }
                }

                $tmp[] = '"'.trim(str_replace(array("\r", "\n", "'"), array(" ", " ", "'"), html_entity_decode($field))).'"';
            }
            print implode(',', $tmp) . "\n";

To this:

Code: Select all

        // Output CSV format
        print implode(',', $fields) . "\n";
        foreach ($data['hits']['hits'] as $hit) {
            $tmp = array();
            foreach ($fields as $i) {

                $field = "";
                if (!strpos($i, '.')) {
                    // If strpos is zero, we really don't know how to handle that, fall through to this anyways.

                    if (@isset($hit['_source'][$i])) {
                        $field = $hit['_source'][$i];
                    } else {
                        $field = $hit[$i];
                    }
                }
                else {

                    $keys = explode('.', $i);
                    $field = $hit['_source'];
                    for ($j = 0; $j < count($keys); $j++) {
                        if (@isset($field[$keys[$j]])) {
                            $field = $field[$keys[$j]];
                        }
                    }
                }

                $tmp[] = '"'.trim(str_replace(array("\r", "\n", "&apos;"), array(" ", " ", "'"), html_entity_decode($field))).'"';
            }
            print implode(',', $tmp) . "\n";

Now it should work.

[billy_strath]

cheers - will just wait for a fix

[scottwilkerson]

cheers - will just wait for a fix

Great!

Locking