geoip accuracy question

[benhank]

Hey guys how do I verify that the geoip plugin is updated with the latest geoip data?
A question arose regarding the accuracy of the geoip maps that I created, and I suddenly realized that I don't actually know how accurate it is nor do I know how to check.

[jdunitz]

Well, the files that ship with the Logserver are kind of old:

Code: Select all

[root@jpd-nagiosls2 vendor]# pwd
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-2.0.7/vendor
[root@jpd-nagiosls2 vendor]# ls -l
total 21404
-rwxrwxr-x. 1 nagios nagios  3545918 Jan 28 15:23 GeoIPASNum-2014-02-12.dat
-rwxrwxr-x. 1 nagios nagios 18370259 Jan 28 15:23 GeoLiteCity-2013-01-18.dat
[root@jpd-nagiosls2 vendor]#

You could download newer ones and replace them, however. If accuracy is your concern, that would be a good idea.

Hope that's helpful!
--Jeffrey

[benhank]

THANKS

[benhank]

but how do I do that?

[jdunitz]

The safest thing to do is to go to

https://dev.maxmind.com/geoip/geoip2/geolite2/

and sign up to download the latest file.

Then you can write a new filter that points to the new file, wherever you want to put it:

Code: Select all

geoip {
source => 'clientip'
database  => "/path/to/the/GeoLite2-City.mmdb"
}

more info is here:
https://www.elastic.co/guide/en/logstas ... geoip.html

You could also move the current file out of that directory (but keep it just in case...), put the new file in it's place, and restart logstash.
I don't know that that's 100% compatible with the version of the code that loads it, though. It should be, but it may not be.

Hope that's clearer.
--Jeffrey

[benhank]

Hey thanks! I appreciate the help! you can lock it up!

[scottwilkerson]

Hey thanks! I appreciate the help! you can lock it up!

great

Locking