Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 10:01 am
by eloyd
Do I need to do something special to enable GeoIP from our Apache 2.2 access logs? I'm not seeing any of it show up in Scott's otherwise fantastic Better Apache Dashboard.

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 2:37 pm
by scottwilkerson
Add the filter as you see on slide 19
http://www.slideshare.net/nagiosinc/sco ... ith-nagios

Code:

if [program] == 'apache_access' {
    # Look up location data for the client IP parsed from the Apache access log
    geoip {
        source => 'clientip'
    }
}

Then apply configuration

One caveat is that it will not be retroactive, but will start on all logs coming in after that is applied.

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 2:42 pm
by scottwilkerson
I edited the exchange listing to reflect the need for this filter.

Better Apache Log Analysis

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 3:18 pm
by eloyd
Okay, I do remember that now, but I am a total ELK newb. How do I get your JSON from two posts ago into my NLS? :evil:

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 3:22 pm
by tmcdonald
Administration -> Global Configuration -> Add Filter. Make sure to save, verify, then apply.

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 3:29 pm
by eloyd
Aaaah. Okay. I was trying to do it through "Manage queries" and importing. This works much better. In fact, it works!! :-) Thanks!

See? Good thing you didn't click that eloyd button! :-)

Re: Better Apache Dashboard - no GeoIP info

Posted: Thu Oct 23, 2014 3:55 pm
by tmcdonald
Queries are also JSON-encoded, so I can understand the mixup.

And hey, the eloyd button might come in handy later if we offer an iPad 3 next year :D

Re: Better Apache Dashboard - no GeoIP info

Posted: Fri Oct 24, 2014 8:03 am
by scottwilkerson
For clarity, the filter listed above isn't JSON. I know it looks like JSON, but it is actually a fragment of logstash configuration syntax.

In Nagios Log Server we give the ability to bust up logstash inputs, filters and outputs from normal logstash configurations into fragments or config blocks. These blocks can be rearranged by dragging and dropping them to reorder.

This can be useful because the order in which the filter fragments run can be important: you could be adding tags in early filters to specific messages, and then using later filters to process the message in a different manner based on the tags you set.
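
An added example, not part of the original post or of Nagios Log Server's shipped configuration, showing the ordering point with the thread's own geoip filter: an early fragment tags internal clients, and a later fragment runs the lookup only for untagged events. The `cidr` filter being available in your install, the network list and the `internal_client` tag name are assumptions.

```logstash
# Fragment 1 (assumed name "tag internal clients"): must sit ABOVE fragment 2.
# Tags Apache access events whose client IP is in private or loopback space,
# since a GeoIP lookup on those addresses returns nothing useful.
if [program] == 'apache_access' {
    cidr {
        address => [ "%{clientip}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
        add_tag => [ "internal_client" ]   # hypothetical tag name
    }
}

# Fragment 2 (assumed name "apache geoip"): must sit BELOW fragment 1.
# If it runs first, the tag does not exist yet and every event gets a lookup.
if [program] == 'apache_access' and "internal_client" not in [tags] {
    geoip {
        source => 'clientip'
    }
}
```

Dragging fragment 2 above fragment 1 raises no configuration error; the condition on `[tags]` simply never excludes anything, so verify the order after saving and before applying.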

Re: Better Apache Dashboard - no GeoIP info

Posted: Fri Oct 24, 2014 12:59 pm
by eloyd
I'm looking forward to the definitive guide to NLS for those that don't know ELK, but in the meantime, I've managed to do some pretty cool reporting things with our VoIP platform. I may even submit one of the dashboards to the contest...

Re: Better Apache Dashboard - no GeoIP info

Posted: Fri Oct 24, 2014 2:10 pm
by tmcdonald
Gonna close this one up for the sake of organization, but we love seeing stuff like this in use! Keep in touch with any other cool things you're doing, especially the VoIP stuff.