Feature request/recipe suggestion - up to date geoip data
Posted: Tue Jun 28, 2016 1:52 pm
One of the selling points for us was the '5 minute dashboard' aka 'Better Apache Dashboard' by Scott Wilkerson, and the ease of applying geoip data to incoming logs.
Upon closer inspection it seems that logstash-filter-geoip plugin uses a fairly dated set of data from 2013. While that's a safe default, it would be nice to have something more up to date. Perhaps the NLS image could leverage this, or maybe other people would find it useful.
1) install geoip packages:
- CentOS 6.x (used by nagios log server VM)
yum install GeoIP GeoIP-GeoLite-data GeoIP-GeoLite-data-extra
- CentOS 7.x
yum install GeoIP GeoIP-update
2) In your grok filters when 'geoip' function is called, point it to the database managed by the geoip packages:
geoip {
database => "/usr/share/GeoIP/GeoLiteCity.dat"
source => 'some_field'
}
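As an added example (not part of the original post or of Nagios Log Server), the steps above wrapped in a small POSIX shell script: it checks that the distro-managed GeoLite database is present and not stale, picks the refresh command for the CentOS release, and prints the Logstash geoip stanza from the post with the path filled in. The database path and package names are the ones from the post; the 60-day staleness limit, the `clientip` source field and the `/etc/redhat-release` parsing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths and package names come
# from the post; MAX_AGE_DAYS, the source field and release parsing are assumed.

GEOIP_DB=${GEOIP_DB:-/usr/share/GeoIP/GeoLiteCity.dat}
MAX_AGE_DAYS=${MAX_AGE_DAYS:-60}   # assumption: anything older is treated as stale

# Age of a file in whole days (GNU stat first, BSD stat as fallback).
file_age_days() {
    f=$1
    now=$(date +%s)
    mtime=$(stat -c %Y "$f" 2>/dev/null || stat -f %m "$f")
    echo $(( (now - mtime) / 86400 ))
}

# 0 = database present and fresh, 1 = missing, 2 = older than MAX_AGE_DAYS.
check_geoip_db() {
    db=$1
    if [ ! -r "$db" ]; then
        echo "geoip database not found: $db" >&2
        return 1
    fi
    age=$(file_age_days "$db")
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
        echo "geoip database $db is $age days old (limit $MAX_AGE_DAYS)" >&2
        return 2
    fi
    return 0
}

# Refresh command for the packages named in the post, keyed on the
# /etc/redhat-release string (passed in so this can be tested offline).
geoip_refresh_cmd() {
    case "$1" in
        *"release 6."*) echo "yum -y update GeoIP-GeoLite-data GeoIP-GeoLite-data-extra" ;;
        *"release 7."*) echo "geoipupdate" ;;   # provided by the GeoIP-update package
        *) echo "unsupported release: $1" >&2; return 1 ;;
    esac
}

# The Logstash filter stanza from the post, with database path and source field filled in.
geoip_filter_stanza() {
    db=$1; src=$2
    printf 'filter {\n  geoip {\n    database => "%s"\n    source => "%s"\n  }\n}\n' "$db" "$src"
}

# Usage when run directly: only emit the stanza if the database is usable.
if check_geoip_db "$GEOIP_DB"; then
    geoip_filter_stanza "$GEOIP_DB" clientip   # clientip is assumed (e.g. from an Apache grok pattern)
else
    [ -r /etc/redhat-release ] && echo "refresh with: $(geoip_refresh_cmd "$(cat /etc/redhat-release)")" >&2
fi
```

Drop this into cron alongside the refresh command so a stale or removed database is noticed before the dashboard silently starts showing empty geoip fields.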