<img src="//i.stack.imgur.com/RUiNP.png" height="16" width="18" alt="" class="sponsor tag img">elasticsearch Logstash geoip不为我工作_<img Src="//i.stack.imgur.com/RUiNP.png" Height="16" Width="18" Alt="" Class="sponsor Tag Img">elasticsearch_Logstash_Geoip_Kibana 4

elasticsearch Logstash geoip不为我工作

logstash

elasticsearch Logstash geoip不为我工作,elasticsearch,logstash,geoip,kibana-4,elasticsearch,Logstash,Geoip,Kibana 4,我正在尝试使用elasticsearch和logstash并获取geoip位置过滤器。我有一些日志文件，grok filter正在为其工作，但geoip filter不工作。我的conf文件是 input { stdin { } } filter { grok { match => [ "message" , "%{IP:ip} %{USER:ident} %{USER:

我正在尝试使用elasticsearch和logstash并获取geoip位置过滤器。我有一些日志文件，grok filter正在为其工作，但geoip filter不工作。我的conf文件是

input {

  stdin { }
}

filter { 

        grok {
                match => [ 
                            "message" , "%{IP:ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{DATA:request}/%{UUID:tenant}\/%{WORD:ren}\/%{WORD:rem}\/%{WORD:component}?%{DATA:rest}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" 
                        ]
        }
        geoip {
          source => "ip"
        }

}
output {
   stdout{codec => rubydebug }
}

当我运行这个

C:\A1-Kapil\B9-ELK\logstash\bin>logstash -f sample2.conf -l test.log --verbose
io/console not supported; tty will not be manipulated
Sending logstash logs to test.log.
10.45.32.9 - - [06/Jul/2014:06:44:35 -0700] "GET /NSDServices/odata/DiscoveryCon
fig?$format=JSON HTTP/1.1" 200 1556 0.020
{
       "message" => "10.45.32.9 - - [06/Jul/2014:06:44:35 -0700] \"GET /NSDServi
ces/odata/DiscoveryConfig?$format=JSON HTTP/1.1\" 200 1556 0.020\r",
      "@version" => "1",
    "@timestamp" => "2015-10-31T06:02:34.372Z",
          "host" => "LKUMAK7W7HYD",
            "ip" => "10.45.32.9",
         "ident" => "-",
          "auth" => "-",
     "timestamp" => "06/Jul/2014:06:44:35 -0700",
    "rawrequest" => "GET /NSDServices/odata/DiscoveryConfig?$format=JSON HTTP/1.
1",
      "response" => "200",
         "bytes" => "1556"
}

你可以看到我得到了ip，但没有得到geoip字段

同时，如果我使用这个conf文件：

input
{
   stdin { }
}

filter
{
   grok { match => ['message', '%{IP:ip}' ] }
   geoip
   {
     source => "ip"
   }
}

output
{
  stdout { codec => rubydebug }
}

如果我运行它，得到正确的输出

C:\A1-Kapil\B9-ELK\logstash\bin>logstash -f sample2.conf -l test.log --verbose
io/console not supported; tty will not be manipulated
Sending logstash logs to test.log.
8.8.8.8
{
       "message" => "8.8.8.8\r",
      "@version" => "1",
    "@timestamp" => "2015-10-31T05:57:10.252Z",
          "host" => "LKUMAK7W7HYD",
            "ip" => "8.8.8.8",
         "geoip" => {
                      "ip" => "8.8.8.8",
           "country_code2" => "US",
           "country_code3" => "USA",
            "country_name" => "United States",
          "continent_code" => "NA",
             "region_name" => "CA",
               "city_name" => "Mountain View",
             "postal_code" => "94043",
                "latitude" => 37.41919999999999,
               "longitude" => -122.0574,
                "dma_code" => 807,
               "area_code" => 650,
                "timezone" => "America/Los_Angeles",
        "real_region_name" => "California",
                "location" => [
            [0] -122.0574,
            [1] 37.41919999999999
        ]
    }
}

这就是它的工作原理。

这是因为您试图匹配一个私有IP地址（即

10.x.x.x

），而这些地址没有GeoIP数据。这看起来非常类似于，它还指出了如何为您自己的专用地址空间构建GeoIP DB。感谢这帮助我找到根本原因…这是因为您试图匹配专用IP地址（即

10.x.x.x

），而这些地址没有GeoIP数据。这看起来非常类似于，它还指出了如何为您自己的私有地址空间构建GeoIP数据库。感谢这帮助我找到根本原因。。。