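How to fix the "_geoip_lookup_failure" tag with the logstash "geoip" filter when posting JSON over http to logstash

Time: 2019-04-15 19:28:25

Tags: json logstash logstash-filter

I am posting JSON from an application to logstash and want to get the location of an IP address through logstash's geoip plugin. However, I get a _geoip_lookup_failure.

This is my logstash config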

input {
  http {
    port => "4200"
    codec => json
  }
}
filter {
  geoip {
    source => "clientip"
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

This is what I post to the port:

{'used_credentials': [
    {'username': 'l', 'number_of_usages': 1, 'used_commands': {},
'get_access': 'false', 
'timestamps': {'1': '04/15/2019, 21:08:54'}, 'password': 'l'}],
 'clientip': '192.168.xxx.xx', 
'unsuccessfull_logins': 1}

This is what I get in logstash:

{
    "unsuccessfull_logins" => 1,
                "@version" => "1",
        "used_credentials" => [
        [0] {
                    "username" => "l",
               "used_commands" => {},
                    "password" => "l",
                  "timestamps" => {
                "1" => "04/15/2019, 21:08:54"
            },
            "number_of_usages" => 1,
                  "get_access" => "false"
        }
    ],
                "clientip" => "192.168.xxx.xx",
              "@timestamp" => 2019-04-15T19:08:57.147Z,
                    "host" => "127.0.0.1",
                 "headers" => {
           "request_path" => "/telnet",
             "connection" => "keep-alive",
        "accept_encoding" => "gzip, deflate",
           "http_version" => "HTTP/1.1",
         "content_length" => "227",
        "http_user_agent" => "python-requests/2.21.0",
         "request_method" => "POST",
            "http_accept" => "*/*",
           "content_type" => "application/json",
              "http_host" => "127.0.0.1:4200"
    },
                   "geoip" => {},
                    "tags" => [
        [0] "_geoip_lookup_failure"
    ]
}

I don't understand why the input is fully recognized but geoip can't find it.

1 answer:

Answer 0: (score: 0)

The problem is that your clientip is in the 192.168.0.0/16 network, which is a private network reserved for local use only; it is not present in the database used by the geoip filter.

The geoip filter will only work with public IP addresses.
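
One way to keep events from internal clients free of the failure tag, as an added example that is not part of the original answer: tag private and loopback sources first and run geoip only on the rest. It assumes the cidr filter plugin is installed; the tag name private_ip is a label chosen here for illustration.

```logstash
filter {
  # Tag events whose clientip falls in an RFC 1918 or loopback range.
  # These ranges have no entry in the GeoIP database.
  cidr {
    address => [ "%{clientip}" ]
    network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
    add_tag => [ "private_ip" ]   # hypothetical tag name
  }

  # Look up only addresses that were not tagged as private.
  if "private_ip" not in [tags] {
    geoip {
      source => "clientip"
    }
  }
}
```

With this in place, a remaining _geoip_lookup_failure tag points at a public address that is missing from the database rather than at internal traffic.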