logstash-plugins/logstash-filter-geoip

GeoLite2 support

jordansissel opened this issue · 34 comments

(This issue was originally filed by @coder3000 at elastic/logstash#1709)


Will logstash support geolite2 in future? I am using geolite2 on server-side and there is some discrepancy caused by logstash. Specifying geolite2 db in geoip filter spits out errors.

I developed a Logstash-filter-geoip2 to support maxmindDB/geoip2.
Actually the code was based on logstash-filter-geoip; I replaced its main code with the official maxmindDB Java API.
It currently only supports city information, limited by the Ruby code I wrote in geoip2.rb.
Note: This plugin doesn't include any maxmindDB database file. My company has it, but it will not be open to external.
I hope we can improve this plugin together.

I was thinking of doing the same thing, could not see your code (404). Makes sense to build off the Java API and support the various databases. Looking at geoip it should be a pretty trivial extension.

Voting for GeoIP2 support in logstash-filter-geoip

+1

+1

hp197 commented

https://github.com/hp197/logstash-filter-geoip2

This is an initial release and WILL contain bugs.

Also note that the output of this plugin is slightly different.
I'm thinking about adding an option to have legacy output (which makes it backward compatible).

{
    "message" => "8.8.8.8",
    "@version" => "1",
    "@timestamp" => "2015-11-09T16:17:30.441Z",
    "type" => "test",
    "host" => "localhost",
    "geoip" => {
        "city" => "Mountain View",
        "continent" => {
            "code" => "NA",
            "name" => "North America"
        },
        "country" => {
            "iso_code" => "US",
            "name" => "United States"
        },
        "location" => {
            "latitude" => 37.386,
            "longitude" => -122.0838,
            "metro_code" => 807,
            "time_zone" => "America/Los_Angeles"
        },
        "postal" => "94040",
        "subdivisions" => [
            [0] {
                "iso_code" => "CA",
                "name" => "California"
            }
        ]
    }
}
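
An added example, not part of hp197's post or the plugin's code: one way a consumer could flatten the nested output above into flat keys, so that queries and dashboards written against the older schema keep matching. The flat key names (`country_code2`, `city_name`, `region_name`, ...) are assumptions modelled on the legacy filter's output; check them against your own index mapping.

```ruby
# Added example. Legacy-side key names are assumptions, not the plugin's code.
LEGACY_PATHS = {
  "city_name"      => %w[city],
  "continent_code" => %w[continent code],
  "country_code2"  => %w[country iso_code],
  "country_name"   => %w[country name],
  "latitude"       => %w[location latitude],
  "longitude"      => %w[location longitude],
  "dma_code"       => %w[location metro_code],
  "timezone"       => %w[location time_zone],
  "postal_code"    => %w[postal]
}.freeze

# Walk a key path, returning nil as soon as a level is missing or not a Hash.
def dig_path(node, path)
  path.reduce(node) { |cur, key| cur.is_a?(Hash) ? cur[key] : nil }
end

def to_legacy_geoip(geoip)
  return {} unless geoip.is_a?(Hash)
  flat = {}
  LEGACY_PATHS.each do |legacy_key, path|
    value = dig_path(geoip, path)
    flat[legacy_key] = value unless value.nil?
  end
  # Assumption: the first (largest) subdivision stands in for the legacy region.
  region = Array(geoip["subdivisions"]).first
  if region.is_a?(Hash)
    flat["region_name"] = region["iso_code"] if region["iso_code"]
    flat["real_region_name"] = region["name"] if region["name"]
  end
  # Legacy-style location pair in [longitude, latitude] order.
  if flat["latitude"] && flat["longitude"]
    flat["location"] = [flat["longitude"], flat["latitude"]]
  end
  flat
end

# Values taken from the sample event in the comment above.
SAMPLE_GEOIP = {
  "city" => "Mountain View",
  "continent" => { "code" => "NA", "name" => "North America" },
  "country" => { "iso_code" => "US", "name" => "United States" },
  "location" => { "latitude" => 37.386, "longitude" => -122.0838,
                  "metro_code" => 807, "time_zone" => "America/Los_Angeles" },
  "postal" => "94040",
  "subdivisions" => [{ "iso_code" => "CA", "name" => "California" }]
}.freeze
```

Lookups that return only partial data (no city, no subdivisions) yield only the keys that were present, so downstream rules should test for key existence rather than assume every field.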

👍

@hp197 👍

+1

Sorry for deleting my Logstash-filter-geoip2 project a year ago. Recently I recreated this project on GitHub. You are free to use this logstash plugin.

  • This plugin has been running in my company's logstash instance for more than one year with 2TB+ data every day.
  • GeoLite2-City.mmdb from official free maxmindDB database is included.
  • I will publish a gem to rubygems.org to make installation as easy as other logstash plugins in the future.

Need your feedback!

@garyelephant thanks. Why not create a PR for this repo so we can update this plugin to GeoLite2? We can bump to major version then?

It's confusing to have 2 plugins for geoip.

@suyograo Makes sense. I'm going to do this.

Great news!

Why not this library https://github.com/yhirose/maxminddb? It's pure Ruby, I believe.

Thanks,

@garyelephant woot! Let us know if you need help. We added caching in #40, so that and your Java implementation would improve the performance here.

@ebuildy we could, but at this time, LS does not work well with anything other than JRuby, so why not use the java implementation?

Ya agree, I don't know ;-)

I hope this new version will preload the database like geoip can do (https://github.com/cjheath/geoip/blob/master/lib/geoip.rb#L239). I saw a big improvement with that.

Hello any update on this? cheers

@ebuildy nothing I'm aware of. I searched for geoip2 on open PRs in this repo and didn't find anything.

Just tested geoip2, works fine as expected.

BTW, a good point => https://github.com/maxmind/GeoIP2-java#multi-threaded-use , this means we don't need the Thread.current[@threadkey] trick, isn't it? (and share maxmind built-in cache between threads)

@ebuildy Thanks for your advice, I will improve the code.

@garyelephant I did a small fork (https://github.com/ebuildy/logstash-filter-geoip2), moved to 2.4.0 because they added built-in cache.

BTW 2.6.0 is not compatible with logstash 2.2 because of a jackson library conflict (should be fixed with logstash 3.0).

@ebuildy @garyelephant I am super excited to get this change into this plugin. Any ETA? :)

You can give my fork or garyelephant's a try. Any advice about how to integrate the Java JAR vendor?

I am finishing logstash-plugins/logstash-filter-useragent#23 PR, then I could spend some time on it.

@ebuildy Good, I'm going to make a pull request to logstash-filter-geoip this week.

Great!

Hello, I have almost finished implementing all former fields:

https://github.com/ebuildy/logstash-filter-geoip2/blob/master/lib/logstash/filters/geoip.rb

Still a few issues when running spec tests, but I am on it!

Thanks @ebuildy, I forked this repo and updated its code to geoip2. Could you please commit your code in this repo by pull request? After that, I can make a pull request to this repo to make geoip2 available to the community.

One more thing, I moved the geoip2 jar dependencies to the lib dir.

#64 I made a PR, please take a look, @ebuildy, @suyograo. Should I bump the version?

People also use this plugin with the legacy ASN database. The ASN number and name lookups are now provided by the same geoip2 database. Can these please also be considered in the legacy naming support?

e.g.

"dest_asn": {
  "number": "AS16509",
  "asn": "Amazon.com, Inc."
}

GeoIP2 and IPv6 support has been added in version 3.0.0 of this plugin for LS versions <= 2.x and 4.0.0 for LS version >= 5.x. Many thanks to @garyelephant and @ebuildy for helping out!