Open pemontto opened 7 years ago
I can confirm that it behaves strangely with asn/isp database (getting the same error).
This worked for me, though: specify the fields you want like this:
```
geoip {
  source => "id.resp_h"
  target => "resp_isp"
  database => "/opt/geoip/GeoIP2-ISP.mmdb"
  fields => ["ISP", "AUTONOMOUS_SYSTEM_NUMBER", "AUTONOMOUS_SYSTEM_ORGANIZATION", "ORGANIZATION"]
}
```
Can confirm this happens for me too on logstash-filter-geoip (6.0.3)
I am using elasticsearch 7.9.3, and I have a new (not legacy) index template called logstash-*.
If I comment out this line in my geoip filter, the error goes away:
```
#fields => [ as_org, asn ]
```
```
Nov 17 21:58:34 elastic-srv logstash[1442798]: [2020-11-17T21:58:34,475][ERROR][logstash.agent] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Reload<main>, action_result: false", :backtrace=>nil}
Nov 17 21:58:34 elastic-srv logstash[1442798]: [2020-11-17T21:58:34,501][INFO ][logstash.outputs.elasticsearch][main] Attempting to install template {:manage_template=>{
  "index_patterns" => "logstash-*", "version" => 60001,
  "settings" => { "index.refresh_interval" => "5s", "number_of_shards" => 1 },
  "mappings" => {
    "dynamic_templates" => [
      { "message_field" => { "path_match" => "message", "match_mapping_type" => "string",
                             "mapping" => { "type" => "text", "norms" => false } } },
      { "string_fields" => { "match" => "*", "match_mapping_type" => "string",
                             "mapping" => { "type" => "text", "norms" => false,
                                            "fields" => { "keyword" => { "type" => "keyword", "ignore_above" => 256 } } } } }
    ],
    "properties" => {
      "@timestamp" => { "type" => "date" },
      "@version"   => { "type" => "keyword" },
      "geoip" => {
        "dynamic" => true,
        "properties" => {
          "ip"        => { "type" => "ip" },
          "location"  => { "type" => "geo_point" },
          "latitude"  => { "type" => "half_float" },
          "longitude" => { "type" => "half_float" }
        }
      }
    }
  }
}}
```
Logstash crashes when supplying valid fields for the ASN database.
```json
{"src_ip": "2.8.8.8"}
```
I was expecting the code to allow any number of fields and do a best effort to extract them rather than have a static list which can get outdated.
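The behaviour the report asks for (accept any list of field names, fill in whatever the database carries, and never abort the lookup over a name the static list does not know) is sketched below as an added example in Python. It is not code from logstash-filter-geoip. The record dictionaries are constructed to look like what a MaxMind reader returns for an ISP or ASN database; the field-name table, the output keys `asn`/`as_org` (taken from the lowercase names in the thread), and the `extract_fields`/`enrich_event` helpers are assumptions of this example, not the plugin's API. The failure tag `_geoip_lookup_failure` is the filter's default `tag_on_failure` value.

```python
"""Best-effort extraction of ASN/ISP fields from a decoded GeoIP record.

Added example, not logstash-filter-geoip code. Models the approach the issue
asks for: take any list of requested field names, return what the record
actually has, and report the rest instead of crashing the pipeline.
"""

# Filter-style field name -> (key in the decoded record, key written to target).
# Names and output keys are assumptions of this example; the lowercase aliases
# mirror `fields => [ as_org, asn ]` from the thread.
FIELD_MAP = {
    "AUTONOMOUS_SYSTEM_NUMBER": ("autonomous_system_number", "asn"),
    "AUTONOMOUS_SYSTEM_ORGANIZATION": ("autonomous_system_organization", "as_org"),
    "ISP": ("isp", "isp"),
    "ORGANIZATION": ("organization", "organization"),
    "ASN": ("autonomous_system_number", "asn"),
    "AS_ORG": ("autonomous_system_organization", "as_org"),
}

# Constructed sample records (values made up). An ISP database carries all four
# keys; an ASN-only database carries just the two autonomous_system_* keys.
SAMPLE_ISP_RECORD = {
    "autonomous_system_number": 64496,
    "autonomous_system_organization": "Example AS Org",
    "isp": "Example ISP",
    "organization": "Example Org",
}
SAMPLE_ASN_RECORD = {
    "autonomous_system_number": 64496,
    "autonomous_system_organization": "Example AS Org",
}


def extract_fields(record, requested):
    """Return (extracted, unknown, missing).

    extracted: output key -> value for every requested field the record has
    unknown:   requested names this table does not recognise at all
    missing:   recognised names that this particular database does not carry
    Nothing raises here, so one bad or absent field never takes the pipeline down.
    """
    extracted, unknown, missing = {}, [], []
    for name in requested:
        key = name.strip().upper()
        if key not in FIELD_MAP:
            unknown.append(name)
            continue
        record_key, out_key = FIELD_MAP[key]
        value = record.get(record_key)
        if value is None:
            missing.append(name)
        else:
            extracted[out_key] = value
    return extracted, unknown, missing


def enrich_event(event, target, requested, record):
    """Attach whatever was extracted under `target`; tag the event when nothing
    usable came back or a name was unrecognised, instead of failing the filter."""
    extracted, unknown, missing = extract_fields(record, requested)
    out = dict(event)
    if extracted:
        out[target] = extracted
    if unknown or not extracted:
        out.setdefault("tags", []).append("_geoip_lookup_failure")
    return out, unknown, missing


if __name__ == "__main__":
    # The thread's own field lists against both database shapes.
    print(extract_fields(SAMPLE_ASN_RECORD, ["as_org", "asn"]))
    print(extract_fields(SAMPLE_ISP_RECORD,
                         ["ISP", "AUTONOMOUS_SYSTEM_NUMBER",
                          "AUTONOMOUS_SYSTEM_ORGANIZATION", "ORGANIZATION"]))
    print(enrich_event({"src_ip": "2.8.8.8"}, "resp_isp", ["asn"], SAMPLE_ASN_RECORD))
```

Running the ISP field list against the ASN-only record returns the two AS fields and lists `ISP` and `ORGANIZATION` as missing rather than raising, which is the distinction between "field not in this database" and "field name nobody knows" that a static list alone cannot make.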