Logstash using the GeoIP library to display the map and display the browser via the UserAgent (iv)

The Nginx Access log we collected through Logstash already contains the data for the client IP (REMOTE_ADDR), but only this IP is not enough, the location of the Kibana to display the requested source needs to be implemented by GEOIP database. GeoIP is the most common free IP address classification query library, but also has a pay version can be purchased. GeoIP Library can provide the corresponding geographical information according to the IP address, including country, provinces and cities, latitude and longitude, etc., it is very useful for visual map and regional statistics.

In addition GeoIP data file accuracy and GeoIP plug-in performance is a headache, the performance requirements can be seen at the @ three Doushi write JRuby call Maxmind-java test.

First, download the GEOIP database

# cd/etc/logstash/wget http://geolite.maxmind.com/download/geoip/database/ GeoLiteCity.dat.gzgzip -D GeoLiteCity.dat.gz

The Linux system Maxmind provides an GEOIP update that automatically updates the database. CentOS can install geoipupdate through the Epel source.

Modify the configuration file/etc/geoip.conf productids geolite2-city , and then directly execute geoipupdate , the database file is downloaded and verified automatically. The default database file directory is: /usr/local/share/geoip , which allows you to change the database file directory by configuration item databasedirectory/etc/logstash/ .

Second, configure the Logstash, add the GeoIP configuration in the filter

" REMOTE_ADDR "    # set the field that resolves the IP address " GeoIP "    # save GeoIP data in a field " /etc/logstash/geolitecity.dat "    # IP address Database }

The results are as follows:

"GeoIP"= {                      "IP"="112.90.16.4",           "Country_code2"="CN",           "Country_code3"="CHN",            "country_name"=" China",          "Continent_code"=" as",             "Region_name"=" -",               "City_name"="Guangzhou",                "Latitude"=23.11670000000001,               "Longitude"=113.25,                "TimeZone"="asia/chongqing",        "Real_region_name"="Guangdong",                " Location"= [            [0]113.25,            [1]23.11670000000001        ]    }

GeoIP Library data is more, if you do not need so much content, you can use the fields option to specify what you need. The following example is all optional:

GeoIP { fields= ["City_name","Continent_code","Country_code2","Country_code3","country_name","Dma_code","IP","Latitude","Longitude","Postal_Code","Region_name","TimeZone"]}

It is important to note that Geoip.location is Logstash additional data generated by latitude and longitude. So, if you want latitude and longitude and do not want to repeat the data, you need to configure in GeoIP: Remove_field = ["[geoip][latitude]", " [Geoip][longitude] "] .

Logstash display the map with the GeoIP library and display the browser via useragent (iv)