From 34e6bc1968a3136871f43a29aa407425fb273e25 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Tue, 22 Jan 2019 22:25:19 -0500
Subject: [PATCH 1/2] Perform geoip on apache error logs too

---
 .../module/apache/error/ingest/pipeline.json | 17 +++++++++++++++++
 .../apache/error/test/test.log-expected.json | 13 +++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/filebeat/module/apache/error/ingest/pipeline.json b/filebeat/module/apache/error/ingest/pipeline.json
index 4891353c5435..3e8413033688 100644
--- a/filebeat/module/apache/error/ingest/pipeline.json
+++ b/filebeat/module/apache/error/ingest/pipeline.json
@@ -27,6 +27,23 @@
 "field": "apache.error.timestamp",
 "ignore_failure": true
 }
+ },
+
+ {
+ "grok": {
+ "field": "source.address",
+ "ignore_missing": true,
+ "patterns": [
+ "^(%{IP:source.ip}|%{HOSTNAME:source.domain})$"
+ ]
+ }
+ },
+ {
+ "geoip": {
+ "field": "source.ip",
+ "target_field": "source.geo",
+ "ignore_missing": true
+ }
 }
 ],
 "on_failure" : [{
diff --git a/filebeat/module/apache/error/test/test.log-expected.json b/filebeat/module/apache/error/test/test.log-expected.json
index ee0ed3f93d87..ebd4a7bd3358 100644
--- a/filebeat/module/apache/error/test/test.log-expected.json
+++ b/filebeat/module/apache/error/test/test.log-expected.json
@@ -10,7 +10,8 @@
 "log.offset": 0,
 "message": "File does not exist: /var/www/favicon.ico",
 "service.type": "apache",
- "source.address": "192.168.33.1"
+ "source.address": "192.168.33.1",
+ "source.ip": "192.168.33.1"
 },
 {
 "@timestamp": "2016-12-26T16:15:55.103Z",
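Review bot: The new `grok` processor on `source.address` in pipeline.json carries no `ignore_failure`, unlike the `date` processor directly above it, so any client string that is neither an IP nor a bare hostname now sends the whole event down the pipeline's `on_failure` path instead of being indexed as it was before this change. The pattern is anchored `^...$`, so one extra character (a `host:port` form, an unexpected placeholder, a trailing token) is enough to miss; what the fileset's earlier grok actually leaves in `source.address` is outside the hunk, as is the body of `on_failure`. Quietly diverting error-log events on an odd client address is a detection gap, so add `"ignore_failure": true,` beside `"ignore_missing": true,` in the grok processor — a non-match then keeps the event and simply skips `source.ip` and the geoip step, which already tolerates the missing field. The empty `+` line between `},` and `{` is a stray blank that nothing else in the visible processor list has; drop it for consistency. The enclosing `processors` array starts outside the hunk.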
@@ -40,6 +41,14 @@
 "process.pid": 35708,
 "process.thread.id": 4328636416,
 "service.type": "apache",
- "source.address": "72.15.99.187"
+ "source.address": "72.15.99.187",
+ "source.geo.city_name": "Newnan",
+ "source.geo.continent_name": "North America",
+ "source.geo.country_iso_code": "US",
+ "source.geo.location.lat": 33.3734,
+ "source.geo.location.lon": -84.8541,
+ "source.geo.region_iso_code": "US-GA",
+ "source.geo.region_name": "Georgia",
+ "source.ip": "72.15.99.187"
 }
 ]
\ No newline at end of file

From f6589463e2f3174ec79e2dda34de42428ea37869 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Tue, 22 Jan 2019 22:29:53 -0500
Subject: [PATCH 2/2] Changelog

---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 88d43f80caa5..c71f45377f3d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -160,6 +160,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add support for iis 7.5 log format. {issue}9753[9753] {pull}9967[9967]
 - Add service.type field to all Modules. By default the field is set with the module name. It can be overwritten with `service.type` config. {pull}10042[10042]
 - Add support for MariaDB in the `slowlog` fileset of `mysql` module. {pull}9731[9731]
+- Apache module's error fileset now performs GeoIP lookup, like the access fileset. {pull}10273[10273]
 - Elasticsearch module's slowlog now populates `event.duration` (ECS). {pull}9293[9293]
 - HAProxy module now populates `event.duration` and `http.response.bytes` (ECS). {pull}10143[10143]
 - Teach elasticsearch/audit fileset to parse out some more fields. {issue}10134[10134] {pull}10137[10137]