Fluentd Output plugin to add information about geographical location of IP addresses with Maxmind GeoIP databases.

fluent-plugin-geoip has bundled cost-free GeoLite City database by default.
Also you can use purchased GeoIP City database (lang:ja) which costs starting from $50.

The accuracy details for GeoLite City (free) and GeoIP City (purchased) has described at the page below.


before use, install dependent library as:

# for RHEL/CentOS
$ sudo yum install geoip-devel --enablerepo=epel

# for Ubuntu/Debian
$ sudo apt-get install libgeoip-dev


install with gem or td-agent provided command as:

# for fluentd
$ gem install fluent-plugin-geoip

# for td-agent
$ sudo /usr/lib64/fluent/ruby/bin/fluent-gem install fluent-plugin-geoip

# for td-agent2
$ sudo td-agent-gem install fluent-plugin-geoip


<match access.apache>
  type geoip

  # Specify one or more geoip lookup field which has ip address (default: host)
  # in the case of accessing nested value, delimit keys by dot like 'host.ip'.
  geoip_lookup_key  host

  # Specify optional geoip database (using bundled GeoLiteCity databse by default)
  geoip_database    "/path/to/your/GeoIPCity.dat"

  # Set adding field with placeholder (more than one settings are required.)
    city            ${city["host"]}
    latitude        ${latitude["host"]}
    longitude       ${longitude["host"]}
    country_code3   ${country_code3["host"]}
    country         ${country_code["host"]}
    country_name    ${country_name["host"]}
    dma             ${dma_code["host"]}
    area            ${area_code["host"]}
    region          ${region["host"]}

  # Settings for tag
  remove_tag_prefix access.
  tag               geoip.${tag}

  # Set log_level for fluentd-v0.10.43 or earlier (default: warn)
  log_level         info

  # Set buffering time (default: 0s)
  flush_interval    1s

Tips: how to geolocate multiple key

<match access.apache>
  type geoip
  geoip_lookup_key  user1_host, user2_host
    user1_city      ${city["user1_host"]}
    user2_city      ${city["user2_host"]}
  remove_tag_prefix access.
  tag               geoip.${tag}

Advanced config samples

It is a sample to get friendly geo point recdords for elasticsearch with Yajl (JSON) parser.

<match access.apache>
  type                   geoip
  geoip_lookup_key       host
    # lat lon as properties
    # ex. {"lat" => 37.4192008972168, "lon" => -122.05740356445312 }
    location_properties  { "lat" : ${latitude["host"]}, "lon" : ${longitude["host"]} }

    # lat lon as string
    # ex. "37.4192008972168,-122.05740356445312"
    location_string      ${latitude["host"]},${longitude["host"]}

    # lat lon as array (it is useful for Kibana's bettermap.)
    # ex. [-122.05740356445312, 37.4192008972168]
    location_array       [${longitude["host"]},${latitude["host"]}]
  remove_tag_prefix      access.
  tag                    geoip.${tag}

On the case of using td-agent2 (v1-config), it have to quote { ... } or [ ... ] block with quotation like below.

<match access.apache>
  type                   geoip
  geoip_lookup_key       host
    location_properties  '{ "lat" : ${latitude["host"]}, "lon" : ${longitude["host"]} }'
    location_string      ${latitude["host"]},${longitude["host"]}
    location_array       '[${longitude["host"]},${latitude["host"]}]'
  remove_tag_prefix      access.
  tag                    geoip.${tag}



  type forward

<match test.geoip>
  type copy
    type stdout
    type    geoip
    geoip_lookup_key  host
      city  ${city["host"]}
      lat   ${latitude["host"]}
      lon   ${longitude["host"]}
    remove_tag_prefix test.
    tag     debug.${tag}

<match debug.**>
  type stdout


# forward record with Google's ip address.
$ echo '{"host":"","message":"test"}' | fluent-cat test.geoip

# check the result at stdout
$ tail /var/log/td-agent/td-agent.log
2013-08-04 16:21:32 +0900 test.geoip: {"host":"","message":"test"}
2013-08-04 16:21:32 +0900 debug.geoip: {"host":"","message":"test","city":"Mountain View","lat":37.4192008972168,"lon":-122.05740356445312}

For more details of geoip data format is described at the page below in section GeoIP City Edition CSV Database Fields.


Provides these placeholders for adding field of geolocate results.

  • $city[lookup_field]
  • $latitude[lookup_field]
  • $longitude[lookup_field]
  • $country_code3[lookup_field]
  • $country_code[lookup_field]
  • $country_name[lookup_field]
  • $dma_code[lookup_field]
  • $area_code[lookup_field]
  • $region[lookup_field]


  • include_tag_key (default: false)
  • tag_key

Add original tag name into filtered record using SetTagKeyMixin.
Further details are written at http://docs.fluentd.org/articles/in_exec

  • remove_tag_prefix
  • remove_tag_suffix
  • add_tag_prefix
  • add_tag_suffix

Set one or more option are required unless using tag option for editing tag name. (HandleTagNameMixin feature)

  • tag

On using this option with tag placeholder like tag geoip.${tag} (test code is available at test_out_geoip.rb), it will be overwrite after these options affected. which are remove_tag_prefix, remove_tag_suffix, add_tag_prefix and add_tag_suffix.

  • flush_interval (default: 0 sec)

Set buffering time to execute bulk lookup geoip.



Copyright (c) 2013- Kentaro Yoshida (@yoshi_ken)


Apache License, Version 2.0

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com.