Add map to ELK with pfsense


(mega_robo) #1

I use ELK (Logstash 1.4 and Kibana 3) and pfSense.
My ELK works very well and shows a map of IPs blocked, by country.
I want to add a map like this, but showing the countries of passed IPs.
Is it possible, and which configuration do I need to edit?
I used this tutorial for the full install:
http://www.mediafire.com/view/j25mbohmmxvt7g4/Installing_ELK_on_Lubuntu_15.0.4_ON_HYPER-V.docx

Can anyone help?


(Mark Walkom) #2

Can you explain this a little more?


(mega_robo) #3

@warkolm thanks for replying.
See this picture:

I have a map for IPs blocked by country; I need to add a map that shows IPs passed, by country.
I added a map configured like my other map, but it's not working.
This is my 11-pfsense.conf:

filter {
  if "PFSense" in [tags] {
    grok {
      add_tag => [ "firewall" ]
      # Named captures (?<name>...): the angle-bracketed names were dropped when the
      # config was pasted. datetime, prog and msg are the names the rest of this
      # filter refers to; evtid (the syslog priority) is an assumed name for the first group.
      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
    }
    mutate {
      # syslog pads single-digit days with two spaces ("Jun  5"); collapse to one
      gsub => [ "datetime", "  ", " " ]
    }
    date {
      match => [ "datetime", "MMM dd HH:mm:ss" ]
    }
    mutate {
      replace => [ "message", "%{msg}" ]
    }
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
  }
  if [prog] =~ /^filterlog$/ {
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
    grok {
      # LOG_DATA, IP_SPECIFIC_DATA, IP_DATA and PROTOCOL_DATA are custom patterns
      # loaded from patterns_dir; they split the filterlog CSV into fields such as src_ip
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "%{LOG_DATA}%{IP_SPECIFIC_DATA}%{IP_DATA}%{PROTOCOL_DATA}" ]
    }
    mutate {
      lowercase => [ 'proto' ]
    }
    # geoip runs on every filterlog event that has src_ip, pass or block alike;
    # the "GeoIP" tag is only added when the lookup succeeds
    geoip {
      add_tag => [ "GeoIP" ]
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # adding the same field twice builds the [lon, lat] array Kibana's map panel expects
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
  }
}

My ELK works, but GeoIP shows just blocked IPs; I want to see blocked or passed IPs on the map.


(mega_robo) #4

Nobody can help?


(Mark Walkom) #5

Do some of the passed events exist in Elasticsearch?


(mega_robo) #6

I don't understand what that means?!
I see pass events in my firewall and I see them in ELK.


(Mark Walkom) #7

It looks like your dashboard has been built around blocked events; what are the queries/filters you have applied?
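As an added illustration (not code from this thread or from pfSense/Logstash), here is a small Python parser for the filterlog lines that the config in post #3 feeds into geoip. It shows that pass and block entries carry the source IP in the same column, so the geoip filter enriches both kinds of event; what decides which IPs a Kibana 3 map panel draws is the panel's own query, which is the point raised in post #7. The syslog header regex mirrors the grok in post #3. The filterlog column layout (pfSense 2.2+ CSV, IPv4 rows) and the `action` field name are assumptions, since the custom %{LOG_DATA} pattern is not on the page; the sample lines are constructed and use RFC 5737 documentation addresses.

```python
"""Parse pfSense filterlog syslog lines and group source IPs by firewall action."""
import csv
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real traffic), shaped like what pfSense sends.
SAMPLE_LINES = [
    '<134>Jun  5 10:12:01 filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,443,0,S,1234567:1234567,,64240,,mss',
    '<134>Jun  5 10:12:02 filterlog: 9,,,1000000107,em0,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.5,40002,22,0,S,7654321:7654321,,65535,,mss',
    '<134>Jun  5 10:12:03 filterlog: 9,,,1000000107,em0,match,pass,in,4,0x0,,64,0,0,none,17,udp,78,203.0.113.9,198.51.100.5,5353,5353,58',
    '<134>Jun  5 10:12:04 sshd: Accepted password for admin from 203.0.113.50',
]

# Syslog header, mirroring the grok in the thread: <evtid>datetime prog: msg
SYSLOG_RE = re.compile(
    r'^<(?P<evtid>\d+)>(?P<datetime>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<prog>.*?): (?P<msg>.*)$'
)

# Column positions in the filterlog CSV body for IPv4 packets.
# ASSUMPTION: pfSense 2.2+ layout (rule,subrule,anchor,tracker,if,reason,action,dir,ipver,...).
F_ACTION, F_IPVER, F_PROTO, F_SRC, F_DST = 6, 8, 16, 18, 19


def parse_line(line):
    """Return {'action','proto','src_ip','dst_ip'} for an IPv4 filterlog line, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group('prog') != 'filterlog':
        return None  # same gate as the `if [prog] =~ /^filterlog$/` block
    fields = next(csv.reader([m.group('msg')]))
    if len(fields) <= F_DST or fields[F_IPVER] != '4':
        return None  # IPv6 rows use a different column layout; not handled here
    try:
        src = str(ipaddress.ip_address(fields[F_SRC]))
        dst = str(ipaddress.ip_address(fields[F_DST]))
    except ValueError:
        return None  # malformed address: do not feed garbage to a geoip lookup
    return {
        'action': fields[F_ACTION],
        'proto': fields[F_PROTO].lower(),  # matches the `lowercase => ['proto']` step
        'src_ip': src,
        'dst_ip': dst,
    }


def sources_by_action(lines):
    """Group source IPs by action: both 'pass' and 'block' yield a src_ip for geoip."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            groups[event['action']].append(event['src_ip'])
    return dict(groups)


def map_panel_query(action):
    """Lucene query for a Kibana 3 map panel restricted to one action.

    Uses the "GeoIP" tag the thread's geoip filter adds on a successful lookup;
    the field name `action` is ASSUMED to be what %{LOG_DATA} produces.
    """
    return 'tags:"GeoIP" AND action:"%s"' % action


if __name__ == '__main__':
    for action, ips in sources_by_action(SAMPLE_LINES).items():
        print(action, ips, '->', map_panel_query(action))
```

Run against the constructed lines, the block event and the two pass events all produce a source address, so a second map panel only needs its query set to the pass action rather than any change to the Logstash filter.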

