Auditbeat IP metadata missing

mozam · August 7, 2020, 11:22am

Hello,

I'm using the below pipeline to index data to Elasticsearch (Elastic 7.8.0 is used).

Auditbeat -> Logstash -> Elasticsearch

Using the below mutate filter I'm able to copy the IP address from metadata to a new field called test.ip which is working fine.

	mutate {
		copy => {"[@metadata][ip_address]" => "[test][ip]"}
	}

But, when I introduced a Kafka into the pipeline as shown below.

Auditbeat -> Kafka -> Logstash -> Elasticsearch

I'm not getting the IP address in test.ip field, instead my metadata field contains only below fields.

"@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "7.8.0"
  }

The ip_address from metadata field exist only if the pipeline is Auditbeat -> Logstash ?
How I can capture the host ip address, since my Auditbeat -> Elasticsearch pipeline data does not contain my public ip for geo ip informations ?

system · September 4, 2020, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat not getting the host's public address Beats auditbeat	4	695	September 1, 2020
Need help in sending Geo Ip data from beats through logstash Beats	1	260	July 24, 2020
Beat meta info how to show ip? Beats	5	897	July 5, 2017
IP address in filebeat Beats	4	3996	July 3, 2018
Search for IP address does not return results Kibana docker	7	2965	May 25, 2020

Auditbeat IP metadata missing

Related topics