Auditbeat not getting the host's public address

Beats and Elasticsearch Version 7.8.0

We have 50+ sources in which auditbeat version 7.8.0 is installed. The OS used is predominantly Windows in all these sources.
These 50+ sources are sending the logs directly to a 2 node Elasticsearch cluster (there is no Kafka-Logstash pipeline involved in between beats and the ES cluster).
Now I have the following setup configured in my auditbeat.yml
output.elasticsearch.pipeline: geoip-info
Also the pipeline processor named geoip-info exists in the cluster.
Now my issue is that I can see host.ip fields populated for all the machines in most of the documents. But they are not the public IPs, they are just the private IPs.
But to make things complex, for some hosts, the public IPs are being captured by the auditbeat.
My requirement is to get the geographic location by using the IP addresses.
Is this the expected behaviour? If yes, this method of getting geo information is inconsistent, and I would like to know what alternatives I can employ here.

Can anyone comment on this?

Btw, I tried all the other beats too, other than Auditbeat, just to make sure that this is not an Auditbeat specific issue.

Are those public IPs directly assigned to an interface in your Windows box? Do they show up when you run ipconfig /all?

@adrisr
I don't think it's shown.
This is the output of ipconfig /all for one of the machines which is not showing its public IP in the auditbeat data (host.ip field should ideally contain it. But to make sure, I checked that along with "source.ip" and "destination.ip" too)

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-7O6TOJT
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
   Physical Address. . . . . . . . . : 8C-16-45-CE-7F-8B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter VirtualBox Host-Only Network:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 0A-00-27-00-00-10
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::307b:d6b1:9f06:cebe%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 688521255
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-AF-16-AE-8C-16-45-CE-7F-8B
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 1:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 32-D1-6B-E5-66-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 42-D1-6B-E5-66-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Qualcomm Atheros QCA9377 Wireless Network Adapter
   Physical Address. . . . . . . . . : 30-D1-6B-E5-66-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::75d7:12b1:8d96:af03%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 04 August 2020 07:01:06
   Lease Expires . . . . . . . . . . : 05 August 2020 07:01:40
   Default Gateway . . . . . . . . . : fe80::1%7
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 87085419
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-AF-16-AE-8C-16-45-CE-7F-8B
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
   Secondary WINS Server . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 30-D1-6B-E5-66-70
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

The strange thing is that, for some machines the public IPs are captured and for some they are not.

Btw, this is not restricted to "auditbeat". I tried installing "packetbeat" and "winlogbeat" too. Results are the same.

Btw my intention is to gather geo information from the public IPs provided from the auditbeat/packetbeat/winlogbeat.

@curiousmind Beats will only add to host.ip the addresses that are assigned to your interfaces. That's the same addresses that show up in ipconfig /all. In the above case you'll get:

"host.ip": [
  "192.168.56.1",
  "192.168.1.4"
]

(Maybe also fe80::307b:d6b1:9f06:cebe%16 and fe80::1%7, I'm not sure if link-local IPv6 are added or not).

If by public IPs you mean an address that is added after NAT by some outside router, then Beats cannot possibly know about this address.
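An added example (not from this thread or from Beats itself) that walks through what the reply above describes: it pulls the interface-assigned addresses out of a constructed ipconfig /all excerpt, which is the set Beats would put in host.ip, and then checks which of them a GeoIP lookup could actually locate. The function names and the sample text are mine; whether Beats includes link-local IPv6 addresses is left open above, so the parser keeps them and lets the caller decide.

```python
import ipaddress
import re

# Constructed sample: an abridged ipconfig /all excerpt in the same shape as
# the one quoted in the thread (two adapters, private IPv4 plus link-local IPv6).
IPCONFIG_SAMPLE = """\
Ethernet adapter VirtualBox Host-Only Network:

   Link-local IPv6 Address . . . . . : fe80::307b:d6b1:9f06:cebe%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Wireless LAN adapter Wi-Fi:

   Link-local IPv6 Address . . . . . : fe80::75d7:12b1:8d96:af03%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Only address lines count; gateways, masks and DNS servers are not host.ip material.
ADDR_LINE = re.compile(
    r"^\s+(IPv4 Address|IPv6 Address|Link-local IPv6 Address)[ .]*: (\S+)"
)


def interface_addresses(ipconfig_text):
    """Return the addresses assigned to interfaces, i.e. what Beats puts in host.ip."""
    found = []
    for line in ipconfig_text.splitlines():
        m = ADDR_LINE.match(line)
        if not m:
            continue
        raw = m.group(2).replace("(Preferred)", "")
        raw = raw.split("%")[0]  # drop the Windows zone index, e.g. %16
        found.append(raw)
    return found


def geoip_resolvable(addresses):
    """Split host.ip candidates into ones a GeoIP database can locate and ones it cannot.

    RFC 1918, link-local and loopback ranges are not globally routable, so a geoip
    ingest processor has nothing to look up for them; that is why a host whose only
    addresses come from NAT-ed networks yields no geo fields.
    """
    public, non_public = [], []
    for a in addresses:
        (public if ipaddress.ip_address(a).is_global else non_public).append(a)
    return public, non_public


if __name__ == "__main__":
    addrs = interface_addresses(IPCONFIG_SAMPLE)
    print("host.ip would be:", addrs)
    print("geoip can resolve:", geoip_resolvable(addrs)[0])
```

Run against the excerpt, every address lands in the non-public list, which matches the reply: the NAT-side public address is simply not present on any interface for Beats to report.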
