Coaxing geoip data from logstash

ethrbunny · December 3, 2018, 12:41pm

I have logstash setup to convert ip -> geoip. Im getting latitude/longitude coordinates from apache2/filebeat now. What I don't seem to have is whatever is required to create a visualization from this data.

I've read through various posts on this (here and here) but haven't yet found the secret sauce to make kibana happy yet.

Relevant entry from logstash:

geoip {
    source => "clientip"
}

mutate {
  convert => { "[geoip][longitude]" => "float" }
  convert => { "[geoip][latitude]" => "float" }
}
mutate {
  rename => {
    "[geoip][longitude]" => "[location][lon]"
    "[geoip][latitude]" => "[location][lat]"
  }
}

So now Im getting [geoip][location][lon]/[lat] in my data with type "float". How do I get this saved (consistentl) as "geoip"?

ethrbunny · December 7, 2018, 12:33pm

Some additional info: Im trying to parse apache2 logs to see who is abusing / probing it. Ive got the files parsed out using logstash and can see the geoip.[country|region|etc] fields in the 'discover' window in kibana.

The logs are parsed into a new index "apache2-*". This is probably where my issues begin. I don't have a template defined for this and am not sure how to create one.

system · January 4, 2019, 12:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.