Configuring GeoIP information in Logstash for Kibana SIEM Network Map

Hello All,

I am working with a previous ELK stack that was setup to just use beats to go to Elasticsearch. I have upgraded he cluster and now using Logstash. Previously the SIEM Network Map worked because a "geoip-info" pipeline was created in the beats, and then the geoip-info ingestion was created in ES (identical to the example in the documentation")

But, now with Logstash, this doesn't work anymore. Of course, I have to remove pipeline: geoip-info from the beats setup, and we are ingesting data and that is working.

I turned on Logstash geo-ip filter, but in discovery, lots of fields are missing including the geo related ones.

How do I capture geo-ip info from the beats and make it go through Logstash to my indexes? (filebeat-, auditbeat-) and will show up in the SIEM network map?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.