Could not locate that index-pattern-field (id: geoip.location)

Hi,

Since I updated to Version 6.1.1 (Logstash, Elasticsearch, Kibana) I receive the following error. I searched today and read a few things about that.

I have the following lines in: 11-pfsense.conf

geoip {
  add_tag => [ "GeoIP" ]
  source => "src_ip"
  # Optional GeoIP database
  # Comment out the below if you do not wish to utilize it and omit the last three steps dealing with the (recommended) suffix
  database => "/etc/logstash/GeoLite2-City.mmdb"
}

I receive this output in Kibana:

{
  "_index": "logstash-2018.03.25",
  "_type": "doc",
  "_id": "0iNfXmIB3glQha35s4iQ",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2018-03-25T18:15:52.000Z",
    "reason": "match",
    "dest_ip": "192.168.0.20",
    "action": "pass",
    "id": "48297",
    "ip_ver": "4",
    "host": "192.168.0.1",
    "proto_id": "6",
    "ttl": "55",
    "tags": [
      "PFSense",
      "firewall",
      "GeoIP"
    ],
    "type": "syslog",
    "dest_port": "XX881",
    "evtid": "134",
    "prog": "filterlog",
    "length": "60",
    "geoip": {
      "location": {
        "lon": 2.3387000000000002,
        "lat": 48.8582
      },
      "timezone": "Europe/Paris",
      "ip": "62.210.209.49",
      "country_name": "France",
      "continent_code": "EU",
      "country_code3": "FR",
      "latitude": 48.8582,
      "longitude": 2.3387000000000002,
      "country_code2": "FR"
    },
    "tracker": "1459961264",
    "proto": "tcp",
    "message": "93,,,1459961264,em0,match,pass,in,4,0x0,,55,48297,0,DF,6,tcp,60,XX.210.209.49,192.168.0.20,XX876,16881,0,S,74249952,,29200,,mss;sackOK;TS;nop;wscale",
    "@version": "1",
    "rule": "93",
    "src_ip": "XX.210.209.49",
    "src_port": "XX876",
    "data_length": "0",
    "iface": "em0",
    "tos": "0x0",
    "direction": "in",
    "flags": "DF",
    "offset": "0"
  },
  "fields": {
    "@timestamp": [
      "2018-03-25T18:15:52.000Z"
    ]
  },
  "sort": [
    1522001752000
  ]
}

Why do I receive a geoip.location error in the Heatmap? I don't have a field in the index which is named geoip.location. How can I create that?

Nobody any idea? I would appreciate every idea which could help.

What does your mapping for that index look like? Do you perhaps have an error in an index template or mapping for an older index?

Hi Christian,

Thanks for your reply. I have already deleted all old indices. It's not a problem because it's just for me at home.

Here is my index from yesterday. I hope this helps you. I also have another index (winlogbeat) but this one shouldn't be the problem. All of the information I need is from Logstash indices.
I had to use pastebin because it's very long.

https://pastebin.com/fYeQFeKt

Your mapping for the geoip.location field is incorrect. You need to specify this through an index template as this can not be identified through dynamic mapping. Look at the default Logstash template as an example.

You're right, that was the problem. I deleted the mapping in Kibana and added a new one, actually the one from Elasticsearch 7.
The mapping for Elasticsearch 6 includes default fields and those are not allowed anymore. So this default Logstash template is not a good example. I have the same problem with the template for Winlogbeat.

So the base question:
which default logstash template should I use for 6.2 or 6.1?
which default logstash template for winlogbeat should I use for 6.2 or 6.1?

I think this mapping is a little bit confusing and not so easy to handle. I'm probably too stupid to add the template via: https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html#load-template-manually because I always do that via Kibana DevTools. It's probably the dirtiest way to handle that?
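For the index-template fix Christian describes above and the Kibana Dev Tools question that follows, here is an added example of a minimal 6.x template body (not taken from this thread or from the Logstash distribution), sent as `PUT _template/logstash` from Dev Tools. It assumes the `logstash-*` index pattern and the `doc` mapping type shown in the document above; the geoip field names come from the GeoIP filter output in the thread, and `geoip.location` is declared as `geo_point`, the type that dynamic mapping cannot infer from a `{lon, lat}` object.

```json
{
  "index_patterns": ["logstash-*"],
  "version": 1,
  "settings": {
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "doc": {
      "dynamic_templates": [
        {
          "string_fields": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "text",
              "norms": false,
              "fields": {
                "keyword": { "type": "keyword", "ignore_above": 256 }
              }
            }
          }
        }
      ],
      "properties": {
        "@timestamp": { "type": "date" },
        "@version":   { "type": "keyword" },
        "geoip": {
          "dynamic": true,
          "properties": {
            "ip":        { "type": "ip" },
            "location":  { "type": "geo_point" },
            "latitude":  { "type": "half_float" },
            "longitude": { "type": "half_float" }
          }
        }
      }
    }
  }
}
```

A template only applies to indices created after it is installed, so an existing daily index such as `logstash-2018.03.25` has to be deleted or reindexed before the heatmap sees a geo_point. Fields not listed under `properties` fall back to the string dynamic template, so the other pfSense fields keep working as before.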
