Custom template for logstash

My custom logs are sent from filebeat (ingest pipeline) -> logstash -> elasticsearch. Now I need to make a custom index for retention period purposes. When I try the custom index, my geo_ip is not mapped to the correct one.

Logstash output pipeline

elasticsearch {
  hosts => ["http://ese0001:9200"]
  index => "ftppipelinefields-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  pipeline => "%{[@metadata][pipeline]}"
}

If I don't use the index setting then it's using the filebeat template and the geo_ip filter is working fine. Now what is the solution for this?

  1. New template and use the template parameter?
  2. mutate filter?

If your problem is that [geoip][location] is not a geo_point then yes, you need to supply a template that matches your index name that tells ES that it should be.

How do I create a template?

My current mapping:

 "properties": {
      "ftp": {
        "properties": {
          "vsftpd": {
            "properties": {
              "eventtime": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "eventyear": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "sylogpid": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "username": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "loginstatus": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "action": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "hostname": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "day": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "clientip": {
                "type": "keyword",
                "ignore_above": 1024
              },
              "filename": {
                "ignore_above": 1024,
                "type": "keyword"
              },
              "filesize": {
                "type": "long"
              },
              "clientgeoip": {
                "properties": {
                  "location": {
                    "type": "geo_point"
                  },
                  "region_name": {
                    "type": "keyword",
                    "ignore_above": 1024
                  },
                  "city_name": {
                    "type": "keyword",
                    "ignore_above": 1024
                  },
                  "continent_name": {
                    "type": "keyword",
                    "ignore_above": 1024
                  },
                  "country_iso_code": {
                    "type": "keyword",
                    "ignore_above": 1024
                  }
                }
              }
            }
          }
        }
      }
 }

The default template can be found here. You could edit the second line and merge that into any other template you want to use.
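The point made in the thread, that a template only applies when its pattern matches the index name, can be checked offline before changing the Logstash output. The following is an added example, not code from the thread or from Elastic; the template contents, the `filebeat-*` pattern, the legacy `index_patterns`/`order` template shape and the rendered index name are constructed assumptions.

```python
import re

FIELD = "ftp.vsftpd.clientgeoip.location"  # field path from the mapping in the thread

# Constructed sample data, legacy _template shape (index_patterns + order, typeless
# mappings). The "filebeat-*" pattern is an assumption, not taken from the thread.
GEO = {"properties": {"ftp": {"properties": {"vsftpd": {"properties": {
    "clientgeoip": {"properties": {"location": {"type": "geo_point"}}}}}}}}}
TEMPLATES = {
    "filebeat": {"index_patterns": ["filebeat-*"], "order": 1, "mappings": GEO},
    "ftppipelinefields": {"index_patterns": ["ftppipelinefields-*"], "order": 1,
                          "mappings": GEO},
}

def pattern_matches(pattern, index_name):
    """Template patterns use only '*' as a wildcard; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None

def matching_templates(index_name, templates):
    """Names of the templates that apply to index_name, lowest order first."""
    hits = [(t.get("order", 0), name) for name, t in templates.items()
            if any(pattern_matches(p, index_name) for p in t["index_patterns"])]
    return [name for _, name in sorted(hits)]

def field_type(mappings, path):
    """Walk a dotted path through nested 'properties'; None if the field is unmapped."""
    node = mappings
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")

def effective_type(index_name, templates, path=FIELD):
    """Type the templates assign to path; None means dynamic mapping decides."""
    result = None
    for name in matching_templates(index_name, templates):
        found = field_type(templates[name].get("mappings", {}), path)
        if found is not None:
            result = found  # a higher-order template overrides a lower one
    return result

if __name__ == "__main__":
    index = "ftppipelinefields-7.0.0-2019.05.01"  # constructed rendering of the index setting
    print(effective_type(index, {"filebeat": TEMPLATES["filebeat"]}))
    print(effective_type(index, TEMPLATES))
```

With only the Filebeat-style template installed, the custom index name matches nothing and the location field is left to dynamic mapping; once a template with a matching pattern exists, the field resolves to `geo_point`.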