Displaying custom data into the SIEM map

ElasticLiver · March 19, 2021, 1:32am

Hi im trying to display data in the SIEM map, using ECS, Im getting the data from a database using logstash JDBC

this is the template for the index

PUT _template/ecs
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "destination.geo": {
        "type": "geo_point"
      },
      "source.geo": {
        "type": "geo_point"
      }
    }
  },
  "index_patterns": [
    "ecs-*"
  ]
}

and this is what I have tried to do in logstash to set the fields

add_field => { "[source][geo][location][lat]" => "%{src_lat}"}}
add_field => { "[source][geo][location][lon]" => "%{src_long}"}}
add_field => { "[destination][geo][location][lat]" => "%{dest_lat}"}}
 add_field => { "[destination][geo][location][lon]" => "%{dest_long}"}}

and logstash gives me this error: "field must be either [lat], [lon] or [geohash]"

I also tried to put this as a string in the pipeline:

add_field => { "[destination][geo][location]" => "%{dest_lat}, %{dest_long}"}}}

and as an array:

add_field => { "[destination][geo][location]" => ["%{dest_lat}", "%{dest_long}"]}}

but all of the above gives me te error "field must be either [lat], [lon] or [geohash]"

how can i solve this?

system · April 16, 2021, 1:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM Custom Data Logstash	2	309	November 18, 2019
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	754	March 2, 2021
Geo point for new ECS mapped Geo fields using JDBC Logstash	7	387	May 31, 2021
Elasticsearch Mapping to ECS Elasticsearch	1	340	November 2, 2020
Elastic Common Schema and Logstash and Ingest node processing tagging Logstash ecs-elastic-common-schema	3	458	November 29, 2019

Displaying custom data into the SIEM map

Related topics