Displaying custom data into the SIEM map

ElasticLiver · March 19, 2021, 1:32am

Hi im trying to display data in the SIEM map, using ECS, Im getting the data from a database using logstash JDBC

this is the template for the index

PUT _template/ecs
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "destination.geo": {
        "type": "geo_point"
      },
      "source.geo": {
        "type": "geo_point"
      }
    }
  },
  "index_patterns": [
    "ecs-*"
  ]
}

and this is what I have tried to do in logstash to set the fields

add_field => { "[source][geo][location][lat]" => "%{src_lat}"}}
add_field => { "[source][geo][location][lon]" => "%{src_long}"}}
add_field => { "[destination][geo][location][lat]" => "%{dest_lat}"}}
 add_field => { "[destination][geo][location][lon]" => "%{dest_long}"}}

and logstash gives me this error: "field must be either [lat], [lon] or [geohash]"

I also tried to put this as a string in the pipeline:

add_field => { "[destination][geo][location]" => "%{dest_lat}, %{dest_long}"}}}

and as an array:

add_field => { "[destination][geo][location]" => ["%{dest_lat}", "%{dest_long}"]}}

but all of the above gives me te error "field must be either [lat], [lon] or [geohash]"

how can i solve this?

system · April 16, 2021, 1:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	746	March 2, 2021
Geo point for new ECS mapped Geo fields using JDBC Logstash	7	386	May 31, 2021
Elasticsearch Mapping to ECS Elasticsearch	1	339	November 2, 2020
Unable to create geo points Logstash	3	310	May 10, 2022
Kibana SIEM application is not displaying proper AS and GeoIP fields SIEM	1	298	April 14, 2020

Displaying custom data into the SIEM map

Related Topics