Hello,
I would like to obtain the geolocation of IP addresses using Filebeat and Elasticsearch. To sort the IP addresses, I am using a "dissect" schema as follows:
```yaml
- dissect:
    tokenizer: '%{+MMM d HH:mm:ss} %{nextcloud.host} %{nextcloud.hostname}[%{nextcloud.process_id}]: {"reqId":"%{nextcloud.reqId}","level":%{nextcloud.level},"time":"%{nextcloud.time}","remoteAddr":"%{nextcloud.IP}","user":"%{nextcloud.user}","app":"%{nextcloud.app}","method":"%{nextcloud.method}","url":"%{nextcloud.url}","message":"%{nextcloud.fileMessage}","userAgent":"%{nextcloud.userAgent}","version":"%{nextcloud.version}","data":{"app":"%{nextcloud.dataApp}"}'
```
I would like to obtain the geolocation of the "nextcloud.IP" variable in the "dissect" schema, but I don't understand how to enrich the IP addresses. I have looked at this documentation, but it hasn't provided me with concrete solutions: Enrich events with geoIP information
Thank you for your help.
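
For the setup described in the post above, one way to do the enrichment is an Elasticsearch ingest pipeline with a `geoip` processor, shown here as an added example that is not part of the original post. It assumes the dissected address ends up in `dissect.nextcloud.IP` (the dissect processor's default `target_prefix` is `dissect`); the pipeline name `nextcloud-geoip`, the target field `nextcloud.geo` and the sample address are hypothetical.

```console
# Added example. Assumptions: the pipeline name "nextcloud-geoip" and the
# target field "nextcloud.geo" are hypothetical; the source field is
# "dissect.nextcloud.IP" because no target_prefix is set in the dissect config.
PUT _ingest/pipeline/nextcloud-geoip
{
  "description": "Add geolocation for the Nextcloud remoteAddr field",
  "processors": [
    {
      "geoip": {
        "field": "dissect.nextcloud.IP",
        "target_field": "nextcloud.geo",
        "ignore_missing": true
      }
    }
  ]
}

# Check the pipeline against a constructed sample document before wiring it
# into Filebeat. Private or unroutable addresses produce no geo fields.
POST _ingest/pipeline/nextcloud-geoip/_simulate
{
  "docs": [
    {
      "_source": {
        "dissect": {
          "nextcloud": {
            "IP": "8.8.8.8"
          }
        }
      }
    }
  ]
}
```

Filebeat sends events through the pipeline once `pipeline: nextcloud-geoip` is set under `output.elasticsearch` in `filebeat.yml`. To plot the result on a Kibana map, `nextcloud.geo.location` has to be mapped as `geo_point` in the index template, since only the default `geoip.location` path is mapped that way by the Beats templates.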