Field geoip.location not created in index winlogbeat-*

Edouard_Fazenda · April 26, 2018, 11:49am

Dear Community,

I have put in place in my ELK Stack the collect of Windows Security Logs with the beat agent winlogbeat, this is working but now i want to create a coordinate or region map using geoip,

I put in my logstash configuration for beats the following :

filter {
    geoip {
        source => "[event_data][IpAddress]"
    }
}

Updating my winlogbeat-* template to support geoip

Following this documentation : https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat

But unfortunatly i have the fields geoip.location.lat and geoip.location.lon but no geoip.location field of type geo_ip

Did I miss something ?

Thanks in advance.

Best Regards, Edouard Fazenda.

Igor_Motov · May 4, 2018, 3:23pm

@Edouard_Fazenda did you follow the part of Monitoring Windows Logons with Winlogbeat | Elastic Blog that starts with

And because we are indexing a new field in our events we need to enhance the Elasticserach index template used for the Winlogbeat data. Install this template to Elasticsearch before indexing events containing the geoip fields.

If you didn't, you will need to recreate this index or use another field. It looks like the geoip field is already mapped improperly, so you cannot fix it on existing index.

system · June 1, 2018, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.