Field geoip.location not created in index winlogbeat-*

Edouard_Fazenda · April 26, 2018, 11:49am

Dear Community,

I have put in place in my ELK Stack the collect of Windows Security Logs with the beat agent winlogbeat, this is working but now i want to create a coordinate or region map using geoip,

I put in my logstash configuration for beats the following :

filter {
    geoip {
        source => "[event_data][IpAddress]"
    }
}

Updating my winlogbeat-* template to support geoip

Following this documentation : https://www.elastic.co/blog/monitoring-windows-logons-with-winlogbeat

But unfortunatly i have the fields geoip.location.lat and geoip.location.lon but no geoip.location field of type geo_ip

Did I miss something ?

Thanks in advance.

Best Regards, Edouard Fazenda.

Igor_Motov · May 4, 2018, 3:23pm

@Edouard_Fazenda did you follow the part of Monitoring Windows Logons with Winlogbeat | Elastic Blog that starts with

And because we are indexing a new field in our events we need to enhance the Elasticserach index template used for the Winlogbeat data. Install this template to Elasticsearch before indexing events containing the geoip fields.

If you didn't, you will need to recreate this index or use another field. It looks like the geoip field is already mapped improperly, so you cannot fix it on existing index.

system · June 1, 2018, 3:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat fails to add geotags Logstash	2	488	August 24, 2018
Unable to add geo_point mapping with sub lat/lon properties Elasticsearch	10	1556	September 16, 2019
Visualize Map Problems Kibana	7	1338	July 6, 2017
Geoip.location not being created Elasticsearch	9	2606	January 8, 2018
Geoip property into filebeat index template - help Elasticsearch	1	461	January 6, 2020

Field geoip.location not created in index winlogbeat-*

Related topics