Hi!
I'm configuring an ELK with filebeat and Suricata (IDS).
By default, I set up my template like this:
filebeat setup -e -E output.logstash.enabled=false -E "output.elasticsearch.hosts=['localhost:9200']" -E setup.kibana.host=localhost
(It breaks otherwise)
I also added a filter in my /etc/logstash/conf.d/logstash.conf
filter { geoip { source => "[json][src_ip]" } } # I don't know why logstash puts my eve.json data into a json named "json"
I get my geoip data, but no coordinates:
I can see my template by requesting this in the dev tool.
GET /_template/filebeat-7.1.1
Is my config messed up, or does filebeat not have a geoip config in its template by default?
I'm pretty new to the elastic environment, please be gentle ahah, it took me a very long time to understand how everything works together. I just want geo_point on my data!
I also find it weird that the filebeat template has so much data, 1552 fields to be precise (seen on my index pattern).
Thanks in advance.
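A coordinate only becomes a map-capable geo_point when the index template maps the exact field the geoip filter writes to. The Logstash 7.x geoip filter writes its coordinates to `<target>.location` and defaults `target` to `geoip`, whereas the Filebeat 7.x template declares geo_point under the ECS paths `source.geo.location` and `destination.geo.location`; a field that is not in the template falls through to dynamic mapping and is stored as plain numbers. The script below is an added example, not code from the original post or from Elastic: it walks the JSON that `GET /_template/filebeat-7.1.1` returns, lists every geo_point field, and reports whether a given geoip `target` lands on one. The template embedded here is a constructed, heavily trimmed stand-in for the real one (the ECS geo fields are assumed to match Filebeat's layout); the helper names are the author's own.

```python
"""Check which fields an Elasticsearch index template maps as geo_point,
and whether a Logstash geoip filter's target field lands on one of them."""
import json

# Constructed, trimmed-down stand-in for what GET /_template/filebeat-7.1.1
# returns. The real template has ~1500 fields; only the parts relevant to
# geo mappings are kept. The source/destination.geo.location geo_point
# fields follow the ECS layout Filebeat templates use (assumption).
SAMPLE_TEMPLATE = json.loads("""
{
  "filebeat-7.1.1": {
    "order": 1,
    "index_patterns": ["filebeat-7.1.1-*"],
    "settings": {"index": {"mapping": {"total_fields": {"limit": 10000}}}},
    "mappings": {
      "dynamic_templates": [
        {"strings_as_keyword": {"mapping": {"ignore_above": 1024, "type": "keyword"},
                                "match_mapping_type": "string"}}
      ],
      "properties": {
        "@timestamp": {"type": "date"},
        "source": {"properties": {
          "ip": {"type": "ip"},
          "geo": {"properties": {
            "city_name": {"type": "keyword", "ignore_above": 1024},
            "country_name": {"type": "keyword", "ignore_above": 1024},
            "location": {"type": "geo_point"}}}}},
        "destination": {"properties": {
          "ip": {"type": "ip"},
          "geo": {"properties": {"location": {"type": "geo_point"}}}}},
        "suricata": {"properties": {"eve": {"properties": {
          "src_ip": {"type": "ip"}}}}}
      }
    }
  }
}
""")


def geo_point_fields(template):
    """Return the sorted dotted paths of every field mapped as geo_point.

    Accepts the full GET /_template/<name> response (one or more templates)
    and tolerates both 7.x mapping layouts: "mappings.properties" directly,
    or a legacy type wrapper such as "mappings._doc.properties".
    """
    found = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        if node.get("type") == "geo_point":
            found.append(".".join(path))
        props = node.get("properties")
        if isinstance(props, dict):
            for name, child in props.items():
                walk(child, path + [name])
        # "fields" holds multi-fields (e.g. text + keyword); descend as well
        for name, child in node.get("fields", {}).items():
            walk(child, path + [name])

    for tmpl in template.values():
        mappings = tmpl.get("mappings", {})
        if "properties" in mappings:
            walk(mappings, [])
        else:  # legacy layout: mappings -> {type_name: {properties: ...}}
            for type_body in mappings.values():
                walk(type_body, [])
    return sorted(found)


def geoip_target_is_mapped(template, target="geoip"):
    """Does the Logstash geoip filter's target field land on a geo_point?

    The filter writes coordinates to "<target>.location". Logstash 7.x
    defaults target to "geoip", which Filebeat's ECS template does not
    declare, so that field is dynamically mapped and never a geo_point.
    Returns (is_geo_point, checked_path).
    """
    # Accept Logstash bracket syntax "[source][geo]" as well as "source.geo"
    dotted = target.replace("][", ".").strip("[]")
    path = dotted + ".location"
    return path in geo_point_fields(template), path


if __name__ == "__main__":
    print("geo_point fields:", geo_point_fields(SAMPLE_TEMPLATE))
    for target in ("geoip", "[source][geo]"):
        ok, path = geoip_target_is_mapped(SAMPLE_TEMPLATE, target)
        print(f"target {target!r:16} -> {path}: {'geo_point' if ok else 'NOT geo_point'}")
```

To run it against a live cluster, replace `SAMPLE_TEMPLATE` with the parsed body of `GET /_template/filebeat-7.1.1`. Against the trimmed template the default target reports `geoip.location: NOT geo_point`, which is exactly the symptom of getting geoip fields without usable coordinates, while `[source][geo]` lands on a mapped geo_point. The corresponding Logstash change is `geoip { source => "[json][src_ip]" target => "[source][geo]" }`; only the `location` sub-field needs to match the template for the map to work, the other geoip sub-fields are simply dynamically mapped as keyword by the template's `strings_as_keyword` rule.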