Filebeat Azure module not compatible with Maps visualisation

ankitdevnalkar · May 2, 2021, 5:02pm

I am using Filebeat Azure module to fetch activity logs and sign-in logs.
Logstash is running between Filebeat and Elasticsearch and pushing data to a custom index cloud-audit-azure. Using a custom index to store data purposefully as we want to use index pattern cloud-audit* having indexes such as cloud-audit-aws, cloud-audit-azure.
I copied its ingest pipeline and using the same to parse data.
after seeing source.geo.location.lat and source.geo.location.lon data type asnumber I tried changing it to geo_point from mapping but no luck
when changed to geo_point, cloud-audit-azure was visible in Maps visualization but it was letting me select only one of source.geo.location.lat or source.geo.location.lon.

Here is the pipeline file if you would like to see :

gist.github.com

https://gist.github.com/ankitdevnalkar/4cc274bc204f394beaec90ec968b3460

gistfile1.txt

PUT _ingest/pipeline/signals-azure-activitylogs-pipeline
{
    "description" : "Pipeline for parsing azure activity logs.",
    "processors" : [
      {
        "rename" : {
          "field" : "azure",
          "target_field" : "azure-eventhub",
          "ignore_missing" : true
        }

This file has been truncated. show original

ankitdevnalkar · May 3, 2021, 6:16am

Can anyone help ?

legoguy1000 · May 3, 2021, 1:11pm

source.geo.location should be geo_point, not the lat or long. What does you index mapping look like? How did you create it?

ankitdevnalkar · May 3, 2021, 1:18pm

hey @legoguy1000 thanks for your reply. I did not create the mapping, I tried changing type from ingest pipeline.

Index mapping is in the following gist :

gist.github.com

https://gist.github.com/ankitdevnalkar/04d89eb899c8661484728f85bd8c0695

azure_index_mapping

{
  "cloud-audit-azure-2021.04" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "@version" : {
          "type" : "text",
          "fields" : {

This file has been truncated. show original

system · May 31, 2021, 3:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Azure module not supporting geoip map visualisation Beats filebeat	1	193	May 27, 2021
Visualize Map Problems Kibana	7	1362	July 6, 2017
Unable to find source.geo.location filebeat aws module Beats filebeat	7	693	April 26, 2021
PaloAlto ingest pipeline and geoip lookup Beats filebeat	4	626	August 20, 2020
Filebeat - IIS Module - No geopoint Beats filebeat	5	1828	October 17, 2018

Filebeat Azure module not compatible with Maps visualisation

Related topics