Geo ip in tile map

bm1391 · October 9, 2017, 8:28pm

Good afternoon,

I continue to receive the error " index pattern does not contain any of the following field types: geo_point " when trying to map via tile map. Here is what my data looks like:

{
  "_index": "combine-inbound-2017.10.09",
  "_type": "IPv4",
  "_id": "AV8CyL9uPzFVCkQYAsCd",
  "_score": null,
  "_source": {
    "message": "\"216.218.206.90\",\"IPv4\",\"inbound\",\"http://www.ciarmy.com/list/ci-badguys.txt\",\"\",\"2017-10-09\"\r",
    "@version": "1",
    "@timestamp": "2017-10-09T20:17:11.202Z",
    "path": "/opt/threatintel/combine/harvest.csv",
    "host": "atropos",
    "entity": "216.218.206.90",
    "type": "IPv4",
    "direction": "inbound",
    "source": "http://www.ciarmy.com/list/ci-badguys.txt",
    "notes": "",
    "date": "2017-10-09",
    "geoip": {
      "ip": "216.218.206.90",
      "country_code2": "US",
      "country_code3": "USA",
      "country_name": "United States",
      "continent_code": "NA",
      "region_name": "CA",
      "city_name": "Fremont",
      "postal_code": "94539",
      "latitude": 37.5497,
      "longitude": -121.96209999999999,
      "dma_code": 807,
      "area_code": 510,
      "timezone": "America/Los_Angeles",
      "real_region_name": "California",
      "location": [
        -121.96209999999999,
        37.5497
      ]
    }
  },
  "fields": {
    "date": [
      1507507200000
    ],
    "@timestamp": [
      1507580231202
    ]
  },
  "sort": [
    1507580231202
  ]
}

Here is logstash conf

input {
 file {
   path => "/opt/threatintel/combine/harvest.csv"
   start_position => "beginning"
   sincedb_path => "/dev/null"
 }
}
filter {
 csv {
     separator => ","
     columns => ["entity","type","direction","source","notes","date"]
 }
     geoip {
        source => "entity" 
#        target => "geoip" 
        database => "/etc/logstash/GeoLiteCity.dat" 
#        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ] 
#        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] 
     }
#     mutate {
#        convert => [ "[geoip][coordinates]", "float"] 
#     } 
}

output {
if [direction] == "inbound" {
elasticsearch {
hosts => "http://localhost:9200"
index => "combine-inbound-%{+YYYY.MM.dd}"
}
stdout {}
}
if [direction] == "outbound" {
   elasticsearch {
    hosts => "http://localhost:9200"
    index => "combine-outbound-%{+YYYY.MM.dd}"
 }
stdout {}
}
}

top of csv file:

"entity","type","direction","source","notes","date"
"118.97.147.26","IPv4","inbound","http://www.projecthoneypot.org/list_of_ips.php?rss=1","","2017-10-08"

Thanks in advance

warkolm · October 9, 2017, 8:49pm

What's the mapping of the field?
Do you have an index template for combine-outbound- that will match and map the field?

bm1391 · October 9, 2017, 9:03pm

curl -XGET http://localhost:9200/combine-inbound-*/_mapping/

{
  "combine-inbound-2017.10.09" : {
    "mappings" : {
      "IPv4" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          },
          "@version" : {
            "type" : "string"
          },
          "date" : {
            "type" : "date",
            "format" : "strict_date_optional_time||epoch_millis"
          },
          "direction" : {
            "type" : "string"
          },
          "entity" : {
            "type" : "string"
          },
          "geoip" : {
            "properties" : {
              "area_code" : {
                "type" : "long"
              },
              "city_name" : {
                "type" : "string"
              },
              "continent_code" : {
                "type" : "string"
              },
              "country_code2" : {
                "type" : "string"
              },
              "country_code3" : {
                "type" : "string"
              },
              "country_name" : {
                "type" : "string"
              },
              "dma_code" : {
                "type" : "long"
              },
              "ip" : {
                "type" : "string"
              },
              "latitude" : {
                "type" : "double"
              },
              "location" : {
                "type" : "double"
              },
              "longitude" : {
                "type" : "double"
              },
              "postal_code" : {
                "type" : "string"
              },
              "real_region_name" : {
                "type" : "string"
              },
              "region_name" : {
                "type" : "string"
              },
              "timezone" : {
                "type" : "string"
              }
            }
          },
          "host" : {
            "type" : "string"
          },
          "message" : {
            "type" : "string"
          },
          "notes" : {
            "type" : "string"
          },
          "path" : {
            "type" : "string"
          },
          "source" : {
            "type" : "string"
          },
          "type" : {
            "type" : "string"
          }
        }
      }
    }
  }
}

Is This what I am looking for?

bm1391 · October 9, 2017, 9:29pm

I Need something like this in order to change location to:
"type" : "geo_point" , is this correct?

PUT /combine-inbound-*/_mapping/IPv4 {"properties":{"geoip":{"properties": {"location": { "type": "geo_point"}}}}}

warkolm · October 9, 2017, 9:36pm

You really need a template to handle it for you. You cannot update existing mappings in this manner without a reindex.

https://www.elastic.co/blog/geoip-in-the-elastic-stack has some info on this problem, under the Custom Index Names section

bm1391 · October 9, 2017, 9:40pm

Got it, i was looking for this link. Thank you

system · November 6, 2017, 9:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.