Hello, I'm using filebeat from my servers mainly to track the access log via ssh. Now I'm trying to add a geoIP filter for the public server, in order to create a map to track ssh attack attempts.

This is my filter:

filter {
  if [type] == "syslog" {
    grok {
      # the pid is wrapped in literal square brackets in the log line, so they are escaped in the pattern
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{NOTSPACE:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{DATA:Status}? %{DATA:Ktype}? (for)? %{GREEDYDATA:syslog_user} (from)? %{IP:ip_address}?%{GREEDYDATA:syslog_message_tail}?" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # resolves ip_address and writes geoip.location (plus latitude/longitude, country, etc.) under the target
    geoip {
      source => "ip_address"
      target => "geoip"
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
When I go to the Discover section in Kibana, I can see the geoip parts, but I have no geoip.location, only two separate fields, Lat and Lon, and when I try to create a visualization I have the common problem, Kibana (No geo_point type).

I output from filebeat using the "filebeat-geo-*" index name in order to use the filebeat/logstash template, which should work, and also if I try to get the information from my index patterns with curl I can see the "location" field with the correct values. What else am I missing? I'm quite new to Elasticsearch...
Thanks in advance

Wow, 23 views and no one helping me, even in finding a solution in some other post?
I think it should be something connected with mappings. Creating a custom index, I succeeded in creating a geo_point type mapping for the geoip.location field, and even if I see it as a geo_point type, in Discover it is treated as a float. If I add a visualization I can select the field (no error "No geo_point type") but my map remains empty!
Hope these extra details can help someone to help me...
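Both posts above come down to the same question: is `geoip.location` mapped as `geo_point` in the index Logstash actually writes to, and was that mapping in place before the index was created? The script below is an added example, not code from the thread or from Elastic. It builds the index template a Logstash geoip user typically needs and walks a mapping (the shape returned by `GET /<index>/_mapping`) to tell apart the two symptoms described: `geoip.location` dynamically mapped as an object with float `lat`/`lon` children, versus a `geo_point` that is present and correct. The index pattern, template name and sample mapping bodies are constructed placeholders.

```python
"""Diagnose geoip.location mappings and build a geo_point index template.

Added example (not from the original thread). Assumptions: legacy templates
(PUT /_template/<name>) with the 6.x+ "index_patterns" key, 7.x-style typeless
"properties"; on 6.x wrap the properties under the document type (e.g. "doc").
"""
import json
from typing import Dict, List, Tuple

INDEX_PATTERN = "filebeat-geo-*"   # assumed: must match the index name the Logstash output uses
TEMPLATE_NAME = "filebeat-geo"     # assumed placeholder template name


def build_geoip_template(index_pattern: str = INDEX_PATTERN) -> dict:
    """Index template mapping geoip.location as geo_point.

    A template is applied only when an index is *created*; an index that already
    exists keeps its dynamically mapped float fields and must be deleted or reindexed.
    """
    return {
        "index_patterns": [index_pattern],
        "mappings": {
            "properties": {
                "geoip": {
                    "dynamic": True,
                    "properties": {
                        "location": {"type": "geo_point"},
                        "latitude": {"type": "half_float"},
                        "longitude": {"type": "half_float"},
                        "ip": {"type": "ip"},
                    },
                }
            }
        },
    }


def _walk(properties: dict, prefix: str, out: Dict[str, str]) -> None:
    """Flatten a properties tree into {dotted.field: type}; objects are recursed, not listed."""
    for name, spec in properties.items():
        path = f"{prefix}.{name}" if prefix else name
        if "properties" in spec:
            _walk(spec["properties"], path, out)
        else:
            out[path] = spec.get("type", "object")


def field_types(mapping_response: dict) -> Dict[str, str]:
    """Flatten a GET /<index>/_mapping response (one or more indices) into field -> type."""
    types: Dict[str, str] = {}
    for index_body in mapping_response.values():
        mappings = index_body.get("mappings", {})
        if "properties" in mappings:                 # 7.x typeless mapping
            _walk(mappings["properties"], "", types)
        else:                                        # pre-7.x: nested under a doc type
            for doc_type in mappings.values():
                _walk(doc_type.get("properties", {}), "", types)
    return types


def diagnose_geoip(mapping_response: dict, target: str = "geoip") -> Tuple[bool, List[str]]:
    """Return (ok, problems) for <target>.location in a mapping response."""
    types = field_types(mapping_response)
    loc = f"{target}.location"
    problems: List[str] = []
    if loc in types:
        if types[loc] != "geo_point":
            problems.append(f"{loc} is mapped as {types[loc]}, not geo_point")
    elif f"{loc}.lat" in types or f"{loc}.lon" in types:
        problems.append(f"{loc} was dynamically mapped as an object with numeric lat/lon; "
                        "install the geo_point template and recreate the index")
    else:
        problems.append(f"{loc} is absent: the geoip filter did not populate it")
    return (not problems, problems)


# Constructed sample: an index created by dynamic mapping (the thread's symptom).
SAMPLE_DYNAMIC_MAPPING = {
    "filebeat-geo-2018.01.01": {"mappings": {"doc": {"properties": {
        "message": {"type": "text"},
        "geoip": {"properties": {
            "ip": {"type": "text"},
            "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}},
        }},
    }}}}
}

# Constructed sample: an index created after the template above was installed.
SAMPLE_GOOD_MAPPING = {
    "filebeat-geo-2018.01.02": {"mappings": {"properties": {
        "geoip": {"properties": {"location": {"type": "geo_point"}, "ip": {"type": "ip"}}},
    }}}
}

if __name__ == "__main__":
    print(json.dumps(build_geoip_template(), indent=2))
    for sample in (SAMPLE_DYNAMIC_MAPPING, SAMPLE_GOOD_MAPPING):
        print(diagnose_geoip(sample))
```

Run as-is, it prints the template body and reports the dynamic sample as broken and the good sample as fine. To use it for real, save the template output to a file and install it with `PUT /_template/<name>` before the next daily index is created, or point the Logstash `elasticsearch` output at it with its `template`, `template_name` and `template_overwrite => true` options; then feed the JSON from `GET /<index>/_mapping` to `diagnose_geoip` to confirm the new index picked it up. Indices created before the template existed keep their float mapping, which is why a correct-looking template can still leave Kibana complaining.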
