Geoip losing type geo_point for location (v8.1)

Hello,
I'm a beginner with ELK and I have the following problem:
I send Apache logs with Filebeat to Logstash. Everything works, except that when I check the location mapping in Kibana, it has no type. It appears like this:

"location": {
  "properties": {
    "lat": {
      "type": "float"
    },
    "lon": {
      "type": "float"
    }
  }
}

And when I want to create a map, I get the error "no geo_point" found.

My file for logstash is defined by:

input {
    beats {
        port => "5044"
        client_inactivity_timeout => "3600"
        ssl => true
        ssl_certificate_authorities => ["/etc/logstash/CA-cert.pem"]
        ssl_certificate => "/etc/logstash/elk-cert.pem"
        ssl_key => "/etc/logstash/elk.pkcs8.key"
        ssl_verify_mode => "force_peer"
    }
}

filter {
    if "apache_access" in [tags] {
        grok {
            match => { "message" => "%{HTTPD_COMBINEDLOG}" }
        }
        date {
            match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
        useragent {
            source => "message"
        }
        geoip {
            source => "[source][address]"
            target => "client"
        }
    }
    if "apache_error" in [tags] {
        grok {
            match => { "message" => "%{HTTPD_ERRORLOG}" }
        }
        date {
            match => [ "timestamp" , "EEE MMM dd HH:mm:ss.SSSSSS yyyy" ]
        }
        geoip {
            source => "[source][address]"
            target => "client"
        }
    }
}

output {
    elasticsearch {
        hosts => [ "https://elk.example.com:9200" ]
        cacert => "/etc/logstash/CA-cert.pem"
        user => "elastic"
        password => "XXXX"
        index => "logstash-eva-%{+YYYY.MM.dd}"
    }
    # stdout { codec => rubydebug }
}

For the client sending logs, the file /etc/filebeat/filebeat.yml is:

filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /var/log/apache2/*access*log*
    - /var/log/apache2/eva/*access*log*
  tags: ["eva_access","eva","apache","apache_access"]
  prospector.scanner.exclude_files: ['.gz$']

- type: filestream
  enabled: true
  paths:
    - /var/log/apache2/*error*log*
    - /var/log/apache2/eva/*error*log*
  tags: ["eva_error","eva","apache","apache_error"]
  prospector.scanner.exclude_files: ['.gz$']

I also ran the following command on the host where Filebeat is running:

filebeat setup -e --pipelines --index-management --dashboards

I read in other topics about this kind of problem that the index name in the Logstash output should start with logstash- (I also tried filebeat-), but the missing geo_point still occurs. (The longitude and latitude are correctly filled in by geoip.)

I really don't know what I messed up in my configuration. Any ideas how to solve this issue?

Best regards
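
Added example, not part of the original post: Elasticsearch's dynamic mapping never infers `geo_point`, so a lat/lon object that no template declared is stored as two floats, as in the mapping shown in the post. This sketch scans a mapping for such objects and builds the explicit `geo_point` mapping an index template would need; the `client.geo` parent path, the sample mapping and the function names are assumptions.

```python
NUMERIC = {"float", "half_float", "double", "scaled_float", "long", "integer"}

# Constructed sample: the mapping fragment from the post, nested under an
# assumed parent path client.geo (the page shows only the "location" object).
SAMPLE_MAPPING = {
    "properties": {
        "client": {"properties": {"geo": {"properties": {
            "country_name": {"type": "keyword"},
            "location": {"properties": {
                "lat": {"type": "float"},
                "lon": {"type": "float"},
            }},
        }}}},
    }
}

def find_unmapped_geo(mapping, prefix=""):
    """Return dotted paths of objects that hold only numeric lat/lon
    sub-fields, i.e. coordinates that were dynamically mapped as a plain
    object instead of being declared geo_point."""
    hits = []
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        props = spec.get("properties")
        if props is None:
            continue  # leaf field (including a correctly mapped geo_point)
        if set(props) == {"lat", "lon"} and all(
            p.get("type") in NUMERIC for p in props.values()
        ):
            hits.append(path)
        else:
            hits.extend(find_unmapped_geo(spec, path + "."))
    return hits

def geo_point_mappings(paths):
    """Build a "mappings" body that declares each path as geo_point, for
    use in an index template applied before the next index is created."""
    root = {"properties": {}}
    for path in paths:
        node = root
        *parents, leaf = path.split(".")
        for part in parents:
            node = node["properties"].setdefault(part, {"properties": {}})
        node["properties"][leaf] = {"type": "geo_point"}
    return root

if __name__ == "__main__":
    found = find_unmapped_geo(SAMPLE_MAPPING)
    print(found, geo_point_mappings(found))
```

The mapping of an index that already exists cannot be changed in place, so the explicit mapping only takes effect on indices created after the template is installed.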
