Trying to get geoip working from IIS log ingestion.
Current setup:
Elasticsearch v.7.9.0
Kibana v.7.9.0
Filebeat v.7.9.0
Output is set to Elasticsearch with the geoip pipeline:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["HOST:9200"]
  # Ingest pipeline every event is routed through on the Elasticsearch side.
  pipeline: geoip-info
The geoip-info pipeline is configured with these processors:
[
  {
    "geoip": {
      "field": "client.ip",
      "target_field": "client.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "source.ip",
      "target_field": "source.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "destination.ip",
      "target_field": "destination.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "server.ip",
      "target_field": "server.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "host.ip",
      "target_field": "host.geo",
      "ignore_missing": true
    }
  }
]
It's successfully harvesting IIS logs, and I show IPs. I also have a processor adding host_metadata for private networks that do not appear in any field.