GeoIP Troubles

Elastic Stack Elasticsearch
1

Trying to get geoip working from IIS log ingestion.
Current setup;
Elasticsearch v.7.9.0
Kibana v.7.9.0
Filebeat v.7.9.0

Output is set to Elasticsearch with geoip pipeline;

   output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["HOST:9200"]
      pipeline: geoip-info

geoip-info Pipeline is configured;

[
  {
    "geoip": {
      "field": "client.ip",
      "target_field": "client.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "source.ip",
      "target_field": "source.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "destination.ip",
      "target_field": "destination.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "server.ip",
      "target_field": "server.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "host.ip",
      "target_field": "host.geo",
      "ignore_missing": true
    }
  }
]

It's successfully harvesting IIS logs, and I show IP's. I also have a processor adding host_metadata for private networks that do not appear in any field.

2

Hi @Midnigh7

I am not saying this is the issue but perhaps take at this similar issue. In short if your field name is source.ip on ingest and valid json is not created the rest of the ingest pipelines won't work. That is what the dot expander is for.

Filebeat json to Elasticsearch, error processing pipeline

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.