GeoIP Troubles

Trying to get geoip working from IIS log ingestion.
Current setup:
Elasticsearch v.7.9.0
Kibana v.7.9.0
Filebeat v.7.9.0

Output is set to Elasticsearch with geoip pipeline:

   output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["HOST:9200"]
      pipeline: geoip-info

geoip-info pipeline is configured:

[
  {
    "geoip": {
      "field": "client.ip",
      "target_field": "client.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "source.ip",
      "target_field": "source.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "destination.ip",
      "target_field": "destination.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "server.ip",
      "target_field": "server.geo",
      "ignore_missing": true
    }
  },
  {
    "geoip": {
      "field": "host.ip",
      "target_field": "host.geo",
      "ignore_missing": true
    }
  }
]

It's successfully harvesting IIS logs, and I show IPs. I also have a processor adding host_metadata for private networks that do not appear in any field.

Hi @Midnigh7

I am not saying this is the issue, but perhaps take a look at this similar issue. In short, if your field name is source.ip on ingest and valid JSON is not created, the rest of the ingest pipelines won't work. That is what the dot expander is for.

Filebeat json to Elasticsearch, error processing pipeline
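
The point in the reply above about dotted field names, as an added example that is not part of the original thread and not Elasticsearch's own code: a simplified Python model of how an ingest processor resolves `source.ip` as a nested path, why `ignore_missing: true` then skips a literal `source.ip` key without any error, and what a `dot_expander` step changes. The function names, the `GEO_DB` table and the sample address are assumptions constructed for illustration.

```python
# Simplified model of ingest field-path resolution (not Elasticsearch code).
# GEO_DB and the sample address are constructed for illustration.
GEO_DB = {"203.0.113.5": {"country_iso_code": "XX"}}

def get_path(doc, path):
    """Resolve 'a.b' as nested objects, the way ingest processors read a field."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def set_path(doc, path, value):
    """Write value at the nested location named by 'a.b', creating parents."""
    *parents, leaf = path.split(".")
    node = doc
    for part in parents:
        node = node.setdefault(part, {})
    node[leaf] = value

def dot_expander(doc, field):
    """Turn a literal top-level key such as 'source.ip' into source -> ip."""
    if field in doc:
        set_path(doc, field, doc.pop(field))
    return doc

def geoip(doc, field, target_field, ignore_missing=True):
    """Model of one geoip processor from the geoip-info pipeline."""
    ip = get_path(doc, field)
    if ip is None:
        if ignore_missing:
            return doc  # silent skip: no error raised, no geo data added
        raise KeyError(f"field [{field}] not present")
    if ip in GEO_DB:
        set_path(doc, target_field, dict(GEO_DB[ip]))
    return doc

def run(doc, expand):
    """Run the source.ip step, optionally preceded by dot_expander."""
    if expand:
        dot_expander(doc, "source.ip")
    return geoip(doc, "source.ip", "source.geo")

if __name__ == "__main__":
    print(run({"source.ip": "203.0.113.5"}, expand=False))      # flat key: skipped
    print(run({"source.ip": "203.0.113.5"}, expand=True))       # expanded: enriched
    print(run({"source": {"ip": "203.0.113.5"}}, expand=False)) # nested: enriched
```

Setting `ignore_missing=False` in the model turns the silent skip into an error, which is a quick way to tell a missing field from a failed lookup.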
