I need help confirming the exact steps required to get geo-ip information to map to the SIEM network map in Kibana.
My environment:
Windows and Linux hosts running either Auditbeat, Packetbeat or Winlogbeat plus Packetbeat.
All traffic from hosts is piped to an on-prem Logstash server.
Current pipeline.conf file is a single conf file, meaning a single pipeline (baby steps).
What am I trying to accomplish:
I want to add the correct filter bits within my single pipeline that will convert any IP information received to geo-ip information, so that when the detail is output to my Elastic Cloud, that information will be mapped to the SIEM network map without affecting any other log data that is received by that pipeline.
So, is there an IP address in the log data received into my on-prem Logstash server?
Yes! Then, via the filter section, create the geo-ip detail and output that data along with any other included log data to Elastic, to be mapped to its respective Kibana dashboard and SIEM network map.
No! Then bypass this filter and just send the log data received out to Elastic to the respective Kibana dashboard.
There is ample documentation; however, my issue is that a lot of the documentation does not have relevant outside context. You either already understand the context, and if you don't, oh well...
I have yet to find, within the Elastic documentation or elsewhere, a good real-world example of a "HOW TO" document on how to set this up from scratch, specifically if you are running a hybrid installation like mine, where on-prem Logstash is piping data out to an Elastic Cloud instance.
Any help/advice would be most appreciated.
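The conditional filter the post describes, written out as an added example pipeline (not code from the original post or from Elastic). It assumes Beats are sending ECS events (source.ip, destination.ip) to a beats input on port 5044, and the cloud_id / cloud_auth values are placeholders to be taken from the Elastic Cloud console.

```conf
# Added example (not from the original post): one Logstash pipeline that runs
# the geoip filter only when an ECS IP field is present. Events without IP
# fields skip both conditional blocks and are forwarded unchanged.
input {
  beats { port => 5044 }
}

filter {
  # The SIEM network map reads source.geo.* and destination.geo.*, so the
  # geoip target must be those ECS fields, not the legacy top-level "geoip".
  # "![source][geo]" avoids re-enriching events Beats already geo-tagged.
  if [source][ip] and ![source][geo] {
    geoip {
      source         => "[source][ip]"
      target         => "[source][geo]"
      tag_on_failure => ["_geoip_lookup_failure_source"]
    }
  }
  if [destination][ip] and ![destination][geo] {
    geoip {
      source         => "[destination][ip]"
      target         => "[destination][geo]"
      tag_on_failure => ["_geoip_lookup_failure_destination"]
    }
  }
}

output {
  elasticsearch {
    # Placeholders: copy both values from the Elastic Cloud deployment page.
    cloud_id   => "<CLOUD_ID_PLACEHOLDER>"
    cloud_auth => "<USER>:<PASSWORD_PLACEHOLDER>"
    # Keep the Beats index naming so the Beats index templates (which map
    # source.geo.location / destination.geo.location as geo_point) apply.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Two checks worth doing: load the Beats index templates into the cloud cluster first (the `setup` subcommand of each Beat, pointed at the cloud deployment), otherwise the geo fields arrive but are not mapped as geo_point and the map stays empty; and expect private/RFC 1918 addresses to get the `_geoip_lookup_failure_*` tag rather than coordinates, since the bundled GeoLite2 database has no entries for them.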