How do I make a mapping for geo_point?

Hello,

I am using Logstash to index Snort syslog events (index name "ids_sensors") into Elasticsearch, and all seems to work fine.
In Logstash I have the following "geoip" input (config below); the stdout of Logstash looks like the output below.
When I try to visualize the events on the Kibana world map I get

> No Compatible Fields: The "ids_sensors" index pattern does not contain any of the following field types: geo_point

I probably missed something; any idea?
Please advise.

    geoip {
      source => "[SrcIp]"
      target => "SrcGeo"
    }

    geoip {
      source => "[DstIp]"
      target => "DstGeo"
    }

{
            "@version" => "1",
          "@timestamp" => "2016-09-27T20:13:26.483Z",
                "type" => "snort",
                "host" => "172.17.37.2",
          "msg_source" => "SNORTIDS",
                 "msg" => "ALERT",
         "sensor_name" => "sntlv_lan_ips",
     "event_timestamp" => "2016-09-27 23:13:25.284+003",
      "event_priority" => 1,
                 "gid" => "1",
                 "sid" => "2012247",
                 "rev" => "2",
   "alert_description" => "ET P2P BTWebClient UA uTorrent in use ",
      "classification" => "policy-violation",
            "protocol" => "TCP",
               "SrcIp" => "172.17.37.15",
               "DstIp" => "80.94.76.5",
             "SrcPort" => 55309,
             "DstPort" => 80,
              "DstGeo" => {
                "ip" => "80.94.76.5",
     "country_code2" => "NL",
     "country_code3" => "NLD",
      "country_name" => "Netherlands",
    "continent_code" => "EU",
          "latitude" => 52.5,
         "longitude" => 5.75,
          "timezone" => "Europe/Amsterdam",
          "location" => [
        [0] 5.75,
        [1] 52.5
    ],
       "coordinates" => [
        [0] 5.75,
        [1] 52.5
    ]
},
                "tags" => [
    [0] "_grokparsefailure"
],
            "category" => nil,
           "rule_type" => "Emerging Threats",
            "severity" => "High",
   "ET_Signature_Info" => "http://doc.emergingthreats.net/2012247",
"Snort_Signature_Info" => "https://www.snort.org/search?query=1-2012247"
}
{
            "@version" => "1",
          "@timestamp" => "2016-09-27T20:13:26.483Z",
                "type" => "snort",
                "host" => "172.17.37.2",
          "msg_source" => "SNORTIDS",
                 "msg" => "ALERT",
         "sensor_name" => "sntlv_lan_ips",
     "event_timestamp" => "2016-09-27 23:13:25.413+003",
      "event_priority" => 1,
                 "gid" => "1",
                 "sid" => "2012247",
                 "rev" => "2",
   "alert_description" => "ET P2P BTWebClient UA uTorrent in use ",
      "classification" => "policy-violation",
            "protocol" => "TCP",
               "SrcIp" => "172.17.37.15",
               "DstIp" => "173.254.195.58",
             "SrcPort" => 55308,
             "DstPort" => 80,
              "DstGeo" => {
                  "ip" => "173.254.195.58",
       "country_code2" => "US",
       "country_code3" => "USA",
        "country_name" => "United States",
      "continent_code" => "NA",
         "region_name" => "CA",
           "city_name" => "Los Angeles",
         "postal_code" => "90014",
            "latitude" => 34.043800000000005,
           "longitude" => -118.2512,
            "dma_code" => 803,
           "area_code" => 213,
            "timezone" => "America/Los_Angeles",
    "real_region_name" => "California",
            "location" => [
        [0] -118.2512,
        [1] 34.043800000000005
    ],
         "coordinates" => [
        [0] -118.2512,
        [1] 34.043800000000005
    ]
},
                "tags" => [
    [0] "_grokparsefailure"
],

You will need to adapt the Logstash basic template and use that - https://github.com/logstash-plugins/logstash-output-elasticsearch/blob/master/lib/logstash/outputs/elasticsearch/elasticsearch-template-es2x.json

1 Like

Thanks Warkolm for the answer.
Sorry, but I am a newbie with ELK. Can you show me an example of how to adapt the Logstash basic template?
Thanks
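The stock template linked in the answer above only matches indices named `logstash-*` and only maps `geoip.location` as geo_point, while this config writes to `SrcGeo` and `DstGeo` in an index named `ids_sensors`, so neither location field ever gets the geo_point type. The script below is an added example, not part of this thread, of Logstash, or of the linked template: it builds an Elasticsearch 2.x template (same layout as elasticsearch-template-es2x.json) for those two targets and checks that an event carries the `[lon, lat]` array geo_point expects; the index pattern `ids_sensors*` and the output file name are assumptions.

```python
import json

# Added example for this thread, not Logstash's own code and not the linked
# template. Builds an ES 2.x index template that maps <target>.location to
# geo_point for every geoip target used in the config above (SrcGeo, DstGeo).

def geo_target_mapping():
    """Mapping for one geoip target object, mirroring the stock 'geoip' entry."""
    return {
        "type": "object",
        "dynamic": True,
        "properties": {
            "ip": {"type": "ip"},
            "location": {"type": "geo_point"},  # the field Kibana's tile map needs
            "latitude": {"type": "float"},
            "longitude": {"type": "float"},
        },
    }

def build_template(index_pattern, geo_targets):
    """ES 2.x template applied to each new index whose name matches index_pattern."""
    props = {"@timestamp": {"type": "date"},
             "@version": {"type": "string", "index": "not_analyzed"}}
    for target in geo_targets:
        props[target] = geo_target_mapping()
    return {"template": index_pattern,
            "settings": {"index.refresh_interval": "5s"},
            "mappings": {"_default_": {"_all": {"enabled": True, "omit_norms": True},
                                       "properties": props}}}

def location_ok(event, target):
    """True if event[target]['location'] is a numeric [longitude, latitude] pair in range."""
    loc = event.get(target, {}).get("location")
    if not isinstance(loc, list) or len(loc) != 2:
        return False
    if not all(isinstance(v, (int, float)) for v in loc):
        return False
    lon, lat = loc
    return -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0

if __name__ == "__main__":
    # Constructed sample: the DstGeo part of the first event shown in the question.
    event = {"DstIp": "80.94.76.5",
             "DstGeo": {"ip": "80.94.76.5", "location": [5.75, 52.5]}}
    template = build_template("ids_sensors*", ["SrcGeo", "DstGeo"])
    with open("ids_sensors-template.json", "w") as fh:  # file name is an assumption
        json.dump(template, fh, indent=2)
    print("DstGeo.location usable as geo_point:", location_ok(event, "DstGeo"))
```

Point the elasticsearch output at the file with `template => "/path/to/ids_sensors-template.json"`, `template_name => "ids_sensors"` and `template_overwrite => true`, then create a fresh index (or reindex), because a template only applies to indices created after it is installed.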