How to configure ELK for geoip

root_linux · November 18, 2021, 1:08pm

Hi,
I want to configure ELK stack. Elasticsearch, Kibana and Logstash will configure at one server and there will be multiple filebeat client. How can I configure for geoip? What need to configure in Elasticsearch, Kibana and Logstash for the same? I am beginner in ELK, please guide me.

dadoonet · November 18, 2021, 2:11pm

I'm not sure. What do you mean by "How can I configure for geoip?".

What do you want to do exactly? What kind of data you want to collect?

root_linux · November 18, 2021, 3:44pm

@dadoonet , thanks for your response.
I want to visualize IP on map in kibana visualization. For that what will be configuration in Elasticsearch, logstash and filebeat.

dadoonet · November 18, 2021, 8:54pm

IP comes from?

root_linux · November 19, 2021, 5:56am

Logs will come from filebeat client which will contain public IP, to logstash. Then I want to visualize these IPs in kibana. Here is the sample log:

SID [183733] Send Length [15595] through PROTOCOL_PSEUDO_SSL_SOCKET to [/173.98.56.1:40606]

dadoonet · November 19, 2021, 8:50am

Is that a known/standard log format or something which is built internally?

root_linux · November 19, 2021, 8:52am

It is built internally.

dadoonet · November 19, 2021, 9:07am

So the first step is to ask filebeat to collect each line of your logs. And send to Elasticsearch.
Did you do that yet?

root_linux · November 19, 2021, 9:20am

yes, have done it.

root_linux · November 19, 2021, 9:22am

I have sent logs from filebeat to logstash

dadoonet · November 19, 2021, 10:40am

I don't think you need Logstash for a simple use case like this.
So send directly to Elasticsearch.

You can use this option in filebeat to dissect the content of the log line.

But I'd recommend creating an ingest pipeline in Elasticsearch and use the Dissect processor | Elasticsearch Guide [7.15] | Elastic

Then, once you have extracted the IP address in a field, you can apply a GeoIP processor | Elasticsearch Guide [7.15] | Elastic

Let me know when it's done.

ylasri · November 20, 2021, 12:29pm

You will need to define field geoip.location as type of geo_point in your index mapping before ingestion

root_linux · November 20, 2021, 1:10pm

@ylasri thanks for your response.
Could you guide me how can I do that ( define field geoip.location as type of geo_point in your index mapping before ingestion)? Because I am beginner.
Thanks in advance.

ylasri · November 20, 2021, 1:47pm

Something like this to define an index template

PUT _template/filebeat-geoip
{
  "index_patterns": [
    "filebeat*"
  ],
  "mappings": {
    "properties": {
      "geoip": {
        "properties": {
          "location": {
            "type": "geo_point"
          },
          "ip": {
            "type": "ip"
          }
        }
      }
    }
  }
}

ylasri · November 20, 2021, 1:48pm

root_linux · November 20, 2021, 4:04pm

I was gettiing this error in Chrome browser but it is working fine in Firefox. Thank you so much @ylasri and @dadoonet for your support

root_linux · November 20, 2021, 4:07pm

I have another query. Suppose if I want to get ISP for that IP then, is there any way to do that?

ylasri · November 20, 2021, 5:01pm

root_linux · November 20, 2021, 6:21pm

Hi @ylasri , should I have to pay to get to know ISP?

ylasri · November 20, 2021, 6:35pm

No,
You can use geoip filter twice
First time with default value of default_database_type to get Lat/Lon
Second with the default_database_type to ASN ti get ISP ASN