How to convert src_ip to ip

Elastic Stack Logstash
1

Just succesfull read my Cisco ASA logs, but I am now looking for a way to convert my src_ip (string) in a way that I am able to use it as a geo_point on the Coordinate Map. Can anyone tell me how my filter section should look like? I already installed the ingest-geoip within Elasticsearch. Using version 6.1.0.

2

If you are using Logstash then just use https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html :slight_smile:

3

I added following to my filter:

geoip {
source => "src_ip"
target => "geoip"
}
mutate {
convert => [ "geoip", "float"]
}

But this results in a:
"geoip": {
"type": "object"

4

You do not need this bit, so try it without.

5

But I now only see the src_ip as a string within my map. So, no geoip.

"src_ip": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256

6

Please show your entire config.

Please also make sure you format it with the code button - </>.

7 
input {
    udp {
            port => 9996
            type => "cisco-fw"
    }

}

filter {

    # Extract fields from the each of the detailed message types
    # The patterns provided below are included in core of LogStash 1.4.2.
    grok {
            match => [
                    "message", "%{CISCOFW106001}",
                    "message", "%{CISCOFW106006_106007_106010}",
                    "message", "%{CISCOFW106014}",
                    "message", "%{CISCOFW106015}",
                    "message", "%{CISCOFW106021}",
                    "message", "%{CISCOFW106023}",
                    "message", "%{CISCOFW106100}",
                    "message", "%{CISCOFW110002}",
                    "message", "%{CISCOFW302010}",
                    "message", "%{CISCOFW302013_302014_302015_302016}",
                    "message", "%{CISCOFW302020_302021}",
                    "message", "%{CISCOFW305011}",
                    "message", "%{CISCOFW313001_313004_313008}",
                    "message", "%{CISCOFW313005}",
                    "message", "%{CISCOFW402117}",
                    "message", "%{CISCOFW402119}",
                    "message", "%{CISCOFW419001}",
                    "message", "%{CISCOFW419002}",
                    "message", "%{CISCOFW500004}",
                    "message", "%{CISCOFW602303_602304}",
                    "message", "%{CISCOFW710001_710002_710003_710005_710006}",
                    "message", "%{CISCOFW713172}",
                    "message", "%{CISCOFW733100}"
            ]
    }

    # Parse the syslog severity and facility
    syslog_pri { }

Do a DNS lookup for the sending host

Otherwise host field will contain an

IP address instead of a hostname

dns {
reverse => [ "host" ]
action => "replace"
}
}

output {

if [type] == "netflow" {

stdout  { codec => dots }
 elasticsearch
    {
     hosts => ["localhost:9200"]
     index => "netflow-%{+YYYY.MM.dd}"
    }

}

}

8

I am not familiar with a code button, sorry :frowning:.

9

It's probably because you don't have a template that matches that field so it isn't being mapped. Have a read through https://www.elastic.co/blog/geoip-in-the-elastic-stack, it'll help.

10

It's literally in the formatting bar above where you type.

11

I will read the blog, thnx! Indeed I do not have a template.

12

Problem solved. Thnx!

13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.