How to get internal ip address from filebeat?

NerdSec · March 4, 2019, 3:59am

Hi Varun,

I believe you are using Logstash to ingest and parse the data that you receive from FileBeat.

Could you please answer a few questions?

Are you using the GeoIP filter in Logstash?
Have you defined any specific mappings in Elasticsearch as defined in this blog post for GeoIP?
GeoIP in the Elastic Stack - Elasticsearch, Logstash, Ingest API | Elastic Blog
What is the field structure for the IP address field?
I ask you this because you mentioned this:

I believe the fields are populated by the GeoIP filter (Logstash, Beats or any other ETL on the planet), and if so, it does not work if the IP address is a private IP.

varun1992 · March 7, 2019, 12:55pm

i think filebeat iis using geoip filter
i didn't do anything. all default to iis filebeat
ip address field will be like 10.0.0.1

varun1992 · March 27, 2019, 2:40pm

what is the solution for that ?

NerdSec · April 1, 2019, 7:20am

Hi Varun,

As mentioned earlier. GeoIP cannot work on a private IP. You will have to do the enrichment yourself.

system · April 29, 2019, 7:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.