IP reputation ELK integration


Please, I'm trying to integrate the AbuseIPDB API into Elasticsearch so I can have a reputation score for the IP addresses. When I searched on the internet I only found tutorials talking about integrating AbuseIPDB with ELK using Logstash. Is there any other way to do it without using Logstash (like the AbuseIPDB add-on in Splunk SIEM)? Or is there any other IP reputation API that I can use?

The only way is to get the data enriched before ingesting it into Elasticsearch.
So yes, Logstash or any other third-party tool that can enrich before ingesting.
That should be an easy task with Logstash and the HTTP filter.

It's theoretically possible to update records stored in Elasticsearch, but it requires some custom programming using the raw API. The ELK stack is not designed to use this feature. In a nutshell, Logstash ingests/enriches/transforms and Kibana displays.

I would not advise using an IP reputation API in your log ingestion pipeline, as you are way too dependent on the reliability of the API provider and you take the risk of losing logging information.
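As an added example (not code from this thread, from Elastic, or from AbuseIPDB), here is the kind of pre-ingest enrichment step the replies describe, written in Python instead of a Logstash pipeline: it looks up the source IP before the event is indexed, caches results per IP, skips non-routable addresses, and on provider failure tags the event and passes it through, so the dependency on the provider noted in the last reply does not cost you log lines. The response shape, the `ip_reputation` field names and the `offline_fetch` stub are assumptions/constructed sample data.

```python
"""Pre-ingest IP reputation enrichment with a per-IP cache and fail-open behaviour."""
import ipaddress
from typing import Any, Callable, Dict, Iterable, List

# Constructed sample data shaped like an AbuseIPDB v2 "check" response (assumption:
# the real API returns more fields). Keyed by IP so the example runs offline.
SAMPLE_RESPONSES = {
    "203.0.113.9": {"data": {"ipAddress": "203.0.113.9", "abuseConfidenceScore": 87, "totalReports": 42}},
    "198.51.100.4": {"data": {"ipAddress": "198.51.100.4", "abuseConfidenceScore": 0, "totalReports": 0}},
}

# Addresses never worth sending to a public reputation provider.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def offline_fetch(ip: str) -> Dict[str, Any]:
    """Stand-in for the HTTP call to the reputation provider (constructed)."""
    return SAMPLE_RESPONSES[ip]

def enrich_event(event: Dict[str, Any], fetch: Callable[[str], Dict[str, Any]],
                 cache: Dict[str, Dict[str, Any]], ip_field: str = "source.ip") -> Dict[str, Any]:
    """Return a copy of the event with an 'ip_reputation' object added.
    Non-routable addresses are skipped, results are cached per IP, and a provider
    failure tags the event instead of dropping it (fail open)."""
    out = dict(event)
    ip = event.get(ip_field)
    if not ip:
        return out
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        out["tags"] = list(event.get("tags", [])) + ["reputation_invalid_ip"]
        return out
    if any(addr in net for net in NON_ROUTABLE):
        return out  # RFC1918, loopback, link-local: nothing to look up
    if ip not in cache:
        try:
            data = fetch(ip)["data"]
            cache[ip] = {"score": int(data["abuseConfidenceScore"]),
                         "reports": int(data.get("totalReports", 0)),
                         "provider": "abuseipdb"}
        except Exception:  # network error, rate limit, malformed body ...
            out["tags"] = list(event.get("tags", [])) + ["reputation_lookup_failed"]
            return out  # the log line is still indexed, just without a score
    out["ip_reputation"] = dict(cache[ip])
    return out

def enrich_batch(events: Iterable[Dict[str, Any]], fetch: Callable[[str], Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Enrich a batch (e.g. the body of one bulk request) sharing one cache."""
    cache: Dict[str, Dict[str, Any]] = {}
    return [enrich_event(e, fetch, cache) for e in events]
```

In production `fetch` would be the HTTP call to the provider (with a timeout) and `enrich_batch` would run just before the bulk index request; the cache keeps repeated IPs from burning API quota.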
