Kibana maps not showing locations

Hello,

I have noticed that any map I have on a dashboard isn't showing the geolocations. For example, the sample Filebeat dashboard showing attempted SSH logins loads, but it doesn't plot where any of the failed attempts are. I have no idea why this isn't working.

I have reindexed the indexes as I saw on previous threads. Could someone direct me to what I need to send to get assistance?

Hi @sc1,

Which version of the Elastic Stack are you using, and the dashboard of which module are you referring to?

Hello @weltenwort,

Thanks for the swift response. I am currently using the latest version 6.6. The dashboard in question is the default "Filebeat System SSH Login Attempts" but I have noticed even with the Packetbeat dashboards, anytime there's geo coordinates, the map just shows with no activity. I've previously set it up before in a test environment and it worked, but for some reason now it doesn't work and the setup is relatively the same. I've reindexed the index to no avail.

Let me know if you require my logstash configs.

So you're ingesting the logs with filebeat via logstash? In that case, did you install the index templates so the indices get the correct mappings? It happens automatically when filebeat writes directly to elasticsearch, but not when writing to logstash.

Hi,

Is it possible that you did not install the geoip plugin in your ES yet?

Same thing happened to me a week ago, and that was the thing missing.

Good call - that is also worth checking :+1:

As a side-note: from 6.7 onwards the geoip processor will be shipped with elasticsearch, which eliminates the need to install an extra plugin.


Thank you for the responses @weltenwort and @pup_seba.

I have two environments running separately. Both, in my opinion, were identical, but I have just noticed that after installing the geoip plugin as instructed, one environment is now showing the mapping data. I edited the visualizations on both and I can see on the map where it's accurately showing the data, it is pulling it from system.auth.ssh.geoip.location but when I looked on my staging environment where I am not seeing data, this field exists but it is split into two, like longitude and latitude. I'm not really sure why this has happened. I have deleted the index and rebuilt it to no avail.

That sounds like there's indeed a difference in ingestion and mapping between the two environments. The separate lat/lon fields suggest that it's a field of the geo-point type.

Could you show us the mapping for those fields in both environments and possibly the source of a document from each?

The first screenshot shows the logs from the environment where it is showing the mapping.


The second screenshot shows where I am not getting the mapping data.

Had to take screenshots as one of the environments is currently down for another purpose but let me know if you require anything else.

This looks like the environment in the second screenshot is missing the correct filebeat index mappings.

Did you install the filebeat index templates there so the indices get the correct mappings? It happens automatically when filebeat writes directly to elasticsearch, but not when writing to logstash.
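One way to tell which of the two situations an index is in (the geo_point the Filebeat template defines versus the split lat/lon object that dynamic mapping produces), as an added example that was not posted in the thread: it walks the JSON body returned by `GET filebeat-*/_mapping`; the two mapping bodies embedded in it are constructed samples, and the index names are made up.

```python
"""Report how an index maps system.auth.ssh.geoip.location.

Added example, not from the thread. Input is the body of GET filebeat-*/_mapping.
A geo_point type is what the Filebeat template defines; an object with separate
lat/lon floats is what dynamic mapping produces when events arrive via Logstash
without that template. Both mapping bodies below are constructed samples.
"""
GEOIP_FIELD = "system.auth.ssh.geoip.location"

def _nest(leaf):
    """Wrap a leaf mapping in the properties tree for GEOIP_FIELD (sample builder)."""
    for part in reversed(GEOIP_FIELD.split(".")):
        leaf = {"properties": {part: leaf}}
    return leaf

# Constructed sample: the field as the Filebeat index template maps it.
MAPPING_WITH_TEMPLATE = {
    "filebeat-6.6.0-2019.02.20": {"mappings": {"doc": _nest({"type": "geo_point"})}}}
# Constructed sample: no template, so dynamic mapping split the point into two floats.
MAPPING_WITHOUT_TEMPLATE = {
    "filebeat-6.6.0-2019.02.21": {"mappings": {"doc": _nest(
        {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}})}}}

def _properties_root(mappings):
    """6.x nests a type name ("doc") under "mappings"; 7.x has "properties" directly."""
    if "properties" in mappings:
        return mappings
    return next((v for v in mappings.values() if isinstance(v, dict) and "properties" in v), {})

def field_type(index_mapping, dotted_path=GEOIP_FIELD):
    """Return the type name at dotted_path, "object" for a properties-only node, or None."""
    node = _properties_root(index_mapping.get("mappings", {}))
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type", "object" if "properties" in node else None)

def diagnose(mapping_response, dotted_path=GEOIP_FIELD):
    """Map each index name in a _mapping response to a verdict on the geoip field."""
    verdicts = {}
    for index, index_mapping in mapping_response.items():
        kind = field_type(index_mapping, dotted_path)
        if kind == "geo_point":
            verdicts[index] = "ok"
        elif kind == "object":  # lat/lon split: template was not applied before indexing
            verdicts[index] = "no template: run `filebeat setup --template`, delete and reindex"
        else:
            verdicts[index] = "missing" if kind is None else "unexpected type " + kind
    return verdicts
```

Feed it the parsed `_mapping` response from each environment; an index whose field comes back as `object` was created before the template existed and has to be deleted and reindexed, since a mapping type cannot be changed in place.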

Yes I did install the Filebeat index templates but for whatever reason it wasn't working. To resolve this I deleted all the indexes, and pushed all incoming logs to Elasticsearch over Logstash. And I can now see what I need to see. As I only needed this as a proof of concept, this solution satisfies what I need.
