Hi,
I'm having trouble visualizing my Sysmon DNS logs with GeoIP-resolved locations on a coordinate map in Kibana.
The following info is being added by GeoIP to each log entry:
So it looks like longitude and latitude are added, but the so-called destination_geo.location field itself isn't there.
The index mapping contains the following:
"destination" : { "properties" : { "address" : { "type" : "keyword", "ignore_above" : 1024 }, "bytes" : { "type" : "long" }, "domain" : { "type" : "keyword", "ignore_above" : 1024 }, "geo" : { "properties" : { "city_name" : { "type" : "keyword", "ignore_above" : 1024 }, "continent_name" : { "type" : "keyword", "ignore_above" : 1024 }, "country_iso_code" : { "type" : "keyword", "ignore_above" : 1024 }, "country_name" : { "type" : "keyword", "ignore_above" : 1024 }, "latitude" : { "type" : "half_float" }, "location" : { "type" : "geo_point" }, "longitude" : { "type" : "half_float" }, "name" : { "type" : "keyword", "ignore_above" : 1024 }, "region_iso_code" : { "type" : "keyword", "ignore_above" : 1024 }, "region_name" : { "type" : "keyword", "ignore_above" : 1024 } } }, "ip" : { "type" : "ip" }, "mac" : { "type" : "keyword", "ignore_above" : 1024 }, "packets" : { "type" : "long" }, "port" : { "type" : "long" }, "user" : { "properties" : { "email" : { "type" : "keyword", "ignore_above" : 1024 }, "full_name" : { "type" : "keyword", "ignore_above" : 1024 }, "group" : { "properties" : { "id" : { "type" : "keyword", "ignore_above" : 1024 }, "name" : { "type" : "keyword", "ignore_above" : 1024 } } }, "hash" : { "type" : "keyword", "ignore_above" : 1024 }, "id" : { "type" : "keyword", "ignore_above" : 1024 }, "name" : { "type" : "keyword", "ignore_above" : 1024 } } } } }, "destination_geo" : { "properties" : { "city_name" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "continent_code" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "country_code2" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "country_code3" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "country_name" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "dma_code" : { 
"type" : "long" }, "ip" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "latitude" : { "type" : "half_float" }, "location" : { "type" : "geo_point" }, "longitude" : { "type" : "half_float" }, "postal_code" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "region_code" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "region_name" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } }, "timezone" : { "type" : "text", "fields" : { "keyword" : { "type" : "keyword", "ignore_above" : 256 } } } } },
When I go to create a new visualization, I can only select destination.geo.location, which actually wasn't populated above (there were destination.geo.location.lat and *.lon), and therefore it draws nothing:
Any idea how to make it work?