Hello people... sorry to bother you, once again.
ALL of my config is working, and I mean it...
absolutely all of it. Mostly code ripped from siemonster and other places, but all together it "works"
EXCEPT GeoIP
Please gimme a hand, here's the config:
# Logstash filter stage.
# Pass 1: tag every syslog event from substrings found in [message].
# Pass 2: for FORTIGATE-tagged events, split the syslog header with grok,
#         explode the key=value body with kv, convert the counters to
#         integers, then geolocate [srcip]/[dstip] when they fall outside the
#         private/loopback/link-local ranges listed in the regex below.
# NOTE(review): the listing is truncated (the post says it was stripped):
# the filter, [type] and FORTIGATE blocks are still open at the end of this
# excerpt.
filter {
if [type] == "syslog" {
# These substring tests run against the whole message, so an event whose
# payload merely contains the word (a URL, a username, a process name) also
# receives the tag. The tags drive parsing and routing below, so treat them as
# hints rather than an authoritative device classification.
if "devname" in [message] {
mutate {
add_tag => [ "COUPEFEU", "FORTIGATE" ]
}
}
if "%ASA-" in [message] {
mutate {
add_tag => [ "Firewall", "ASA" ]
}
}
if "VPN" in [message] {
mutate {
add_tag => [ "VPN" ]
}
}
if "SOC" in [message] {
mutate {
add_tag => [ "SOC" ]
}
}
if "IPS" in [message] {
mutate {
add_tag => [ "IPS" ]
}
}
if "printer" in [message] {
mutate {
add_tag => [ "hp-printers" ]
}
}
#
#
#
# Parse Fortigate: split "<pri>timestamp host key=value ..." into the syslog
# header fields and keep the key=value body in [kv]. A message that does not
# match gets _grokparsefailure and the kv/date/geoip steps below then have
# nothing to work on.
if "FORTIGATE" in [tags] {
grok {
match => [ "message", "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{GREEDYDATA:kv}" ]
# remove_field on grok only applies on a successful match, so [message] is
# dropped only once its body has been copied into [kv].
remove_field => ["message"]
# NOTE(review): a second remove_field on the same plugin block; confirm both
# are applied, or fold them into one: remove_field => ["message", "syslog_timestamp"].
remove_field => ["syslog_timestamp"]
# remove_field => ["type"]
}
# NOTE(review): SYSLOG5424PRI in the stock grok patterns captures into
# [syslog5424_pri], while syslog_pri reads [syslog_pri] by default — confirm
# the facility/severity fields actually get populated.
syslog_pri { }
kv {
source => "kv"
# type/subtype are presumably excluded so the Fortigate pairs do not overwrite
# the event [type] tested at the top of this filter — confirm.
exclude_keys => [ "type", "subtype" ]
field_split => " "
value_split => "="
}
# Assumes kv produced [logtimestamp]; when it is absent, [@timestamp]
# presumably stays at ingest time — verify on a sample event.
date {
match => [ "logtimestamp", "ISO8601" ]
locale => "en"
timezone =>"America/Montreal"
remove_field => [ "logtimestamp" ]
}
# Fortigate emits its counters as text; convert them so downstream consumers
# see numbers rather than strings.
mutate {
convert => [ "rcvdbyte", "integer" ]
convert => [ "countdlp", "integer" ]
convert => [ "countweb", "integer" ]
convert => [ "countav", "integer" ]
convert => [ "countemail", "integer" ]
convert => [ "countips", "integer" ]
convert => [ "duration", "integer" ]
convert => [ "sentpkt", "integer" ]
convert => [ "rcvdpkt", "integer" ]
convert => [ "sentbyte", "integer" ]
convert => [ "shaperdroprcvdbyte", "integer" ]
convert => [ "shaperdropsentbyte", "integer" ]
convert => [ "filesize", "integer" ]
convert => [ "count", "integer" ]
convert => [ "total", "integer" ]
convert => [ "totalsession", "integer" ]
convert => [ "bandwidth", "integer" ]
#rename => { "type" => "ftg-type" }
}
# Geolocate [srcip] only when it is outside the ranges in the regex below.
# The regex covers 127.0.0.1 (that address only, not all of 127/8), 10/8,
# 172.16/12, 192.168/16 and 169.254/16; anything else — including IPv6 and
# 100.64/10 CGNAT space — is treated as WAN and looked up.
if [srcip] and [srcip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
geoip {
# NOTE(review): GeoLiteCity.dat is the legacy MaxMind v1 format; the geoip
# filter shipped with Logstash 5 and later reads only the MaxMind DB format
# (GeoLite2-City.mmdb). Check which plugin version is installed, the Logstash
# log for a database error at startup, and events for a
# _geoip_lookup_failure tag — a database the plugin cannot use is the most
# likely reason no geo fields appear.
database => "/etc/logstash/GeoLiteCity.dat"
source => "srcip"
# Results land under [SourceGeo] (and [DestinationGeo] below), not under the
# default [geoip] field — look for them there.
target => "SourceGeo"
add_tag => [ "traffic-wan" ]
}
}
# Tag private-source ("RITM") traffic so it can be routed to a second index.
if [srcip] and [srcip] =~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
mutate {
add_tag => [ "src-traffic-ritm" ]
# NOTE(review): this is not a mutate option (mutate takes convert/rename/
# add_tag/...), and "geo_point" is an Elasticsearch mapping type, not a
# conversion target. If this line is in the running config the pipeline
# should refuse to load; the geo_point mapping belongs in the index
# template. The same line appears in the dstip block below.
["SourceGeo.location"] => "geo_point"
}
# NOTE(review): the brace closing this `if` is missing — the "#}" a few lines
# down looks like it was commented out together with the block above it — so
# the [dstip] checks below are nested inside it and run only when [srcip] is
# private. Inbound traffic with a public [srcip] therefore never reaches the
# dstip geoip/tagging.
# Delete 0,0 in SourceGeo.location if equal to 0,0 (disabled). Note the
# dotted reference: Logstash nested-field syntax is [SourceGeo][location];
# [srcip.location] names a flat field literally called "srcip.location".
#if ([srcip.location] and [srcip.location] =~ "0,0") {
#mutate {
# ["SourceGeo.location"] => "geo_point"
#}
#}
#}
# Geolocate [dstip] when it is outside the same private/loopback/link-local
# ranges (see the srcip comment above for what the regex does and does not cover).
if [dstip] and [dstip] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
geoip {
# Same database-format caveat as the srcip lookup above.
database => "/etc/logstash/GeoLiteCity.dat"
source => "dstip"
target => "DestinationGeo"
add_tag => [ "traffic-wan" ]
}
}
# Tag private-destination ("RITM") traffic so it can be routed to a second index.
if [dstip] and [dstip] =~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
mutate {
add_tag => [ "dst-traffic-ritm" ]
# NOTE(review): not a mutate option — see the srcip block above.
["DestinationGeo.location"] => "geo_point"
}
# Delete 0,0 in DestinationGeo.location if equal to 0,0 (disabled; same
# dotted-reference caveat as above).
#if ([dstip.location] and [dstip.location] =~ "0,0") {
#mutate {
# ["DestinationGeo.location"] => "geo_point"
# }
#}
}
}
# NOTE(review): the excerpt ends here. This last brace closes the private-
# srcip `if`; the closing braces for the FORTIGATE, [type] and filter blocks
# are not shown (stripped per the post).
#
#
#
STRIPPED FOR LACK OF SPACE - the rest is on pastebin here: https://pastebin.com/4DnmxDa1
Somehow it just... doesn't populate the geoip... I don't know why, nor where to look for an answer...
Thank you... and sorry to bother :\