Hi Everyone,
Sorry if this is answered somewhere else and I would appreciate if you can help.
I'm sending logs from FortiGate to Logstash and I want to set geoip location to be sent to Elasticsearch. Since some traffic on the FortiGate is from internal private IPs, including external VPNs etc., I want to somehow tell Logstash that when the destination is not the Internet-facing interface it should use a public address (here for test 8.8.8.8), and when it sees the traffic comes from the internal interface (Port10), it should use the NAT IP
This is the filter I wrote, but it gives error
if "dstintf" != "port1" {
geoip {
default_database_type => "City"
source => "8.8.8.8"
tag_on_failure => ["_dst_city_geo_failure"]
target => "dst_ip"
}
} else {
default_database_type => "City"
source => "dstip"
tag_on_failure => ["_dst_city_geo_failure"]
target => "dst_ip"
}
if "srcintf" == "port10" {
geoip {
default_database_type => "City"
source => "transip"
tag_on_failure => ["_src_city_geo_failure"]
target => "src_ip"
}
} else {
default_database_type => "City"
source => "srcip"
tag_on_failure => ["_src_city_geo_failure"]
target => "src_ip"
}
This is the error I get:
[WARN ] 2023-09-22 16:19:10.754 [[main]>worker0] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"firewall-2023.09.22", :routing=>nil}, {HERE THE PAIR VALUES OF LOGS ARE, I REMOVED THEM FOR READABILITY PURPOSE}], :response=>{"index"=>{"_index"=>"fortigate-2023.09.22", "_id"=>"w9qKu4oBu3VwOasdztwD", "status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:717] failed to parse field [src_loc] of type [geo_point]", "caused_by"=>{"type"=>"parse_exception", "reason"=>"latitude must be a number"}}}}}