Hello to All,
I'm trying to create Kibana map using data from Fortinet syslog and Logstash.
I was able to load geoip data into Kibana, however the geo.location field had to be created in Logstash because it was not created automatically.
My Logstash config looks like this at the moment:
input {
  # FortiGate syslog arrives over plain UDP on 5004; the `type` value is what the
  # filter and output sections key their "fortinet" conditionals on.
  udp {
    port => 5004
    type => "fortinet"
  }
}
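filter {
  if [type] == "fortinet" {
    # Strip the RFC 5424 PRI prefix ("<nnn>") so that kv only sees the key=value payload.
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{GREEDYDATA:message}" }
      overwrite => [ "message" ]
    }

    # Drop fields the input added; @timestamp is rebuilt by the date filter below.
    # NOTE(review): if that date parse fails the event is tagged _dateparsefailure —
    # confirm what @timestamp such events end up with before relying on log_day.
    mutate {
      remove_field => ["@timestamp","@version","event","log"]
    }

    # FortiGate messages are "key=value,key=value,..." pairs.
    kv {
      source => "message"
      value_split => "="
      field_split => ","
      remove_field => "message"
    }

    # FortiGate logs carry their own `type=` and `subtype=` keys; move them aside so
    # the routing value "fortinet" can be restored, and build logdate from date+time.
    # NOTE(review): since `type` already exists when kv runs, kv may merge both values
    # into an array, making ftg_type ["fortinet","traffic"] — check one indexed event.
    mutate {
      rename => {
        "type" => "ftg_type"
        "subtype" => "ftg_subtype"
      }
      add_field => {
        "type" => "fortinet"
        "logdate" => "%{date} %{time}"
      }
      convert => {
        "rcvdbyte" => "integer"
        "sentbyte" => "integer"
      }
    }

    # FortiGate timestamps have no zone information; interpret them as Europe/Paris.
    date {
      match => [ "logdate", "yyyy-MM-dd HH:mm:ss" ]
      timezone => "Europe/Paris"
      target => "@timestamp"
    }
    mutate {
      remove_field => ["date","time"]
    }

    # log_day (community plugin logstash-filter-date_formatter) feeds the file output path.
    date_formatter {
      source => "@timestamp"
      target => "log_day"
      pattern => "YYYY.MM.dd"
    }

    # Skip GeoIP lookups for RFC 1918 addresses and hex-leading IPv6 addresses: the
    # database has no entries for private ranges, so looking them up only produces
    # _geoip_lookup_failure tags. The dot is escaped so "100.x" / "101.x" etc. are not
    # wrongly treated as 10/8.
    if [srcip] {
      if [srcip] !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|[a-f])/ {
        geoip {
          source => "srcip"
          target => "src_geoip"
        }
        # The geoip filter already writes [src_geoip][geo][location] as a {lat, lon}
        # object, which Elasticsearch accepts directly as a geo_point if mapped as one.
        # The "lat, lon" string copy below is only built when coordinates exist: a
        # lookup can succeed with country data only, and an unresolved %{} reference
        # would otherwise be stored literally and rejected by the geo_point mapping.
        if [src_geoip][geo][location] {
          mutate {
            add_field => { "[src_geoip][location]" => "%{[src_geoip][geo][location][lat]}, %{[src_geoip][geo][location][lon]}" }
          }
        }
      }
    }
    if [dstip] {
      if [dstip] !~ /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|[a-f])/ {
        geoip {
          source => "dstip"
          target => "dst_geoip"
        }
        # Same guard as for src_geoip: only build the string when coordinates exist.
        if [dst_geoip][geo][location] {
          mutate {
            add_field => { "[dst_geoip][location]" => "%{[dst_geoip][geo][location][lat]}, %{[dst_geoip][geo][location][lon]}" }
          }
        }
      }
    }
  }
}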
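output {
  if [type] == "fortinet" {
    elasticsearch {
      hosts => ["https://localhost:9200"]
      user => "logstash_internal"
      # Read the secret from the Logstash keystore (or environment) rather than the
      # config file; LOGSTASH_INTERNAL_PASSWORD is a constructed name — add it with
      # `bin/logstash-keystore add LOGSTASH_INTERNAL_PASSWORD`.
      password => "${LOGSTASH_INTERNAL_PASSWORD}"
      ssl => true
      # Verify the node certificate against the CA that issued it. With verification
      # off, the TLS connection does not authenticate the Elasticsearch endpoint.
      ssl_certificate_verification => true
      cacert => "/path/to/elasticsearch-ca.pem"   # PLACEHOLDER: CA that signed the node cert
      # A daily index; the index template for fortinet-* must exist before the first
      # day's index is created, otherwise the location fields are mapped dynamically.
      index => "fortinet-%{+YYYY.MM.dd}"
    }
    # log_day and devname come straight from the unauthenticated UDP payload.
    # NOTE(review): the file output diverts paths that resolve outside the static
    # prefix to its filename_failure file, but confirm that on the installed plugin
    # version; events missing devname get the literal "%{devname}" in the path.
    file {
      path => "/log/%{log_day}/fortinet/%{devname}/%{devname}-%{[host][ip]}.gzip"
      gzip => true
    }
  }
}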
I also modified the template for this index in Kibana:
{
"properties": {
"dst_geoip.location": {
"ignore_malformed": false,
"type": "geo_point",
"ignore_z_value": false
},
"src_geoip.location": {
"ignore_malformed": false,
"type": "geo_point",
"ignore_z_value": false
}
}
}
Anyway, I can see these fields in Kibana:
But when I look at the mappings of the specific index, the field is mapped twice:
And the field is still displayed as text and cannot be selected as a geo_point in the map:
Can anyone help me with that issue?
Best regards.