Logstash + Fortinet + Kibana

Rios · January 19, 2023, 10:43pm

Since LS v8+ is ECSv8 is by default, the geoip plugin will work if you set the field name in format: [source][ip], like this:

    geoip {
       source => "[source][ip]"
       ecs_compatibility => "v8" # default
       tag_on_failure => ["Location unknown or similar msg"]
    }

Similar is for [destination][ip] for the destination

If you set ecs_compatibility = disabled then you can lookup directly the
srcip or dstip fields.

For custom geo data you have to create GeoJSON, ECS v8 which should look like this.

	if ([srcip] =~ /^10\./)  {
	    mutate {
         add_field => {
          "[src_geoip][city_name]" => "Baltimore"
          "[src_geoip][continent_code]" => "NA"
          "[src_geoip][continent_name]" => "North America"
          "[src_geoip][country_iso_code]" => "US"
          "[src_geoip][country_name]" => "USA"
          "[src_geoip][location][lon]" => -76.6348
          "[src_geoip][location][lat]" => 39.2851
          "[src_geoip][name]" => "Baltimore HQ"
          "[src_geoip][postal_code]" => "667"
          "[src_geoip][region_iso_code]" => "US-MD"
          "[src_geoip][region_name]" => "Maryland"
          "[src_geoip][timezone]" => "America/Detroit"
         }

        }
	}

ECS v1 looks very similar, check what your LS which the structure will generate.

You must define mappings-dataview. FB is using dynamic structure

   "src_geoip": {
              "properties": {
                "region_iso_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "continent_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "city_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "country_iso_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "timezone": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "country_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "continent_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "region_name": {
                  "ignore_above": 1024,
                  "type": "keyword"
                },
                "location": {
                  "type": "geo_point"
                },
                "postal_code": {
                  "ignore_above": 1024,
                  "type": "keyword"
                }
              }
            },

For older versions,which include country_code2, country_code3 etc., you can use the structure:

        "src_geoip"  : {
		  "dynamic": true,
		  "properties" : {
			"ip": { "type": "ip" },
			"location" : { "type" : "geo_point" },
			"latitude" : { "type" : "half_float" },
			"longitude" : { "type" : "half_float" }
		  }
        },

Topic		Replies	Views
Kibana how to get geo_point working? Kibana	4	1531	July 6, 2017
Logstash load of geo data from lat, long - Kibana not recognising geo Logstash	3	1703	July 6, 2017
Kibana: No Compatible Fields - GEOIP Kibana	2	388	November 19, 2018
GEOIP woes Logstash	7	646	February 21, 2019
Logstash 7.6 how to create geo_point field Logstash	4	2651	April 1, 2020

Logstash + Fortinet + Kibana

Related topics