Logstash + Fortinet + Kibana

Since LS v8+ uses ECS v8 by default, the geoip plugin will work if you set the field name in the format [source][ip], like this:

    geoip {
       source => "[source][ip]"
       ecs_compatibility => "v8" # default
       tag_on_failure => ["Location unknown or similar msg"]
    }

The same applies to [destination][ip] for the destination.

If you set ecs_compatibility = disabled then you can look up the srcip or dstip fields directly.

  1. For custom geo data you have to create GeoJSON in ECS v8, which should look like this:

    if ([srcip] =~ /^10\./) {
      mutate {
        add_field => {
          "[src_geoip][city_name]" => "Baltimore"
          "[src_geoip][continent_code]" => "NA"
          "[src_geoip][continent_name]" => "North America"
          "[src_geoip][country_iso_code]" => "US"
          "[src_geoip][country_name]" => "USA"
          "[src_geoip][location][lon]" => -76.6348
          "[src_geoip][location][lat]" => 39.2851
          "[src_geoip][name]" => "Baltimore HQ"
          "[src_geoip][postal_code]" => "667"
          "[src_geoip][region_iso_code]" => "US-MD"
          "[src_geoip][region_name]" => "Maryland"
          "[src_geoip][timezone]" => "America/Detroit"
        }
      }
    }

ECS v1 looks very similar; check which structure your LS version generates.

  2. You must define the mappings and data view. FB uses a dynamic structure:

    "src_geoip": {
      "properties": {
        "region_iso_code": { "ignore_above": 1024, "type": "keyword" },
        "continent_name": { "ignore_above": 1024, "type": "keyword" },
        "city_name": { "ignore_above": 1024, "type": "keyword" },
        "country_iso_code": { "ignore_above": 1024, "type": "keyword" },
        "timezone": { "ignore_above": 1024, "type": "keyword" },
        "country_name": { "ignore_above": 1024, "type": "keyword" },
        "name": { "ignore_above": 1024, "type": "keyword" },
        "continent_code": { "ignore_above": 1024, "type": "keyword" },
        "region_name": { "ignore_above": 1024, "type": "keyword" },
        "location": { "type": "geo_point" },
        "postal_code": { "ignore_above": 1024, "type": "keyword" }
      }
    },

For older versions, which include country_code2, country_code3 etc., you can use the structure:

    "src_geoip": {
      "dynamic": true,
      "properties": {
        "ip": { "type": "ip" },
        "location": { "type": "geo_point" },
        "latitude": { "type": "half_float" },
        "longitude": { "type": "half_float" }
      }
    },
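Putting the two halves of the post together, here is an added filter block (my own example, not code from the original post or from Elastic) that runs public source addresses through geoip in ECS v8 mode and gives RFC 1918 sources static site data, matched with the cidr filter instead of a `/^10\./` regex. It writes to the ECS `[source][geo]` object rather than `src_geoip`; the private ranges, site name and coordinates are assumed values to replace with your own.

```logstash
filter {
  # Fortinet logs carry srcip; copy it into the ECS field geoip expects
  # (skipped when an earlier stage already populated [source][ip]).
  if [srcip] and ![source][ip] {
    mutate { copy => { "srcip" => "[source][ip]" } }
  }

  if [source][ip] {
    # cidr matches real networks; a regex like /^10\./ would also match
    # addresses such as 100.1.2.3 and miss 172.16/12 and 192.168/16.
    cidr {
      address => [ "%{[source][ip]}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
      add_tag => [ "src_private" ]
    }
  }

  if "src_private" in [tags] {
    # Static site data for the private range (assumed values, one per site).
    mutate {
      add_field => {
        "[source][geo][name]"             => "Baltimore HQ"
        "[source][geo][city_name]"        => "Baltimore"
        "[source][geo][region_iso_code]"  => "US-MD"
        "[source][geo][country_iso_code]" => "US"
        "[source][geo][location][lat]"    => "39.2851"
        "[source][geo][location][lon]"    => "-76.6348"
      }
    }
    # add_field stores strings; convert so the geo_point mapping indexes them.
    mutate {
      convert => {
        "[source][geo][location][lat]" => "float"
        "[source][geo][location][lon]" => "float"
      }
    }
  } else if [source][ip] {
    # Public source: database lookup; in ECS v8 mode the target defaults
    # to [source][geo] when the source field is [source][ip].
    geoip {
      source            => "[source][ip]"
      ecs_compatibility => "v8"
      tag_on_failure    => [ "_geoip_lookup_failure" ]
    }
  }
}
```

Events tagged `_geoip_lookup_failure` are the ones worth watching in a dashboard: they are public addresses the database could not place, not private ones.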