Hi everyone,
To start, I'm running Logstash, Elasticsearch and Kibana 6.3.1 and multiple Beats that are all on 6.3.2. I have loaded the various default Beats index templates as outlined in https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-template.html (as well as Auditbeat, Metricbeat, and Winlogbeat). All of my Beats are using the Logstash output:
```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.x.x.x:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
```
The issue I am having is that I cannot get the geoip filter to work with Packetbeat. Here is my .conf file that handles the Beats input:
```
# The # character at the beginning of a line indicates a comment. Use
# comments to describe your configuration.
input {
  beats {
    type => beats
    port => 5044
    ssl  => false
  }
}

filter {
  geoip {
    source => "[dest][ip]"
    target => "[dest][ip_location]"
  }
  geoip {
    source => "[source][ip]"
    target => "[source][ip_location]"
  }
}

output {
  elasticsearch {
    hosts           => ["10.x.x.x:9200", "10.x.x.x:9200", "10.x.x.x:9200"]
    index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    manage_template => false
  }
}
```
I'm pretty sure I'm using the geoip filter wrong, but I'm not sure how. If you need more info please let me know, and thank you for all that you do!
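As an added example (not the poster's pipeline and not from the Elastic docs), the same filter stage rewritten so that each lookup only runs when its source field exists on the event, each lookup carries its own failure tag, and events whose lookups failed are echoed to stdout for inspection before they reach Elasticsearch. The field names `[source][ip]` and `[dest][ip]` are taken from the post; the tag names and the `stdout` diagnostic branch are assumptions for this example.

```logstash
# Added example pipeline; assumes Logstash 6.3.1 and the field names from
# the original post. Tag names and the stdout branch are illustrative.
input {
  beats {
    port => 5044
    ssl  => false
  }
}

filter {
  # Guard each lookup: if [source][ip] is absent on this event type, the
  # filter would otherwise tag a failure that says nothing about why.
  if [source][ip] {
    geoip {
      source         => "[source][ip]"
      target         => "[source][ip_location]"
      # Distinct tag per lookup so a failed source lookup and a failed
      # destination lookup can be told apart in Kibana.
      tag_on_failure => ["_geoip_source_lookup_failure"]
    }
  }
  if [dest][ip] {
    geoip {
      source         => "[dest][ip]"
      target         => "[dest][ip_location]"
      tag_on_failure => ["_geoip_dest_lookup_failure"]
    }
  }
}

output {
  # Diagnostic branch: print events whose lookup failed so the actual
  # field layout and the address that failed can be read off the console.
  # RFC 1918 addresses such as the 10.x.x.x hosts in the post have no
  # GeoIP entry and will land here.
  if "_geoip_source_lookup_failure" in [tags]
     or "_geoip_dest_lookup_failure" in [tags] {
    stdout { codec => rubydebug }
  }
  elasticsearch {
    hosts           => ["10.x.x.x:9200"]
    index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    manage_template => false
  }
}
```

The `location` sub-field the geoip filter writes is only usable on a Kibana map if the index mapping declares it as `geo_point`; the default Beats templates loaded in the post do not define a mapping for a custom `ip_location` target, so that mapping has to be added to the template (or the target changed to a path the template already maps).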