I'm using Logstash 7.6.0 with Elasticsearch and Kibana, and I found that a couple of things need to change for geoip-enriched events to show up in the SIEM UI: the fields have to carry ECS names (`source.ip`, `source.geo.country_iso_code`) and `source.geo.location` has to be mapped explicitly as a `geo_point`.
The Logstash config sample:
# Test input: emits a single synthetic event so the pipeline can be
# exercised end to end without a real log source. The public address in
# the message is the one the geoip filter will enrich.
input {
  generator {
    # `lines` with count => 1 emits each line exactly once, i.e. the same
    # single event as `message => "..."`, just spelled as a list.
    lines => ["See 83.202.178.93 in SIEM UI"]
    count => 1
  }
}
# Enrichment and ECS normalisation. Logstash concatenates all filter
# sections in file order, so one section holding the plugins in the same
# order behaves exactly like the two separate sections it replaces.
filter {
  # Pull the IP out of the free-text message into a temporary field.
  dissect {
    mapping => {
      "message" => "See %{devicehostip} in SIEM UI"
    }
  }

  # GeoIP lookup written directly under source.geo (the ECS location)
  # using the City database. On a failed lookup (e.g. a private address)
  # the renames below should simply find nothing to move.
  geoip {
    source => "devicehostip"
    target => "[source][geo]"
    default_database_type => "City"
  }

  # Rename into the ECS-style field names the SIEM UI understands:
  #  - the plain-string `host` is moved aside, presumably to keep it from
  #    colliding with the ECS `host` object
  #  - the looked-up address becomes source.ip (mapped as type ip)
  #  - country_code2 -> country_iso_code (the ECS name)
  mutate {
    rename => {
      "host"                         => "[logstash][host]"
      "devicehostip"                 => "[source][ip]"
      "[source][geo][country_code2]" => "[source][geo][country_iso_code]"
    }
  }
}
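output {
  elasticsearch {
    # https:// hosts give a TLS connection; do not disable certificate
    # verification to "fix" connection errors, fix the trust store instead.
    hosts => ["https://aaa.europe-west1.gcp.cloud.es.io:9243"]
    index => "geoip-siem-%{+YYYY.MM.dd}"
    # Credentials are resolved from the Logstash keystore (or the
    # environment) at startup, never hard-coded in the pipeline file:
    #   bin/logstash-keystore add ES_USER
    #   bin/logstash-keystore add ES_PASSWORD
    # Point them at a dedicated user whose role is limited to what this
    # output needs (write/create on geoip-siem-* plus index-template
    # management, because manage_template is on) rather than the built-in
    # elastic superuser.
    user => "${ES_USER}"
    password => "${ES_PASSWORD}"
    manage_template => true
    template => "C:\Users\maury\Documents\tech\logstash-7.6.0\config\test-geoip-siem-template.json"
    template_name => "geoip-siem-template"
    template_overwrite => true
  }
  # Debug aid only: prints every event in full to the console. Remove it
  # once the mapping is confirmed in Kibana.
  stdout {
    codec => rubydebug
  }
}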
and the Elasticsearch index template (legacy `_template` format, which is what the `template` option of the 7.6 output plugin installs; note that `source.geo.location` is declared as `geo_point` and `source.ip` as `ip` so the SIEM map and IP filters work):
{
"index_patterns" : "geoip-siem*",
"settings" : {
"number_of_shards" : "1",
"number_of_replicas" : "0",
"index.refresh_interval" : "5s"
},
"mappings" : {
"properties" : {
"@timestamp" : { "type" : "date" },
"@version" : { "type" : "keyword" },
"source": {
"properties": {
"geo": {
"properties": {
"location": {
"type": "geo_point"
},
"country_iso_code": {
"type": "keyword"
}
}
},
"ip": { "type" : "ip" }
}
}
}
}
}