Hello,
I am trying to get the geoip filter working with my firewall logs.
Logstash config, relevant part:
udp {
tags => "cisco-asa"
type => "cisco-asa"
port => 5047
}
geoip {
source => "dst_ip"
target => "geoip"
#database => "/etc/logstash/GeoLiteCity.dat"
#add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
#add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
else if [type] == "cisco-asa" {
elasticsearch { hosts=> ["http://localhost:9200"]
index => "cisco-asa-%{+YYYY.MM.dd}" #}
stdout { codec => rubydebug }
file { path => "/loggy/cisco-asa.log" }
When I check the cisco-asa index, the geoip fields are created:
geoip.latitude number
geoip.location.lat number
geoip.location.lon number
geoip.longitude number
plus others (geoip.city_name, etc.).
The default Logstash index contains only these four:
geoip.ip ip
geoip.latitude number
geoip.location geo_point
geoip.longitude number
How do I add geoip.location with the geo_point type to the cisco-asa index, since it is missing?
This is what the file output looks like:
{"src_interface":"inside","syslog_severity_code":5,"geoip":{"timezone":"America/Los_Angeles","ip":"XXXXXX","latitude":37.419200000000004,"continent_code":"NA","city_name":"Mountain View","country_name":"United States","country_code2":"US","dma_code":807,"country_code3":"US","region_name":"California","location":{"lon":-122.0574,"lat":37.419200000000004},"postal_code":"94043","region_code":"CA","longitude":-122.0574},"policy_id":"inside_access_in","syslog_facility":"user-level","syslog_facility_code":1,"message":"<164>Sep 21 2017 04:41:47: %ASA-4-106023: Deny tcp src inside:XXXXXXXX/62601 dst outside:XXXXXXX/5228 by access-group "inside_access_in" [0x0, 0x0]\n","type":"cisco-asa","dst_interface":"outside","syslog_severity":"notice","dst_ip":"XXXXXXXXX","tags":["cisco-asa","pre-processed","Firewall","ASA"],"src_ip":"XXXXXXXXX","src_port":"62601","protocol":"tcp","@timestamp":"2017-09-21T02:00:30.957Z","@version":"1","host":"XXXXXXXXXX","dst_port":"5228","action":"Deny","hashcode1":"0x0","hashcode2":"0x0"}