Logstash not sending Packetbeat GeoIP data to Elastic via Logstash

Hi everyone!

Semi-noob and first post :smiley:

Quick disclaimer and background: I am not a programmer, I am an analyst, so I became highly interested in Elastic when I came across it last year. Although I loved it when I started getting familiar with it on version 6, I was a bit discouraged by the mapping and the syntax. I wanted to give it another shot, and after installing Elastic Stack 7.6.1 I noticed that the mapping has a GUI. This makes it much easier for those who are not programmers but want to focus on the analytics.

With that out of the way, my setup is a Windows 2019 server lab. I have Elastic and Logstash running to receive Beats, and they receive information from some endpoints just fine, but now I am trying to enrich Packetbeat data with GeoIP data.

I loaded the dashboards and the index template, which has the right mappings for the geoip fields. However, the data is not being populated. I don't want to use the Packetbeat pipelines, since I would prefer everything to pass through Logstash.

I would like the destination IP data from Packetbeat to be sent to Elastic enriched. I believe that goes in destination.geo.location, so I am doing it with the following configuration in Logstash:

    input {
      beats {
        port => 5044
      }
    }
    filter {
      geoip {
        source => "[destination][ip]"
        target => "[destination][geoip]"
      }
    }
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
        index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
        #user => "elastic"
        #password => "changeme"
      }
      stdout {
        codec => rubydebug
      }
    }

That is all I have done, as far as Logstash is concerned.

Here is a sample of the index template mappings:

Google search has not helped me find this data, so any help will be extremely appreciated. Again, I consider myself a noob and non-programmer, so take it easy on me :smiley:
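An added check, not part of the original post and not Elastic's own code, that shows what goes wrong when the geoip filter's `target` does not line up with the template: the filter writes its coordinates to `<target>.location`, so only a target whose `.location` path is mapped as `geo_point` in the Beats template will feed `destination.geo.location`. The template excerpt below is constructed from the ECS `destination.geo.*` field names; the poster's actual template was not included.

```python
import re
from typing import Dict

# Constructed excerpt of a Beats 7.x (ECS) index template: only the part of
# the "destination" mapping that matters for GeoIP enrichment (an assumption,
# not the poster's template).
TEMPLATE_MAPPING = {
    "properties": {
        "destination": {
            "properties": {
                "ip": {"type": "ip"},
                "geo": {
                    "properties": {
                        "location": {"type": "geo_point"},
                        "country_iso_code": {"type": "keyword"},
                        "city_name": {"type": "keyword"},
                    }
                },
            }
        }
    }
}


def flatten_mapping(mapping: dict, prefix: str = "") -> Dict[str, str]:
    """Turn a nested Elasticsearch mapping into {"a.b.c": "<type>"}."""
    out: Dict[str, str] = {}
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            out.update(flatten_mapping(spec, path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out


def target_to_path(target: str) -> str:
    """Convert Logstash field-reference syntax '[destination][geo]' to 'destination.geo'."""
    parts = re.findall(r"\[([^\]]+)\]", target)
    if not parts:
        raise ValueError(f"not a Logstash field reference: {target!r}")
    return ".".join(parts)


def geoip_location_is_mapped(target: str, mapping: dict = TEMPLATE_MAPPING) -> bool:
    """The geoip filter emits '<target>.location'. Return True only if the template
    maps that exact path as geo_point; anything else gets dynamically mapped and the
    Kibana map layers bound to destination.geo.location stay empty."""
    location_path = target_to_path(target) + ".location"
    return flatten_mapping(mapping).get(location_path) == "geo_point"
```

With the template above, `[destination][geoip]` fails the check while `[destination][geo]` passes it, which is the mismatch to look for when the map visualisations stay empty.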
