Logstash problems with fields (Point to Point)

I have a problem: I have two IPs, one source and one destination. For the source IP, Logstash automatically creates a field called "geoip.location" that contains the latitude and longitude of that IP, but for the destination IP it does not create any field like the "geoip.location" of the source, and I do not know how to build, for example, a Point to Point map in Kibana without a field with the geolocation of the destination IP.

Logstash code:

input {
  file {
    path => "/var/log/snort/alert_fast.txt"
    start_position => "beginning"
  }
}

filter {
  # Split the Snort fast-alert line into timestamp, alert text, and source/destination IP:port
  dissect { mapping => { "message" => '%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} %{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}' } }
  # Source IP is enriched into the default target, [geoip] (so [geoip][location])
  geoip { source => "ip_ori" }
  # Destination IP is enriched into [dest], so its coordinates end up in [dest][location]
  geoip { source => "ip_dest" target => "dest" }
}

output {
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "logstash-snort3a"
  }
  stdout { codec => rubydebug }
}

The default target for a geoip filter is geoip (assuming ECS compatibility is disabled). The default template for an elasticsearch output configures [geoip][location] to be a geo_point. If you want any other fields to be of type geo_point then you must supply your own template.
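The custom template the answer refers to can map both [geoip][location] and [dest][location] as geo_point, which is what a Kibana Point to Point map needs for its source and destination fields. This is an added example, not a config from this thread; it is written for the legacy _template API that the elasticsearch output installs on Elasticsearch 7.x (for the composable API on 8.x the body has to be wrapped in a "template" object), and the index pattern "logstash-snort*" is an assumption.

```json
{
  "index_patterns": ["logstash-snort*"],
  "mappings": {
    "properties": {
      "geoip": {
        "properties": {
          "location": { "type": "geo_point" }
        }
      },
      "dest": {
        "properties": {
          "location": { "type": "geo_point" }
        }
      }
    }
  }
}
```

Point the elasticsearch output at the file with template => "/etc/logstash/snort-geo.json", template_name => "snort-geo" and template_overwrite => true (path and name are assumed here). A template only applies to indices created after it is installed, so an already existing logstash-snort3a index has to be recreated or reindexed before dest.location becomes a geo_point.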

But is it a field that can be used as origin and destination for the Kibana "Point to Point" map?
