Logstash problems with fields (Point to Point)

Michael_Dylan_McAloo · June 28, 2021, 10:01am

I have a problem, I have two IPs one source and one destination, for the source IP Logstash automatically creates a field called "geoip.location" that contains the latitude and longitude of the specific IP, but for the destination IP it does not create any field like the "geoip.location" of the source and I do not know how to perform for example a Point to Point in Kibana without a field with the geolocation of the destination IP.

Logstash code:

input {
    file {
        path => "/var/log/snort/alert_fast.txt"
        start_position => "beginning"
    }
}

filter {
  dissect { mapping => { "message" => '%{ts} [%{trash}] [%{fd1}] "%{alert}" [%{fd2}} %{ip_ori}:%{port_ori} %{fd3} %{ip_dest}:%{port_dest}' } }
  geoip { source => "ip_ori" }
  geoip { source => "ip_dest" target => "dest" }
}

output {
    elasticsearch {
        hosts => "http://localhost:9200"
        index => "logstash-snort3a"
    }
    stdout { codec => rubydebug }
}

Badger · June 28, 2021, 4:28pm

The default target for a geoip filter is geoip (assuming ECS compatability is disabled). The default template for an elasticsearch output configures [geoip][location] to be a geo_point. If you want any other fields to be of type geo_point then you must supply your own template.

Michael_Dylan_McAloo · July 1, 2021, 11:23am

But it is a field that can be used as origin and destination for the kibana "Point to Point" map?

system · July 29, 2021, 11:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.