Hi,
ELK Setup: 7.0.1.
Ingesting Windows event logs using winlogbeat.
I am tagging my events with the tags "src_public" and "dest_public".
Further, I am using geoip to get Lat/Lon information for these public IPs.
Here is my geo IP config:
    filter {
      if [winlog][event_data][SourceAddress] and "src_public" in [tags] {
        geoip {
          source => "[winlog][event_data][SourceAddress]"
          target => "src_geoip"
        }
      }
      if [winlog][event_data][DestAddress] and "dest_public" in [tags] {
        geoip {
          source => "[winlog][event_data][DestAddress]"
          target => "dest_geoip"
        }
      }
    }
Well, this is working and I am getting desired data to search.
When I try to map these events to a Kibana Map visualization, I see the error below:
No Compatible Fields: The winlogbeat-* index pattern does not contain any of the following field types: geo_point
I understand this is because I am using custom target fields: "src_geoip" and "dest_geoip".
To fix this, I need to update the mapping in my index for these fields so that they have the type geo_point.
However, I could not figure out how to do it.
I did the following already:
    PUT winlogbeat-7.0.1-2019/_mapping
    {
      "properties": {
        "dest_geoip": {
          "dynamic": true,
          "properties": {
            "ip": {
              "type": "ip"
            },
            "latitude": {
              "type": "float"
            },
            "location": {
              "type": "geo_point"
            },
            "longitude": {
              "type": "float"
            }
          }
        }
      }
    }
This field is getting created automatically as logstash sends these events to ES.
So, I deleted this index > created a blank index > put the above mapping with result {ack : true} > restarted logstash to send logs to this event.
But this did not help. I was back to where I started.
I listed my templates and could not figure out which template is getting applied to my index. None of the templates returned by the command below apply to the winlogbeat-* index.
    curl 'localhost:9200/_cat/templates?v&s=name'
name index_patterns order version
.logstash-management [.logstash] 0
.ml-notifications [.ml-notifications] 0 7000199
.watch-history-9 [.watcher-history-9*] 2147483647
.monitoring-es [.monitoring-es-7-] 0 7000199
.watches [.watches] 2147483647
.monitoring-kibana [.monitoring-kibana-7-] 0 7000199
.monitoring-logstash [.monitoring-logstash-7-] 0 7000199
.management-beats [.management-beats] 0 70000
.ml-meta [.ml-meta] 0 7000199
.kibana_task_manager [.kibana_task_manager] 0 7000199
.triggered_watches [.triggered_watches*] 2147483647
.monitoring-alerts-7 [.monitoring-alerts-7] 0 7000199
.ml-state [.ml-state*] 0 7000199
.monitoring-beats [.monitoring-beats-7-] 0 7000199
.ml-anomalies- [.ml-anomalies-] 0 7000199
.ml-config [.ml-config] 0 7000199
logstash [logstash-*] 0 60001
So, I am stuck on how to fix this.