I am having some issues with the logstash geoip plugin that I think stem from a lack of understanding with respect to how the elasticsearch output plugin and index mappings interact. Specifically, I need to ensure that `source.geo.location` and `destination.geo.location` are both recognized as the geo_point datatype, and I'm having a hard time figuring out exactly what is wrong.

How do I properly format `destination.geo.location` so the data will be mapped as geo_point without me having to create a separate index/mapping in elasticsearch? The index I want to use already has a mapping for this field of the correct type, but when I send these events to it a new field is created for `destination.geo.location.lat` and `destination.geo.location.long` instead of the expected behavior of populating the appropriate field with the geo_point data I need. I'm assuming I need a `mutate` filter here to rearrange some fields so they'll be correctly interpreted, but I'm not sure and could use some pointers.
Here is the configuration for the geoip plugin in logstash:

```
....
if "WAN" in [rule.name] {
  geoip {
    source => "source.ip"
    target => "source.geo"
  }
}
if "LAN" in [rule.name] {
  geoip {
    source => "destination.ip"
    target => "destination.geo"
  }
}
```
And here's some example output of the contents of destination.geo:

```
"destination.geo" => {
      "region_name" => "Washington",
      "region_code" => "WA",
        "city_name" => "Seattle",
               "ip" => "76.223.92.165",
    "country_code2" => "US",
        "longitude" => -122.3032,
         "location" => {
        "lon" => -122.3032,
        "lat" => 47.54
    },
         "timezone" => "America/Los_Angeles",
         "dma_code" => 819,
     "country_name" => "United States",
         "latitude" => 47.54,
    "country_code3" => "US",
   "continent_code" => "NA",
      "postal_code" => "98108"
}
```
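As an added example (not part of the original question, and not code from Logstash or Elasticsearch), the script below checks an event document against an index mapping before it is sent, the way a pre-flight test in an ingest pipeline would. It flattens the document the way Elasticsearch expands dotted keys, stops descending at any path the mapping declares as `geo_point`, and verifies that the value there is one of the forms Elasticsearch accepts for a geo_point (a `{lat, lon}` object, a `[lon, lat]` array, or a `"lat,lon"` string; geohash and WKT strings are not checked here). The event, the mapping excerpt, and the variant with `long` instead of `lon` are all constructed for the example; the question's real index mapping is not shown. It also demonstrates the general case: with no `geo_point` mapping at that path, the `lat`/`lon` leaves surface as separate unmapped numeric fields, which is what dynamic mapping would create.

```python
import json

# Constructed sample event, shaped like the geoip output above: a top-level
# key that contains a literal dot, holding a nested "location" object.
SAMPLE_EVENT = {
    "destination.geo": {
        "ip": "76.223.92.165",
        "location": {"lon": -122.3032, "lat": 47.54},
    },
}

# Constructed variant: "long" instead of "lon", which Elasticsearch does not
# accept as a geo_point object key.
BAD_KEY_EVENT = {
    "destination.geo": {"location": {"long": -122.3032, "lat": 47.54}},
}

# Constructed (assumed) excerpt of an index mapping with the field typed correctly.
SAMPLE_MAPPING = {
    "properties": {
        "destination": {
            "properties": {
                "geo": {
                    "properties": {
                        "ip": {"type": "ip"},
                        "location": {"type": "geo_point"},
                    }
                }
            }
        }
    }
}

# A mapping with nothing declared, to show what dynamic mapping would see.
EMPTY_MAPPING = {"properties": {}}


def mapped_type(mapping, path):
    """Walk the mapping's properties tree along a dotted path; return the
    declared type at that path, or None if the path is not mapped."""
    node = mapping
    for part in path.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node.get("type")


def is_geo_point_value(value):
    """True if value is in one of the geo_point forms checked here."""
    num = (int, float)
    if isinstance(value, dict):
        return set(value) == {"lat", "lon"} and all(isinstance(value[k], num) for k in value)
    if isinstance(value, (list, tuple)):
        return len(value) == 2 and all(isinstance(v, num) for v in value)
    if isinstance(value, str):
        parts = value.split(",")
        if len(parts) != 2:
            return False
        try:
            float(parts[0]), float(parts[1])
        except ValueError:
            return False
        return True
    return False


def collect_leaves(doc, mapping, prefix=""):
    """Yield (dotted_path, value). Keys containing dots are expanded into the
    path, as Elasticsearch does; objects are descended unless the mapping
    declares the path as geo_point, in which case the object is the value."""
    for key, value in doc.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and mapped_type(mapping, path) != "geo_point":
            yield from collect_leaves(value, mapping, path)
        else:
            yield path, value


def check_event(event, mapping):
    """Classify every leaf of the event against the mapping."""
    report = {"ok": [], "bad_geo_point": [], "unmapped": []}
    for path, value in collect_leaves(event, mapping):
        declared = mapped_type(mapping, path)
        if declared is None:
            report["unmapped"].append(path)
        elif declared == "geo_point" and not is_geo_point_value(value):
            report["bad_geo_point"].append(path)
        else:
            report["ok"].append(path)
    return report


if __name__ == "__main__":
    print(json.dumps(check_event(SAMPLE_EVENT, SAMPLE_MAPPING), indent=2))
    print(json.dumps(check_event(BAD_KEY_EVENT, SAMPLE_MAPPING), indent=2))
    print(json.dumps(check_event(SAMPLE_EVENT, EMPTY_MAPPING), indent=2))
```

Running it against the sample mapping reports both `destination.geo.ip` and `destination.geo.location` as ok; the `long` variant is flagged under `bad_geo_point`; and against the empty mapping the same event yields `destination.geo.location.lon` and `destination.geo.location.lat` as separate unmapped leaves, which is the shape that shows up when a document lands on an index whose mapping does not declare the field as `geo_point`. The mapping excerpt can be swapped for the real one fetched from the index's `_mapping` endpoint.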