Not able to see the geo_point type fields in Kibana

Hi

I am using packetbeats to get the client location, But in kibana i see that all the geo_point type fields are missing.Please find the screenshot below

I did not find any much information in logs also,

Thanks
Ankit Rawat

Can you share your packetbeat version and configuration file?

My packetbeat version is 5.3 and the packetbeat.yml looks like

#################### Packetbeat Configuration Example #########################

This file is an example configuration file highlighting only the most common

options. The packetbeat.full.yml file from the same directory contains all the

supported options with more comments. You can use it as a reference.

You can find the full configuration reference here:

https://www.elastic.co/guide/en/beats/packetbeat/index.html

#============================== Network device ================================

Select the network interface to sniff the data. On Linux, you can use the

"any" keyword to sniff on all connected interfaces.

packetbeat.interfaces.device: any

#================================== Flows =====================================

Set enabled: false or comment out all options to disable flows reporting.

packetbeat.flows:

Set network flow timeout. Flow is killed if no packet is received before being

timed out.

timeout: 30s

Configure reporting period. If set to -1, only killed flows will be reported

period: 10s

#========================== Transaction protocols =============================

packetbeat.protocols.icmp:

Enable ICMPv4 and ICMPv6 monitoring. Default: false

enabled: true

packetbeat.protocols.amqp:

Configure the ports where to listen for AMQP traffic. You can disable

the AMQP protocol by commenting out the list of ports.

ports: [5672]

packetbeat.protocols.cassandra:
#Cassandra port for traffic monitoring.
ports: [9042]

packetbeat.protocols.dns:

Configure the ports where to listen for DNS traffic. You can disable

the DNS protocol by commenting out the list of ports.

ports: [53]

include_authorities controls whether or not the dns.authorities field

(authority resource records) is added to messages.

include_authorities: true

include_additionals controls whether or not the dns.additionals field

(additional resource records) is added to messages.

include_additionals: true

packetbeat.protocols.http:

Configure the ports where to listen for HTTP traffic. You can disable

the HTTP protocol by commenting out the list of ports.

ports: [80, 8080, 8000, 5000, 8002]

packetbeat.protocols.memcache:

Configure the ports where to listen for memcache traffic. You can disable

the Memcache protocol by commenting out the list of ports.

ports: [11211]

packetbeat.protocols.mysql:

Configure the ports where to listen for MySQL traffic. You can disable

the MySQL protocol by commenting out the list of ports.

ports: [3306]

packetbeat.protocols.pgsql:

Configure the ports where to listen for Pgsql traffic. You can disable

the Pgsql protocol by commenting out the list of ports.

ports: [5432]

packetbeat.protocols.redis:

Configure the ports where to listen for Redis traffic. You can disable

the Redis protocol by commenting out the list of ports.

ports: [6379]

packetbeat.protocols.thrift:

Configure the ports where to listen for Thrift-RPC traffic. You can disable

the Thrift-RPC protocol by commenting out the list of ports.

ports: [9090]

packetbeat.protocols.mongodb:

Configure the ports where to listen for MongoDB traffic. You can disable

the MongoDB protocol by commenting out the list of ports.

ports: [27017]

packetbeat.protocols.nfs:

Configure the ports where to listen for NFS traffic. You can disable

the NFS protocol by commenting out the list of ports.

ports: [2049]

#================================ General =====================================

The name of the shipper that publishes the network data. It can be used to group

all the transactions sent by a single shipper in the web interface.

shipper:
name: "my-shipper"
geoip:
paths:["/usr/share/GeoIP/GeoLiteCity.dat"]

The tags of the shipper are included in their own field with each

transaction published.

#tags: ["service-X", "web-tier"]

Optional fields that you can specify to add additional information to the

output.

#fields:

env: staging

#================================ Outputs =====================================

Configure what outputs to use when sending the data collected by the beat.

Multiple outputs may be used.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

hosts: ["192.168.2.171:9200"]
pipeline: geoip-info

Optional protocol and basic auth credentials.

#protocol: "https"
#username: "elastic"
#password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:

The Logstash hosts

#hosts: ["localhost:5044"]

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

Certificate for SSL client authentication

#ssl.certificate: "/etc/pki/client/cert.pem"

Client Certificate Key

#ssl.key: "/etc/pki/client/cert.key"

#================================ Logging =====================================

Sets log level. The default log level is info.

Available log levels are: critical, error, warning, info, debug

#logging.level: debug

At debug level, you can selectively enable logging only for some components.

To enable all selectors use ["*"]. Examples of other selectors are "beat",

"publish", "service".

#logging.selectors: ["*"]

I have used ingest geoIP processor plugin as well as downloaded the database .

Thanks in Advance.

I have used Kibana dev tools to import the below pipeline.
PUT _ingest/pipeline/geoip-info
{
"description": "Add geoip info",
"processors": [
{
"geoip": {
"field": "client_ip",
"target_field": "client_geoip",
"properties": ["location"],
"ignore_failure": true
}
}
]
}

If the traffic is coming from localhost (client_ip: 127.0.0.1), then Packetbeat is not adding any Geoip location information. It might be that this is your case.

I have quickly tested on my laptop, and it works for public IPs:

client_geoip.location	   	{
  "lon": 9,
  "lat": 51
}
client_ip	   	85.xx.xx.xx

Hello

I have installed packetbeats in 2 different servers. I am getting the values for client_ip: but all the IPs are private ip like this ,, 192.168..

Can you please tell me how to get the public ips.
I can see some of the public ip in the dest.ip fields but i am not able to put the dest.ip field in the pipeline geoip-info.

My site is live now but all i am getting is private ips.

Thanks
Ankit Rawat

even i can see it working for the public ip.See the below screenshot.

but i am not getting the public ips in the client_ip field.Please let me know if you need any more information from my side.

Thanks
Ankit Rawat

here is the output from discovery tab.

This explains why you don't get the geoip information, as the client_ip(192.168.208.81) is a private IP, not a public IP. You can get geoip information only for public IPs.

Hi Monica,

Thanks for the quick responce.

Can you please tell me how do i configure packetbeats to give the Public ips.
When i browse the site externally (https://hostname.com) i dont even get the private Ips in the discover tab.
Please help me on how to configure it as my site is live and people are accessing the sites by domain name and over https.

Thanks
Ankit Rawat

You can configure Packetbeat to extract the real IP from an HTTP header. You can configure the header in the real_ip_header, and then the real IP will be exported under the real_ip field. You can use the real_ip instead of client_ip for the geoip information, but for that please don't forget to adjust the Ingest pipeline to use real_ip.

1 Like

Hi Monica

I am really happy to tell you that i am now able to see the location in the tileMap.

I include the line real_ip_header: "X-Forwarded-For" in packetbeat.yml
and i also adjust the ingest pipeline,instead of client_ip i used real_ip.
And waow i am getting the geolocation.

Thanks a lot.Really appreciate the support and help.

Issue resolved

Thanks
Ankit Rawat

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.