Palo Alto Networks - Logstash > Elastic > Kibana

thunt · June 6, 2023, 8:38pm

Hello Everyone - Hoping I have a simple solution.

Testing out Elastic Stack with Palo Alto syslogs, and running into issues with GeoIP's and combining the lon/lat to use Maps in Kibana. Not sure what else needs to be done in order to get this to work. It's been a few months and I've moved away from it, but now I'm trying to fix it again and it's driving me crazy.

input {
        syslog {
                host => "0.0.0.0"
                port => 5144
                tags => ["PANOS-SYSLOG"]
        }
}

filter {
        if "PANOS-SYSLOG" in [tags] {
           if ([message] =~ /TRAFFIC/) {
        csv {
                separator => ","
                columns => [ "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Threat Content Type", "FUTURE_USE", "Generated Time", "SourceIP",
                "DestinationIP", "NAT Source IP", "NAT Destination IP", "Rule Name", "Source User", "Destination User", "Application", "VSYS",
                "Source Zone", "Destination Zone", "Inbound Interface", "Outbound Interface", "Log Action", "FUTURE_USE", "Session ID", "Repeat Count", "Source Port",
                "Destination Port", "NAT Source Port", "NAT Destination Port", "Flags", "Protocol", "Action", "Bytes", "Bytes Sent", "Bytes Received", "Packets", "Start Time",
                "Elapsed Time", "Category", "FUTURE_USE", "Sequence Number", "Action Flags", "Source Country", "Destination Country", "FUTURE_USE", "Packets Sent",
                "Packets Received", "Session End Reason", "Device Group Hierarchy Level 1", "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3",
                "Device Group Hierarchy Level 4", "VSYS Name", "Device Name", "Action Source", "Source VM UUID", "Destinatin VM UUID", "Tunnel ID IMSI", "Monitor Tag IMEI",
                "Parent Session ID", "Parent Start Time", "Tunnel Type", "SCTP Association ID", "SCTP Chunks", "SCTP Chunks Sent", "SCTP Chunks Received", "Rule UUID", "HTTP2 Connection",
                "App Flap Count", "Policy ID", "Link Switches", "SDWAN Cluster", "SDWAN Device Type", "SDWAN Cluster Type", "SDWAN Site", "Dynamic User Group Name", "XFF Address",
                "Source Device Category", "Source Device Profile", "Source Device Model", "Source Device Vendor", "Source Device OS Family", "Source Device OS Version",
                "Source Hostname", "Source Mac Address", "Destination Device Category", "Destination Device Profile", "Destination Device Model", "Destination Device Vendor",
                "Destination Device OS Family", "Destination Device OS Version", "Destination Hostname", "Destination Mac Address", "Container ID", "POD Namespace",
                "POD Name", "Source External Dynamic List", "Destination External Dynamic List", "Host ID", "Serial Number", "Source Dynamic Address Group",
                "Destination Dynamic Address Group", "Session Owner", "Timestamp", "A Slice Service Type", "A Slice Differentiator", "Application Subcategory",
                "Application Category", "Application Technology", "Application Risk", "Application Characteristic", "Application Container", "Tunneled Application",
                "Application SaaS", "Application Sanctioned State", "Offloaded", "Flow Type", "Cluster Name" ]
        }
        mutate {
                convert => [ "Bytes", "integer" ]
                convert => [ "Bytes Received", "integer" ]
                convert => [ "Bytes Sent", "integer" ]
                convert => [ "Elapsed Time", "integer" ]
                convert => [ "geoip.area_code", "integer" ]
                convert => [ "geoip.dma_code", "integer" ]
                convert => [ "geoip.latitude", "float" ]
                convert => [ "geoip.longitude", "float" ]
                convert => [ "NAT Destination Port", "integer" ]
                convert => [ "NAT Source Port", "integer" ]
                convert => [ "Packets", "integer" ]
                convert => [ "Packets Received", "integer" ]
                convert => [ "Packets Sent", "integer" ]
                convert => [ "Sequence Number", "integer" ]
                convert => [ "Application SaaS", "boolean" ]
                convert => [ "Application Sanctioned State", "boolean" ]
                add_tag => [ "PANOS-TRAFFIC" ]
        }
          }
        if [SourceIP] and [SourceIP] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
                geoip {
                        source => "SourceIP"
                        target => "SourceIPGeo"
                }
                if ([SourceIPGeo.location] and [SourceIPGeo.location] =~ "0,0") {
                        mutate {
                                replace => [ "SourceIPGeo.location", "" ]
                        }
                }
        }
        if [DestinationIP] and [DestinationIP] !~ "(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)|(^169\.254\.)" {
                geoip {
                        source => "DestinationIP"
                        target => "DestinationIPGeo"
                }
                if ([DestinationIPGeo.location] and [DestinationIPGeo.location] =~ "0,0") {
                        mutate {
                                replace => [ "DestinationIPGeo.location", "" ]
                        }
                }
        }
        if [SourceIP] and [DestinationIP] {
                fingerprint {
                concatenate_sources => true
                method => "SHA1"
                key => "logstash"
                source => [ "SourceIP", "Source Port", "DestinationIP", "Destination Port", "Protocol" ]
                }
        }
    }
}

output {
        if "PANOS-TRAFFIC" in [tags] {
                elasticsearch {
                hosts => ["https://ElasticIPAddress:9200"]
                index => "firewall-traffic-%{+YYYY.MM.dd}"
                user => "username-for-elastic"
                password => "password-for-elastic"
                ssl => true
                cacert => "cert-path"
                }
        }
}

leandrojmp · June 6, 2023, 8:43pm

It is not clear what you want to achieve and what is not working, can you provide more context?

thunt · June 6, 2023, 8:44pm

Thanks for the quick response - End goal - Use the Map functionality w/in Kibana.

Badger · June 6, 2023, 8:46pm

I'd start with a template to tell elasticsearch that that field is a geo_point.

thunt · June 6, 2023, 8:48pm

Sorry - Thought I included in op. And thank you for response - See below (It's evident that I'm not an expert w/ Elastic. So really appreciate the help. And if there's any "dumb" mistakes I made, my bad )

{
  "mappings": {
    "properties": {      "@timestamp": {
        "type": "date"
      },
      "@version": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Action": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Action Flags": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Action Source": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "App Flap Count": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application Category": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application Characteristic": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application Container": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application Risk": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application SaaS": {
        "type": "boolean"
      },
      "Application Sanctioned State": {
        "type": "boolean"
      },
      "Application Subcategory": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Application Technology": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Bytes": {
        "type": "long"
      },
      "Bytes Received": {
        "type": "long"
      },
      "Bytes Sent": {
        "type": "long"
      },
      "Category": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Country": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Device Category": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Device OS Family": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Device OS Version": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Device Profile": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Device Vendor": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Hostname": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Mac Address": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Port": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Destination Zone": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "DestinationIP": { "type" : "ip" },
      "DestinationIPGeo": {
        "properties": {
          "geo": {
            "properties": {
              "city_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "continent_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_iso_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "latitude" : {
                "type" : "half_float"
              },
              "location": { "type" : "geo_point" },
              "longitude" : {
                "type" : "half_float"
              },
              "postal_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "region_iso_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "region_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "timezone": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "ip": { "type" : "ip" },
          "mmdb": {
            "properties": {
              "dma_code": {
                "type": "long"
              }
            }
          }
        }
      },
      "Device Group Hierarchy Level 1": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Device Group Hierarchy Level 2": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Device Group Hierarchy Level 3": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Device Group Hierarchy Level 4": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Device Name": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Elapsed Time": {
        "type": "long"
      },
      "Flags": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Flow Type": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Generated Time": {
        "type": "date",
        "format": "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
      },
      "HTTP2 Connection": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Inbound Interface": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Log Action": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "NAT Destination IP": { "type" : "ip" },
      "NAT Destination Port": {
        "type": "integer"
      },
      "NAT Source IP": { "type" : "ip" },
      "NAT Source Port": {
        "type": "integer"
      },
      "Offloaded": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Outbound Interface": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Packets": {
        "type": "long"
      },
      "Packets Received": {
        "type": "long"
      },
      "Packets Sent": {
        "type": "long"
      },
      "Parent Session ID": {
        "type": "integer"
      },
      "Parent Start Time": {
        "type": "date",
        "format": "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
      },
      "Protocol": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Receive Time": {
        "type": "date",
        "format": "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
      },
      "Repeat Count": {
        "type": "long"
      },
      "Rule Name": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Rule UUID": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "SCTP Association ID": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "SCTP Chunks": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "SCTP Chunks Received": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "SCTP Chunks Sent": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Sequence Number": {
        "type": "long"
      },
      "Session End Reason": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Session ID": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Country": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device Category": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device Model": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device OS Family": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device OS Version": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device Profile": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Device Vendor": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Hostname": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Mac Address": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Port": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source User": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Source Zone": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "SourceIP": { "type" : "ip" },
      "SourceIPGeo" : {
        "properties" : {
          "city_name" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "continent_code" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "country_code2" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "country_code3" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "country_name" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "dma_code" : {
            "type" : "short"
          },
          "ip" : { "type" : "ip" },
          "latitude" : {
            "type" : "half_float"
          },
          "location" : { "type" : "geo_point" },
          "longitude" : {
            "type" : "half_float"
          },
          "postal_code" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "text"
              }
            }
          },
          "region_code" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "region_name" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "timezone" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      },
      "SourceLocation" : {
        "type" : "text",
        "fields" : {
          "keyword" : {
            "type" : "keyword",
            "ignore_above" : 256
          }
        }
      },
      "Start Time": {
        "type": "date",
        "format": "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
      },
      "Threat Content Type": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Timestamp": {
        "type": "date"
      },
      "Tunnel ID IMSI": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Tunnel Type": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Tunneled Application": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "Type": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "VSYS": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "event": {
        "properties": {
          "hash": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "original": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "host": {
        "properties": {
          "hostname": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "ip": { "type" : "ip"},
      "log": {
        "properties": {
          "syslog": {
            "properties": {
              "facility": {
                "properties": {
                  "code": {
                    "type": "long"
                  },
                  "name": {
                    "type": "text",
                    "fields": {
                      "keyword": {
                        "type": "keyword",
                        "ignore_above": 256
                      }
                    }
                  }
                }
              },
              "priority": {
                "type": "long"
              },
              "severity": {
                "properties": {
                  "code": {
                    "type": "long"
                  },
                  "name": {
                    "type": "text",
                    "fields": {
                      "keyword": {
                        "type": "keyword",
                        "ignore_above": 256
                      }
                    }
                  }
                }
              }
            }
          }
        }
      },
      "message": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "service": {
        "properties": {
          "type": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "tags": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
  }
}

leandrojmp · June 6, 2023, 9:03pm

Which version of Logstash are you using? It is 8.X?

The behavior of the geoip filter changed in version 8 and will depend on the ecs_compatibility setting of your pipeline.

Per default the ecs_compatibility uses the value of v8.

For example, in your case you have the following geoip filter.

geoip {
        source => "SourceIP"
        target => "SourceIPGeo"
}

With pipeline.ecs_compatibility set to v8, the geoip will store the geolocation data in a nested field under your target field, so you will have SourceIPGeo.geo.location, and then you need to have a mapping for this field.

But if the pipeline.ecs_compatibility is set to disabled the geolocation data will be stored under the SourceIPGeo, so you will have SourceIPGeo.location.

The first thing is to confirm what is your output field, can you share what field are you getting in Kibana?

thunt · June 6, 2023, 9:07pm

Ahh makes sense - Version 8.8 (I'm running this in lab before I move it to the main env)

And for the Destination, I"m seeing fields below:
DestinationIPGeo.geo.city_name
DestinationIPGeo.geo.continent_code
DestinationIPGeo.geo.country_iso_code
DestinationIPGeo.geo.country_name
DestinationIPGeo.geo.location.lat
..etc

leandrojmp · June 6, 2023, 9:16pm

Yeah, this is correct, but looking at your mapping, it seems that this is mapped correctly already:

"DestinationIPGeo": {
        "properties": {
          "geo": {
            "properties": {
              "city_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "continent_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_iso_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "latitude" : {
                "type" : "half_float"
              },
              "location": { "type" : "geo_point" },
              "longitude" : {
                "type" : "half_float"
              }

The DestinationIPGeo.geo.location field is already a geo_point, so I'm not sure what is the current issue.

Can you share a screenshot of your Kibana Discover showing how the DestinationGeoIP looks like on an expanded document?

To be able to use maps in basically just need those two things, the correct mapped on a template, so the indice will be created with this mapping, and the geo data created by the geoip filter.

Also, no sure what you are trying to do with this:

                if ([SourceIPGeo.location] and [SourceIPGeo.location] =~ "0,0") {
                        mutate {
                                replace => [ "SourceIPGeo.location", "" ]
                        }
                }

But this will not work, first because the field does not exist, seconde because the correct way to access nested fields is using squared brackets, like [TopField][NestedField].

system · July 4, 2023, 9:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Palo alto sent to server via syslog Logstash	1	1040	November 15, 2022
Logstash TCP Zero Window - Palo Alto logs Logstash	4	938	February 22, 2022
Multiple syslog input into logstash Logstash	3	948	November 8, 2022
Panw.panos TCP grok errors Logstash	1	224	February 9, 2024
Elastic Parsing Elasticsearch	2	870	January 6, 2021

Palo Alto Networks - Logstash > Elastic > Kibana

Related Topics