PaloAlto ingest pipeline and geoip lookup

Hi there
We are running Filebeat 7.8.0, and utilising the Palo Alto module to ingest firewalls using ECS. When I go to display the source or destination IP addresses on a map, I get a failure and no data points. According to the Kibana geo mapping information, the MAP processor is looking for a geo-point data type, normally found as "location" in the index. Looking at the data in my index, I can see:

text    destination.geo.continent_name    Oceania
text    destination.geo.country_iso_code  AU
number  destination.geo.location.lat      -33.49
number  destination.geo.location.lon      143.21
text    ecs.version                       1.5.0

which technically matches the geoip definition, as shown by this snippet from the online documentation for 7.8:
  "text": "Geo-point as an object",
  "location": {
    "lat": 41.12,
    "lon": -71.34
  }

However when I go to create a MAP, and it asks me to select an index pattern, it won't even show me the filebeat 7.8.0 index pattern, which according to the documentation is because it does not contain a definition of a geo-point in the index. Filebeat 7.7.0 index pattern defined "location" as a geo-point. 7.8.0 seems to define it as an object.
This has also broken all the built-in MAP displays.

Any ideas?

Ross

@andrewkroh does this ring any bells?

I know replying to yourself is rude, but here is some more info.

I have the filebeat 7.8.0 template loaded, and matched to the incoming index. The template explicitly has (as an example) client.geo defined as:

  "geo": {
    "type": "object",
    "properties": {
      "city_name": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "continent_name": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "country_iso_code": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "country_name": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "location": {
        "type": "geo_point"
      },

When I point the Kibana discover-> map at that index, I get the error message:
Type query_shard_exception

Reason failed to find geo_point field [client.geo.location]

when I look at the settings for that index via the index management screen in Kibana I get:

  "location": {
    "properties": {
      "lat": {
        "type": "float"
      },
      "lon": {
        "type": "float"
      }
    }
  },

It appears that "something" has ignored the geo-point definition and just accepted the lat and lon as floats instead. The geoip lookup inside the pipeline is working, it's just the mapping into the index that appears to be failing. Confused I am.

It's even ruder to answer your own question but here goes...
I fixed the problem by uploading (again) the index template to the elastic server. This was exactly the same template that was uploaded when we upgraded from 7.7.1 to 7.8.0. I then deleted and recreated the index pattern for filebeat referencing the replaced template. I then forced a rollover in the ILM, and when documents started appearing in the new indexes I was able to reference them in Maps with no errors. I then went back and re-indexed all the existing indexes that were causing issues, and then I was able to reference all these indexes with no errors, and create Maps with data in them.
I'm not sure what caused the original problem, and how the data got into the indexes that caused the geoip information to get mistreated, but now all the dashboard maps seem to be working.
Ho hum....
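The symptom in the posts above (template declares `client.geo.location` as `geo_point`, index shows an object of float `lat`/`lon`) is what Elasticsearch dynamic mapping produces when a document arrives before the template is applied to the index: the first `{"lat": ..., "lon": ...}` object is mapped as numeric sub-fields, and a field's type cannot be changed afterwards, which is why the fix required a rollover and a reindex rather than a template reload alone. The following script is an added example, not code from this thread or from Elastic, that audits a mapping for exactly this mismatch. It assumes you have already fetched the `properties` object from `GET <index>/_mapping` and from the Filebeat template (`GET _template/filebeat-7.8.0` on a 7.x cluster) and pass those two dicts in; the sample mappings embedded below are constructed to mirror the excerpts in the thread.

```python
"""Audit an Elasticsearch index mapping for ECS *.geo.location fields that were
dynamically mapped as a lat/lon object instead of geo_point.

Added example; the input dicts are the "properties" objects from
GET <index>/_mapping and the index template (assumption: you fetch them yourself).
"""
from typing import Dict, Iterator, List, Tuple

# Numeric types Elasticsearch may pick when it dynamically maps "lat"/"lon".
NUMERIC_TYPES = {"float", "double", "half_float", "scaled_float", "long", "integer"}


def walk_properties(props: dict, prefix: str = "") -> Iterator[Tuple[str, dict]]:
    """Yield (dotted.path, field definition) for every field in a 'properties' tree."""
    for name, definition in props.items():
        path = f"{prefix}.{name}" if prefix else name
        yield path, definition
        if isinstance(definition.get("properties"), dict):
            yield from walk_properties(definition["properties"], path)


def classify_location(definition: dict) -> str:
    """'geo_point' is what Maps needs; 'dynamic_object' is the float lat/lon object
    seen in the thread; anything else is reported as 'other'."""
    if definition.get("type") == "geo_point":
        return "geo_point"
    sub = definition.get("properties", {})
    if {"lat", "lon"} <= set(sub) and all(
        sub[k].get("type") in NUMERIC_TYPES for k in ("lat", "lon")
    ):
        return "dynamic_object"
    return "other"


def audit_geo_locations(index_props: dict) -> Dict[str, str]:
    """Classify every *.geo.location field present in an index mapping."""
    return {
        path: classify_location(definition)
        for path, definition in walk_properties(index_props)
        if path.endswith(".geo.location")
    }


def template_mismatches(template_props: dict, index_props: dict) -> List[str]:
    """Paths the template declares as geo_point that the index mapped as something
    else. Fields absent from the index are not reported: no document has used them
    yet, so the template will still win when one does."""
    index_types = {p: d.get("type") for p, d in walk_properties(index_props)}
    return sorted(
        path
        for path, definition in walk_properties(template_props)
        if definition.get("type") == "geo_point"
        and path in index_types
        and index_types[path] != "geo_point"
    )


# Constructed sample input, shaped like the template excerpt and the index
# mapping quoted in the thread (not real cluster output).
TEMPLATE_PROPS = {
    "client": {"properties": {"geo": {"type": "object", "properties": {
        "country_iso_code": {"ignore_above": 1024, "type": "keyword"},
        "location": {"type": "geo_point"},
    }}}},
    "source": {"properties": {"geo": {"properties": {
        "location": {"type": "geo_point"},
    }}}},
}
INDEX_PROPS = {
    "client": {"properties": {"geo": {"properties": {
        "country_iso_code": {"ignore_above": 1024, "type": "keyword"},
        "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}},
    }}}},
    "source": {"properties": {"geo": {"properties": {
        "location": {"type": "geo_point"},
    }}}},
}

if __name__ == "__main__":
    for path, status in audit_geo_locations(INDEX_PROPS).items():
        print(f"{path}: {status}")
    bad = template_mismatches(TEMPLATE_PROPS, INDEX_PROPS)
    if bad:
        print("needs rollover + reindex (type cannot be changed in place):", bad)
```

Run it against the real `properties` objects to find every index in the pattern that needs attention; an index reported with `dynamic_object` can only be repaired the way the last post describes (reload the template, roll the write alias over so new indices pick up `geo_point`, then reindex the affected indices into new ones).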
