We're running on Elastic Stack 7.5 and have all of our Beats output being sent to Logstash. Then from Logstash, output is sent to Elasticsearch and Kibana.
Using this flow, we have been unsuccessful in implementing geoIP data so that we can have Kibana plot source and destination IP addresses in its maps (in both "Map" and in SIEM/Network Map). However, when we change a Beats output to Elasticsearch (bypassing Logstash), maps are populating in SIEM/Network Map.
Our goal was to send all Beats output to Logstash and centrally manage it via Logstash. However, we are unable to populate maps via Logstash.
If we add a second Logstash output to the Beat for geoIP, geoIP data is not being populated in geoIP fields:
output.logstash:
  hosts: ["host IP address:5044"]
  pipeline: geoip-info
If we add a separate output in Beats to Elasticsearch (and retain the Logstash output config), dedicated-to processing/populating geoIP data, the Beats service fails to start:
output.elasticsearch:
  hosts: ["host IP address:9200"]
  pipeline: geoip-info
Thank you for your reply. We tried the following config in Logstash, and it appears forwarding to Elasticsearch started failing, although Logstash restarted fine (sorry for the formatting):
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
input {
  beats {
    host => "Some IP Address"
    port => 5044
  }
}
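For comparison, here is a complete Beats -> Logstash -> Elasticsearch pipeline that carries geo enrichment through Logstash. This is an added example, not the poster's configuration: it assumes the Beats events carry ECS `source.ip` / `destination.ip` fields, that `ES_HOST_PLACEHOLDER` stands in for the real Elasticsearch host, and that an ingest pipeline named `geoip-info` already exists on the Elasticsearch side.

```logstash
# Added example (not the poster's config). Assumptions: ECS source.ip /
# destination.ip are present, ES_HOST_PLACEHOLDER is the Elasticsearch host,
# and an ingest pipeline "geoip-info" exists in Elasticsearch.
input {
  beats {
    port => 5044
  }
}

filter {
  # Enrich on the Logstash side. Writing into [source][geo] / [destination][geo]
  # keeps the ECS layout (source.geo.location etc.) that Kibana Maps and the
  # SIEM Network Map read; the listed field names match ECS geo field names.
  if [source][ip] {
    geoip {
      source => "[source][ip]"
      target => "[source][geo]"
      fields => ["location", "country_name", "city_name", "region_name"]
    }
  }
  if [destination][ip] {
    geoip {
      source => "[destination][ip]"
      target => "[destination][geo]"
      fields => ["location", "country_name", "city_name", "region_name"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://ES_HOST_PLACEHOLDER:9200"]
    # Index per Beat, as Beats do when shipping directly to Elasticsearch,
    # so the Beats index template (with geo_point mappings) still applies.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # Alternative to the filter above: let Elasticsearch run the ingest
    # pipeline. "pipeline" is an option of this Logstash output, not of
    # the Beats output.logstash section. Either the filter or this line
    # is sufficient; both are shown for comparison.
    pipeline => "geoip-info"
  }
}
```

Events that lack `source.ip` or `destination.ip` pass through without geo fields, so the conditionals avoid geoip failures on non-network events.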