Source IP Geoip

Hello,

I collect the FortiGate events.
I configured the GeoIP plugin in Logstash.
The visualization of sources before configuring the plugin is different from the one after configuring the plugin.
Please find the difference below:

Can you explain to me why the list of IPs before configuring the plugin is different from the list linked to GeoIP?
Can you explain to me why UnitedStates produces the most events in the FortiGate logs and Amsterdam is in fourth position, while on Geoip_timezone it is Amsterdam that produces the most events and UnitedStates is in fourth position?

Regards,

I think the first one seems to be looking at timezones. The second at geographic location.

My hunch is:

In the second screenshot, it shows northamerica.unitedstates on top (it collects traffic from 4 timezones).

But I'm not quite sure how the timezone data is generated (is that part of the original logs?).
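Added example (not part of the thread, and not Logstash or FortiGate code): a small Python script that reproduces both effects with constructed events. The GeoIP answers come from a hand-made table instead of a MaxMind database, the field names `geoip.country_name` and `geoip.timezone` are assumed to be the default (non-ECS) target of the Logstash geoip filter, and `_geoip_lookup_failure` is the tag that filter adds by default when a lookup fails. Events from RFC 1918 source addresses get no GeoIP record, so they appear in a chart built on `srcip` but vanish from any chart built on `geoip.*`; and one country that spans several timezones is split into several timezone buckets, so it can lead the country ranking and still trail a single-timezone city in the timezone ranking.

```python
"""Constructed demo: a terms aggregation on geoip.country_name ranks sources
differently from one on geoip.timezone, and the source-IP list shrinks once a
chart is built on geoip.* fields. Example code only; the GeoIP table below is
invented, not MaxMind data."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Stand-in for the GeoIP city database: network -> (country_name, timezone).
# The US is deliberately spread over four timezones.
FAKE_GEODB = {
    ip_network("203.0.113.0/26"):   ("United States", "America/New_York"),
    ip_network("203.0.113.64/26"):  ("United States", "America/Chicago"),
    ip_network("203.0.113.128/26"): ("United States", "America/Denver"),
    ip_network("203.0.113.192/26"): ("United States", "America/Los_Angeles"),
    ip_network("198.51.100.0/24"):  ("Netherlands", "Europe/Amsterdam"),
    ip_network("192.0.2.0/24"):     ("Germany", "Europe/Berlin"),
}

# RFC 1918 ranges, checked explicitly: ipaddress.is_private is not used because
# it also flags the documentation ranges (203.0.113.0/24 etc.) used above.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed FortiGate-style events, one source IP per event.
RAW_EVENTS = [{"srcip": ip} for ip in [
    "203.0.113.1", "203.0.113.2", "203.0.113.3",              # US / New_York
    "203.0.113.70", "203.0.113.71",                           # US / Chicago
    "203.0.113.130",                                          # US / Denver
    "203.0.113.200", "203.0.113.201",                         # US / Los_Angeles
    "198.51.100.5", "198.51.100.5", "198.51.100.6",
    "198.51.100.7", "198.51.100.8", "198.51.100.9",           # NL / Amsterdam
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",   # DE / Berlin
    "10.0.0.5", "10.0.0.6", "192.168.1.7",                    # RFC 1918: no record
]]


def geoip_lookup(ip_str):
    """Return (country_name, timezone) or None when there is no record.
    Private addresses never resolve, just as with a real GeoIP database."""
    ip = ip_address(ip_str)
    if any(ip in net for net in RFC1918):
        return None
    for net, record in FAKE_GEODB.items():
        if ip in net:
            return record
    return None


def enrich(events):
    """Mimic the Logstash geoip filter: add geoip.* on success, otherwise tag
    the event with _geoip_lookup_failure (the filter's default tag_on_failure)."""
    out = []
    for ev in events:
        ev = dict(ev)
        rec = geoip_lookup(ev["srcip"])
        if rec is None:
            ev.setdefault("tags", []).append("_geoip_lookup_failure")
        else:
            ev["geoip"] = {"country_name": rec[0], "timezone": rec[1]}
        out.append(ev)
    return out


def terms_agg(events, path):
    """Terms aggregation on a dotted field path, most frequent first.
    Events that lack the field are silently left out, as in Kibana."""
    counts = Counter()
    for ev in events:
        value = ev
        for key in path.split("."):
            value = value.get(key) if isinstance(value, dict) else None
            if value is None:
                break
        if value is not None:
            counts[value] += 1
    return counts.most_common()


def missing_sources(events):
    """Source IPs that show up in a srcip chart but in no geoip.* chart."""
    return sorted({ev["srcip"] for ev in events if "geoip" not in ev})


if __name__ == "__main__":
    enriched = enrich(RAW_EVENTS)
    print("by srcip (distinct):  ", len(terms_agg(enriched, "srcip")))
    print("by geoip.country_name:", terms_agg(enriched, "geoip.country_name"))
    print("by geoip.timezone:    ", terms_agg(enriched, "geoip.timezone"))
    print("srcip without geoip:  ", missing_sources(enriched))
```

Running it shows "United States" first by country (8 events) but only third at best by timezone, because its 8 events are split into four buckets, while Europe/Amsterdam keeps all 6 Dutch events in one bucket; the three RFC 1918 sources are counted under `srcip` but carry only the failure tag, so they never reach a GeoIP chart. A filter on `NOT tags:_geoip_lookup_failure` in Kibana makes the two views comparable.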
