Source IP Geoip

Pacous · May 18, 2021, 7:21pm

Hello,

I collect the fortigate events.
I configured the geoip plugin in logstash.
The visualization of sources before configuring the plugin is different after configuring the plugin.
Please find the difference below:

Can you explain to me why the list of ip before configuring the plugin is different from the list linked to Geoip?
Can you explain to me why we have UnitedStates which produces the most events on the fortigate logs and Amsterdam is in fourth position. And on the Geoip_timezone, is Amsterdam which produces the most events and UnitedStates is in fourth position?

Regards,

thomasneirynck · May 19, 2021, 3:07pm

I think the first one seems to be looking at timezones. The second at geographic location.

My hunch is:

in the second screenshot, it shows northamerica.unitedstates on top (it collects traffic from 4 timezones).

But I'm not quite sure how the timezone-data is generated (is that part of the original logs?)

system · June 16, 2021, 3:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GEOIP woes Logstash	7	647	February 21, 2019
Logstash Condiational Filtering Issue with Geo Location Logstash elastic-stack-security	2	193	October 20, 2023
GeoIP LookUp failure Logstash	6	11531	July 6, 2018
How to setup logstash with geoip Logstash	14	3643	February 21, 2017
Elastic Agent Fortinet Module 7 Hours Delay Log Elastic Agent filebeat	15	1126	August 30, 2022

Source IP Geoip

Related topics