Hey Elasticsearch Team,
I am trying to use "Maps" to detail Suricata alerts that I am receiving. I use Wazuh to receive the Suricata logs and alert on particular severity levels. However, I am having trouble representing these alerts via the Map. I only have a few options when trying to add a Geo point. The two options are Geolocation.Location and data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation. I have attached them in the image below:
However, I believe Logstash should contain more geo points. Here is the file /etc/logstash/conf.d/01-wazuh.conf where I believe the transformation is done:
I get the entries in my log files:
However, when adding a Geospatial field to the map, I only get the Geolocation.location option and the aws.service.action one.
I am not sure if I need to add some entries to the logstash file I have been configuring or if something else needs to be done.
I greatly appreciate any help that can be provided.
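Kibana Maps only lists fields whose index mapping type is geo_point (or geo_shape), which is why the two options shown are the only ones offered: a geoip lookup in Logstash that writes to a field nobody has mapped as geo_point never appears in that dropdown. The filter below is an added example, not the poster's 01-wazuh.conf, of enriching Suricata alerts so that they land in the GeoLocation field the Map already accepts. It assumes the Wazuh Suricata decoder leaves the source address in `[data][src_ip]`; that field name is an assumption and should be checked against the actual documents in the index.

```logstash
# Added example filter section; not the poster's configuration.
# Assumption: Suricata alerts forwarded by Wazuh carry the source address
# in [data][src_ip]. Verify the field name in your own events first.
filter {
  # Enrich only events that actually carry a Suricata source address.
  if [data][src_ip] {
    geoip {
      source => "[data][src_ip]"
      # Write into the GeoLocation object that Kibana Maps already offers
      # as a geo point, so the enriched alerts reuse an existing geo_point
      # mapping instead of needing a new index template entry.
      target => "GeoLocation"
      # Keep the classic layout (GeoLocation.location as a lat/lon object)
      # rather than the ECS source.geo.* layout.
      ecs_compatibility => "disabled"
      fields => ["city_name", "country_name", "region_name", "location"]
      # Private (RFC 1918) sources have no location; do not tag them as
      # failures, they are simply left without GeoLocation.
      tag_on_failure => []
    }
  }
}
```

If a different target such as `[data][src_geo]` is preferred instead, the same enrichment works, but the index template must then declare `data.src_geo.location` with `"type": "geo_point"` before documents are indexed; an existing index will not pick up the new mapping, so a new index (or a reindex) is needed before the field appears in the Maps geospatial-field list.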