Type Geo_Point


(1623664) #1

input {
jdbc {
jdbc_driver_library => "/home/cuckoo/cuckoo/logstash-5.2.2/mariadb-java-client-1.5.9.jar"
jdbc_driver_class => "org.mariadb.jdbc.Driver"
jdbc_connection_string => "jdbc:mariadb://100.1100.100.100:3306/snort"
jdbc_user => "logstash"
jdbc_password => "Password"
schedule => "/3 * * * *"
statement => "SELECT signature,sig_name,timestamp,INET_NTOA(ip_src),sig_priority FROM acid_event WHERE timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 3 minute) and NOW();"
type => "snort_log"
}
}

filter
{
if [type] == "snort_log"
{
grok
{
match => {"message" => "%{COMBINEDAPACHELOG}"}
}
geoip
{
source => "inet_ntoa(ip_src)"
target => "geoip"
database => "/home/cuckoo/cuckoo/data/GeoIP.mmdb"
}
mutate {
add_field => ["[geo][location]","%{[geoip][longitude]}"]
add_field => ["[geo][location]","%{[geoip][latitude]}"]
}
mutate {
convert => ["[geo][location]","float"]
}
}
}

output
{
elasticsearch {
action => "index"
hosts => "127.0.0.1:9200"
index => "snort3"
workers => 1
}
stdout { codec => dots }
}

What am I doing wrong?


(Mark Walkom) #2

It's not clear what you are expecting versus what you are seeing, so it's hard to say.


(1623664) #3

Kibana Map does not contain data of type Geo_Point


(Mark Walkom) #4

Have a read of https://www.elastic.co/blog/geoip-in-the-elastic-stack


(1623664) #5
{"cuckoo_template":{"order":0,"template":"cuckoo-*","settings":{"index":{"codec":"best_compression","mapping":{"coerce":"true"},"number_of_shards":"1","number_of_replicas":"0"}},"mappings":{"irma":{"dynamic_templates":[{"notanalyzed":{"mapping":{"index":"not_analyzed","type":"string","doc_values":"True"},"match_mapping_type":"string","match":"*"}}],"properties":{"timestamp_first_scan":{"format":"epoch_millis","type":"date"},"timestamp_last_scan":{"format":"epoch_millis","type":"date"}}},"call":{"dynamic_templates":[{"not_analyzed":{"mapping":{"ignore_above":32766,"index":"not_analyzed","type":"string"},"match_mapping_type":"string","match":"*"}},{"call_arguments":{"path_match":"arguments.*","mapping":{"ignore_above":32766,"index":"not_analyzed","type":"string"},"match_mapping_type":"long","match":"*"}}],"date_detection":false,"properties":{"report_time":{"format":"epoch_second","type":"date"}}},"cuckoo":{"dynamic_templates":[{"not_analyzed":{"mapping":{"ignore_above":32766,"index":"not_analyzed","type":"string"},"match_mapping_type":"string","match":"*"}},{"signatures":{"path_match":"signatures.marks.call.arguments.*","path_unmatch":"signatures.marks.call.arguments.registers.*","mapping":{"ignore_above":32766,"index":"not_analyzed","type":"string"},"match_mapping_type":"long","match":"*"}}],"date_detection":false,"properties":{"report_time":{"format":"epoch_second","type":"date"},"procmemory":{"include_in_root":"True","type":"nested","properties":{"regions":{"include_in_root":"True","type":"nested"}}}}}},"aliases":{}},"logstash":{"order":0,"version":50001,"template":"logstash-*","settings":{"index":{"refresh_interval":"5s"}},"mappings":{"_default_":{"dynamic_templates":[{"message_field":{"path_match":"message","mapping":{"norms":false,"type":"text"},"match_mapping_type":"string"}},{"string_fields":{"mapping":{"norms":false,"type":"text","fields":{"keyword":{"type":"keyword"}}},"match_mapping_type":"string","match":"*"}}],"_all":{"norms":false,"enabled":true},"properties":{"@timestamp":{"include_in_all":false,"type":"date"},"geoip":{"dynamic":true,"properties":{"ip":{"type":"ip"},"latitude":{"type":"half_float"},"location":{"type":"geo_point"},"longitude":{"type":"half_float"}}},"@version":{"include_in_all":false,"type":"keyword"}}}},"aliases":{}}}

(1623664) #6

No Compatible Fields: The "*" index pattern does not contain any of the following field types: geo_point


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.