input {
jdbc {
jdbc_driver_library => "/home/cuckoo/cuckoo/logstash-5.2.2/mariadb-java-client-1.5.9.jar"
jdbc_driver_class => "org.mariadb.jdbc.Driver"
jdbc_connection_string => "jdbc:mariadb://100.1100.100.100:3306/snort"
jdbc_user => "logstash"
jdbc_password => "Password"
schedule => "/3 * * * *"
statement => "SELECT signature,sig_name,timestamp,INET_NTOA(ip_src),sig_priority FROM acid_event WHERE timestamp BETWEEN DATE_SUB(NOW(), INTERVAL 3 minute) and NOW();"
type => "snort_log"
}
}
filter
{
if [type] == "snort_log"
{
grok
{
match => {"message" => "%{COMBINEDAPACHELOG}"}
}
geoip
{
source => "inet_ntoa(ip_src)"
target => "geoip"
database => "/home/cuckoo/cuckoo/data/GeoIP.mmdb"
}
mutate {
add_field => ["[geo][location]","%{[geoip][longitude]}"]
add_field => ["[geo][location]","%{[geoip][latitude]}"]
}
mutate {
convert => ["[geo][location]","float"]
}
}
}
output
{
elasticsearch {
action => "index"
hosts => "127.0.0.1:9200"
index => "snort3"
workers => 1
}
stdout { codec => dots }
}
What am I doing wrong?