Unable to load geoip in elasticsearch/logstash

Dear All,
I am new to the ELK stack. I am unable to add/load GeoIP details into my Elasticsearch/Logstash. I have installed ELK version 6.7 plus Filebeat and Metricbeat.
I tried using `/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip`,
but it gave an error, and on further digging I learned that in 6.7 such modules are built in and that command is not required.

Below are the details of my config. I want to add geospatial info for all geo-related data, including source and destination IP based location. How should I achieve this? Any help will be appreciated.

elasticsearch.yml on 192.168.1.1:

```yaml
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
cluster.name: ELK-test
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
node.name: Master-1
node.master: true
node.data: false
#---------------- Network -----------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.1.1
http.port: 9200
#discovery.zen.ping.unicast.hosts: ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
```

logstash.yml on 192.168.1.2:

```yaml
# ------------  Node identity ------------
#
# Use a descriptive name for the node:
#
# node.name: test
node.name: cnode-1
# ------------ Data path ------------------
path.data: /var/lib/logstash
```

02-beats-input.conf:

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
```

10-syslog-filter.conf:

```
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    geoip {
      source => "clientip"
    }
  }
}
```

30-elasticsearch-output.conf:

```
output {
  elasticsearch {
    hosts => ["192.168.1.2:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

filebeat.yml on 192.168.1.2:

```yaml
#======== Filebeat inputs ===============

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/secure
    - /var/log/messages
    #- c:\programdata\elasticsearch\logs\*
#============== Kibana =============

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"
  host: "192.168.1.3:5601"
#--------- Elasticsearch output -------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["192.168.1.1:9200"]

  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
  #ilm.enabled: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#------------ Logstash output -------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.1.2:5044"]
  pipeline: geoip-info

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
```

Filebeat modules (system module):

```yaml
- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    #var.convert_timezone: false

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    #var.convert_timezone: false
```

Please format your code, logs or configuration files using the </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Thanks dadoonet for your patience and for correcting me. I have edited it now and hope it looks as per the standard.

Not really.
You modified the content of the file, which now makes it not conform to what config files should look like.

Instead use the markdown format as I said.

For example, instead of:

---------------------------------- Cluster -----------------------------------
Use a descriptive name for your cluster:
cluster.name: ELK-test
node.name: Master-1
node.master: true
node.data: false
network.host: 192.168.1.1
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.1.1", "192.168.1.2", "192.168.1.3"]

Write:

```
# ---------------------------------- Cluster -----------------------------------
# Use a descriptive name for your cluster:
cluster.name: ELK-test
node.name: Master-1
node.master: true
node.data: false
network.host: 192.168.1.1
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.1.1", "192.168.1.2", "192.168.1.3"]
```

Which will then look like:

# ---------------------------------- Cluster -----------------------------------
# Use a descriptive name for your cluster:
cluster.name: ELK-test
node.name: Master-1
node.master: true
node.data: false
network.host: 192.168.1.1
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.1.1", "192.168.1.2", "192.168.1.3"]

Again, have a look at the preview window.

OK, thanks for correcting me again Dadoonet. In the preview window it looks good now. Let me know if it requires any more modifications. This was my first post, and I appreciate you making it simple.

I would appreciate it if someone could help me with what I am missing for GeoIP.

All good now. I made some last edits to make your post even clearer.

Some questions:

This documentation is probably also good to follow: https://www.elastic.co/guide/en/beats/filebeat/6.7/filebeat-modules-quickstart.html

Going further, I would like to create pipelines and transformations etc. using Logstash.
I am able to get the system logs by following the steps from the link you posted.
Currently I am trying to load various types of logs like system, metrics, application and other logs, and am unable to get the GeoIP stuff working.
Problems:

  1. I am not able to see or enable GeoIP details which can help me build visualizations
  2. Though the logs are coming in, I am only able to see a couple of servers in Discover under the specific index in the left-hand side panel, i.e. "host.name". I do not know why, and I tried changing the time range etc...

The question is "what for"?
I mean that you can reinvent the wheel, but if everything is already available by default, why would you want to do that manually?

> Currently I am trying to load various types of logs like system, metrics, application and other logs, and am unable to get the GeoIP stuff working.

The Kibana home page helps you do that. Every step is described, although there is "one bug": it tells you that you have to install ingest-geoip and ingest-useragent, which you don't have to anymore.

> I am not able to see or enable GeoIP details which can help me build visualizations

Ok. So what is a typical document in elasticsearch? Could you share one please?

Actually I think there will be multiple application logs which may not suit the format, values, length etc., in which case I guess we may have to write separate regexes. Kindly correct me.

Yes, you are right. I followed it as well as "https://www.elastic.co/guide/en/beats/filebeat/6.7/filebeat-module-system.html". I am able to get the /var/log/messages file but not the other log files.
I did try that a couple or more times but was unable to achieve the things below, where I need help to resolve the issue.

  1. /var/log/secure --> not able to see them in Discover, but I am able to get output from the query below in the console:

     ```
     POST /filebeat-*/_search
     {
       "size": 10,
       "query": {
         "match": {
           "source": "/var/log/secure"
         }
       }
     }
     ```

  2. /var/log/audit/audit.log --> not able to see this log in Discover
  3. GeoIP details not visible - followed https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-geoip.html

What is the output of:

```
POST /filebeat-*/_search
{
  "query": {
    "match": {
      "source": "/var/log/secure"
    }
  }
}
```

Below is the output of the above query. I have also pasted the config file details at the end of this post.

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 6,
    "successful" : 6,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 197,
    "max_score" : 8.023746,
    "hits" : [
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "fsdf84jdh8FsER0IGU9_lH",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 203,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T14:43:22.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "program" : "su",
              "message" : "pam_unix(su-l:session): session opened for user pentaho by root(uid=0)",
              "timestamp" : "Apr  2 14:43:22"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "938474",
              "availability_zone" : "_101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "dgffe3w32d",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "163dfdf793kfnsgabV8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "dgJDH8jen33H9_lH",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 304,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T15:44:09.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "program" : "su",
              "message" : "pam_unix(su-l:session): session opened for user root by root(uid=55684)",
              "timestamp" : "Apr  2 15:44:09"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "938474",
              "availability_zone" : "_101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "dgffe3w32d",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "163dfdf793kfnsgabV8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "C1Vw7WkBA7nVrIGU9_p_",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 666,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:11:42.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "2397",
              "program" : "sshd",
              "message" : "Connection closed by 192.168.10.10 port 53853 [preauth]",
              "timestamp" : "Apr  2 16:11:42"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "938474",
              "availability_zone" : "_101",
              "instance_id" : "dgffe3w32d",
              "instance_name" : "examplehost1.example.com",
              "provider" : "openstack"
            }
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "163dfdf793kfnsgabV8b",
            "architecture" : "x86_64"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },

Pasting the continuation of the output in a 2nd response since there is a length limitation.

{
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "GU9_p_",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 970,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:24:52.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "program" : "su",
              "message" : "pam_unix(su-l:session): session opened for user root by pentaho(uid=55684)",
              "timestamp" : "Apr  2 16:24:52"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "_4C16R40",
              "availability_zone" : "101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "ABCDE-0002222036c",
              "provider" : "openstack"
            }
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "fmej376393kggjngwwgj9994a2d9b9fbfd79ce8b",
            "architecture" : "x86_64"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "ABCDEFdfsdf832ldfjjdhGGUGU9_qr",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 2169,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:40:48.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "754",
              "program" : "polkitd",
              "message" : "Registered Authentication Agent for unix-process:8876:471157932 (system bus name :1.3380 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)",
              "timestamp" : "Apr  2 16:40:48"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "_4C16R40",
              "availability_zone" : "101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "ABCDE-0002222036c",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "fmej376393kggjngwwgj9994a2d9b9fbfd79ce8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },

3rd continuation of the output

{
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "JHSKSNDD7765JKH00009_qr",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 2717,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:40:53.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "18642",
              "program" : "sshd",
              "message" : "Received signal 15; terminating.",
              "timestamp" : "Apr  2 16:40:53"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "00t4t4t445dfHIVDK99870",
              "availability_zone" : "_KJDHDUHJD89866101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "AHDJKU8826736c",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "93483894507sdjDDJJKD8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "UFVw7WkBA7nVrIGU9_qr",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 2789,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:40:53.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "8896",
              "program" : "sshd",
              "message" : "Server listening on 0.0.0.0 port 22.",
              "timestamp" : "Apr  2 16:40:53"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "00t4t4t445dfHIVDK99870",
              "availability_zone" : "_KJDHDUHJD89866101",
              "instance_id" : "AHDJKU8826736c",
              "instance_name" : "examplehost1.example.com",
              "provider" : "openstack"
            }
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "93483894507sdjDDJJKD8b",
            "architecture" : "x86_64"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "UVVw7WkBA7nVrIGU9_qr",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 2864,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:40:53.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "8896",
              "program" : "sshd",
              "message" : "Server listening on :: port 22.",
              "timestamp" : "Apr  2 16:40:53"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "00t4t4t445dfHIVDK99870",
              "availability_zone" : "_KJDHDUHJD89866101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "AHDJKU8826736c",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "93483894507sdjDDJJKD8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "KDHDBkfjdndu83736_r3",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 4681,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:41:16.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "8977",
              "program" : "sshd",
              "message" : "Server listening on :: port 22.",
              "timestamp" : "Apr  2 16:41:16"
            }
          },

4th continuation of the output

       "meta" : {
            "cloud" : {
              "machine_type" : "JDHDBDHDB22340",
              "availability_zone" : "--kdfjdn_jdfuHDHD873201",
              "instance_id" : "i-0000036c",
              "instance_name" : "examplehost1.example.com",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "JHDGNRJFN8778367384bfd79ce8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      },
      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "gskmsjJKDNDH725394oZ",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 5157,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T16:41:39.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "pid" : "2427",
              "program" : "sshd",
              "message" : "pam_unix(sshd:session): session closed for user pentaho",
              "timestamp" : "Apr  2 16:41:39"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "JDHDBDHDB22340",
              "availability_zone" : "--kdfjdn_jdfuHDHD873201",
              "instance_id" : "i-0000036c",
              "instance_name" : "examplehost1.example.com",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "JHDGNRJFN8778367384bfd79ce8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      }
    ]
  }
}

This is a freshly installed box.
Filebeat config sending to ES:

```yaml
#=========================== Filebeat inputs =============================
filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/audit/audit.log
    - /var/log/secure
    - /var/log/messages
    #- c:\programdata\elasticsearch\logs\*
#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging
#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.1.1:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.1:9200"]
  pipeline: geoip-info

  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
  #ilm.enabled: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
#================================ Processors =====================================
```

There is no IP address in:

      {
        "_index" : "filebeat-6.7.1-2019.04.05",
        "_type" : "doc",
        "_id" : "fsdf84jdh8FsER0IGU9_lH",
        "_score" : 8.023746,
        "_source" : {
          "offset" : 203,
          "log" : {
            "file" : {
              "path" : "/var/log/secure"
            }
          },
          "prospector" : {
            "type" : "log"
          },
          "source" : "/var/log/secure",
          "fileset" : {
            "module" : "system",
            "name" : "auth"
          },
          "input" : {
            "type" : "log"
          },
          "@timestamp" : "2019-04-02T14:43:22.000Z",
          "system" : {
            "auth" : {
              "hostname" : "examplehost1",
              "program" : "su",
              "message" : "pam_unix(su-l:session): session opened for user pentaho by root(uid=0)",
              "timestamp" : "Apr  2 14:43:22"
            }
          },
          "meta" : {
            "cloud" : {
              "machine_type" : "938474",
              "availability_zone" : "_101",
              "instance_name" : "examplehost1.example.com",
              "instance_id" : "dgffe3w32d",
              "provider" : "openstack"
            }
          },
          "host" : {
            "os" : {
              "codename" : "Core",
              "name" : "CentOS Linux",
              "family" : "redhat",
              "version" : "7 (Core)",
              "platform" : "centos"
            },
            "containerized" : true,
            "name" : "examplehost1",
            "id" : "163dfdf793kfnsgabV8b",
            "architecture" : "x86_64"
          },
          "beat" : {
            "hostname" : "examplehost1",
            "name" : "examplehost1",
            "version" : "6.7.1"
          },
          "event" : {
            "dataset" : "system.auth"
          }
        }
      }

That's probably why GeoIP cannot extract any geo point from an IP.

That is what I get. I am not sure why or where it is going wrong; any pointers?
Secondly, other log messages like the secure and audit logs don't appear in Discover; however, the output of the query returns results for secure but not for audit.

If the source data does not have an IP, how would Filebeat create it?
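As an added example, not code from the thread or from Elastic, the following Python script simulates what a geoip-info style ingest step does to documents shaped like the hits above. It makes the point in the reply concrete and adds the caveat a practitioner hits next: the processor skips a document when the configured field (`source.ip`, `client.ip`, ...) is absent, and even when an address is present, a private range such as the 192.168.10.10 in the posted sshd line has no entry in the GeoIP database, so no geo point is produced. The source/target field list mirrors the filebeat-geoip documentation linked earlier (assumed; verify it against your version); the lookup table, the `extract_ssh_ip` helper that stands in for the system module's own parsing, and the sample documents are constructed for this example.

```python
"""Added example (not from the thread or from Elastic): an offline simulation
of a geoip ingest step, showing why the documents posted above gain no geo
fields. Field names, the lookup table and the log lines are constructed."""
import ipaddress
import re
from copy import deepcopy

# Source/target pairs in the style of the geoip-info pipeline from the
# filebeat-geoip documentation linked in the thread (assumed; verify for your version).
PIPELINE = [
    {"geoip": {"field": src, "target_field": dst, "ignore_missing": True}}
    for src, dst in [("client.ip", "client.geo"), ("source.ip", "source.geo"),
                     ("destination.ip", "destination.geo"),
                     ("server.ip", "server.geo"), ("host.ip", "host.geo")]
]

# Constructed stand-in for the GeoLite2 database. Like the real one it has no
# entries for private or reserved ranges; 203.0.113.0/24 (TEST-NET-3) plays
# the part of a public prefix here.
FAKE_GEO_DB = {ipaddress.ip_network("203.0.113.0/24"): {
    "country_iso_code": "ZZ", "location": {"lat": 12.34, "lon": 56.78}}}

# IPv4 peer address in sshd lines such as "Connection closed by 192.168.10.10 port 53853".
SSH_PEER = re.compile(r"\b(?:from|by)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def get_path(doc, dotted):
    """Resolve a dotted field path such as 'system.auth.message'."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, dotted, value):
    """Set a leaf value, creating intermediate objects as needed."""
    *parents, leaf = dotted.split(".")
    for part in parents:
        doc = doc.setdefault(part, {})
    doc[leaf] = value


def geoip_lookup(ip_text):
    """Geo data for the address, or None when the database has no entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return next((dict(geo) for net, geo in FAKE_GEO_DB.items() if ip in net), None)


def apply_pipeline(doc, pipeline=PIPELINE):
    """Run the geoip processors over a copy of doc; return (doc, reasons)."""
    out, reasons = deepcopy(doc), []
    for proc in pipeline:
        cfg = proc["geoip"]
        value = get_path(out, cfg["field"])
        if value is None:
            if not cfg.get("ignore_missing"):
                raise KeyError(cfg["field"])  # the real processor fails the document here
            reasons.append(f"{cfg['field']}: field missing, skipped")
            continue
        geo = geoip_lookup(value)
        if geo is None:
            try:
                why = "no database entry" if ipaddress.ip_address(value).is_global else "private/reserved range"
            except ValueError:
                why = "not an IP address"
            reasons.append(f"{cfg['field']}={value}: not enriched ({why})")
            continue
        set_path(out, cfg["target_field"], geo)
        reasons.append(f"{cfg['field']}={value}: enriched into {cfg['target_field']}")
    return out, reasons


def extract_ssh_ip(message):
    """Peer address from an sshd line, or None; stands in for the module's own parsing."""
    m = SSH_PEER.search(message)
    return m.group(1) if m else None


def triage(doc):
    """Derive source.ip from the auth message when absent, then run geoip."""
    work = deepcopy(doc)
    if get_path(work, "source.ip") is None:
        ip = extract_ssh_ip(get_path(work, "system.auth.message") or "")
        if ip:
            set_path(work, "source.ip", ip)
    enriched, reasons = apply_pipeline(work)
    return {"source_ip": get_path(enriched, "source.ip"),
            "geo": get_path(enriched, "source.geo"), "reasons": reasons}


# Constructed documents: the first two mirror hits posted in the thread, the
# third is an invented login from the pretend public range.
SAMPLE_DOCS = {
    "su_session": {"system": {"auth": {"message": "pam_unix(su-l:session): session opened for user pentaho by root(uid=0)"}}},
    "ssh_private": {"system": {"auth": {"message": "Connection closed by 192.168.10.10 port 53853 [preauth]"}}},
    "ssh_public": {"system": {"auth": {"message": "Accepted publickey for alice from 203.0.113.5 port 4242 ssh2"}}},
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        result = triage(doc)
        print(f"{name}: source.ip={result['source_ip']} geo={result['geo']}")
        print("   ", "; ".join(result["reasons"]))
```

Run it with `python3` and it prints, per sample document, whether an address was found and whether it resolved: the su line yields nothing because there is no field to look up, the posted sshd line yields an address that the database cannot map, and only the constructed login from the pretend public range gets a geo object. The operational consequence for a map visualization built on these events is that every login from inside the network is silently absent from it, so an empty geo field should be read as "no routable source address", not as "no login".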

Okay, then what changes do you suggest adding to the source data log collection for all sorts of logs? Because I feel /var/log/secure should at least have where the login session was initiated from, etc....

What does a log line look like?