Hi,
We are shipping some windows logs using winlogbeat to our logstash nodes and then to our elastic cluster. We have successfully installed the geoip plugin on all of our elasticsearch nodes. Here is our logstash configuration for winlogbeat:
1001-inputs-beat.conf:
input {
  beats {
    port => 5044
    id => "beats-input"
    tags => "beats"
  }
}
3001-filter-beats.conf:
filter {
  if "beats" in [tags] {
    mutate {
      remove_field => [ "host" ]
    }
    geoip {
      source => "[event_data][IpAddress]"
      target => "geo_point"
    }
  }
}
9000-output-elastic.conf:
output {
  elasticsearch {
    hosts => ["10.229.1.12:9200", "10.229.1.13:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY-MM-dd}"
    user => logstash_internal
    password => password
  }
}
I then updated our winlogbeat template with the following:
"mappings": {
  "doc": {
    "properties": {
      "geoip" : {
        "dynamic": true,
        "properties" : {
          "ip": { "type": "ip" },
          "location" : { "type" : "geo_point" },
          "latitude" : { "type" : "float" },
          "longitude" : { "type" : "float" }
        }
      }
    }
  }
}
However, no geotags are showing up in our index. We have successfully added geotags to our syslog index but cannot seem to figure out how to add it to our Windows logs... We have also tried following this guide, Monitoring Windows Logons with Winlogbeat | Elastic Blog, but that didn't help us with our problem unfortunately.
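One check worth running on a setup like the one in this post is whether the field the Logstash geoip filter writes to (its `target`, which defaults to `geoip` when omitted) is the same field the index template maps as `geo_point`; if the two names differ, dynamic mapping stores the location as plain floats and no geo field ever appears. The script below is an added example, not code from the post or from Elastic; it embeds the filter block and the mapping fragment above as constructed samples, extracts the geoip target with a small regex, walks the template for `geo_point` fields (both the 6.x layout with a type name such as `doc` and the 7.x layout without one) and reports whether `<target>.location` is mapped.

```python
import re

# Constructed sample: the geoip filter block from the post's 3001-filter-beats.conf.
LOGSTASH_FILTER_CONF = """
filter {
  if "beats" in [tags] {
    mutate {
      remove_field => [ "host" ]
    }
    geoip {
      source => "[event_data][IpAddress]"
      target => "geo_point"
    }
  }
}
"""

# Constructed sample: the mapping fragment from the post (6.x layout, "doc" type).
WINLOGBEAT_TEMPLATE = {
    "mappings": {
        "doc": {
            "properties": {
                "geoip": {
                    "dynamic": True,
                    "properties": {
                        "ip": {"type": "ip"},
                        "location": {"type": "geo_point"},
                        "latitude": {"type": "float"},
                        "longitude": {"type": "float"},
                    },
                }
            }
        }
    }
}


def geoip_target(conf):
    """Return the field the geoip filter writes to.
    The pre-ECS Logstash geoip filter defaults its target to "geoip"."""
    block = re.search(r"geoip\s*\{(.*?)\}", conf, re.S)
    if block is None:
        raise ValueError("no geoip filter block found")
    target = re.search(r'target\s*=>\s*"([^"]+)"', block.group(1))
    return target.group(1) if target else "geoip"


def geo_point_fields(template):
    """Return the dotted paths of every field the template maps as geo_point.
    Handles 6.x templates (properties nested under a type name) and
    7.x+ templates (properties directly under "mappings")."""
    found = set()

    def walk(props, prefix):
        for name, spec in props.items():
            path = f"{prefix}.{name}" if prefix else name
            if spec.get("type") == "geo_point":
                found.add(path)
            if "properties" in spec:
                walk(spec["properties"], path)

    mappings = template["mappings"]
    if "properties" in mappings:
        walk(mappings["properties"], "")
    else:
        for type_mapping in mappings.values():
            walk(type_mapping.get("properties", {}), "")
    return found


def check_geoip_mapping(conf, template):
    """Return (ok, message). ok is True only when <target>.location, the
    lat/lon field the geoip filter populates, is mapped as geo_point."""
    target = geoip_target(conf)
    expected = f"{target}.location"
    mapped = geo_point_fields(template)
    if expected in mapped:
        return True, f"{expected} is mapped as geo_point"
    mapped_list = ", ".join(sorted(mapped)) or "no field"
    return False, (f"geoip filter writes to {expected}, but the template maps "
                   f"geo_point at {mapped_list}; make the filter target and "
                   f"the template property name match")


if __name__ == "__main__":
    ok, message = check_geoip_mapping(LOGSTASH_FILTER_CONF, WINLOGBEAT_TEMPLATE)
    print("OK" if ok else "MISMATCH", "-", message)
```

Run as-is it reports a mismatch for the fragments from the post (target `geo_point` versus mapped `geoip.location`); changing either side so the names agree makes the check pass. The regex parser is deliberately minimal and assumes one geoip block with a double-quoted target, which is enough for a config of this shape.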