Winlogbeat ingest pipelines missing geoIP

Winlogbeat ingest pipelines Security and Sysmon are missing geoIP. Is it on purpose?
All filebeat ingest pipelines have geoIP enrichment and it seems strange that winlogbeat is missing geoIP.

My guess, it's on purpose. Windows event logs seldom have public IP addresses in them. If they have IP addresses, they are often in an obscure part of the message field.
So for efficiency reasons it would make sense.
On the other hand, what's stopping you from adding an extra geoip ingest pipeline step?

I did, but it seems wrong to me to make a custom solution. When the ingest pipelines are updated I will need to keep this fix in mind. I can make a Pull Request, but before that I need to be sure it makes sense.


That's a valid point. I'm not sure what Elastic version you are using but what if you would switch to the elastic agent, it uses filebeat to fetch windows events. In Elastic Cloud you have pipelines named @custom for exactly that purpose.

This is a valid question and I would recommend creating a feature request on GitHub so the team can take a look and comment.

Concur with this, as when there is a public IP in the event log, mainly Sysmon event ID 3, it makes it easy to compare the process with the owner of the IP to do a quick check. Did this Microsoft exe connect to a MS IP?
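As an added example of the "extra geoip ingest pipeline step" and the `@custom` approach discussed above (not code from the thread or from Elastic), this is a pipeline body that enriches Sysmon event ID 3 network connections. It assumes the ECS field names `event.code`, `destination.ip` and `source.ip` that the Sysmon module populates, and the pipeline name `logs-windows.sysmon_operational@custom` used by the Elastic Agent Windows integration; both are assumptions, not something stated in the thread.

```json
{
  "description": "Added example: GeoIP enrichment for Sysmon event ID 3; intended for PUT _ingest/pipeline/logs-windows.sysmon_operational@custom (name assumed)",
  "processors": [
    {
      "geoip": {
        "description": "Outbound side: only network-connection events (event.code 3) carry destination.ip",
        "if": "ctx.event?.code == '3' && ctx.destination?.ip != null",
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "geoip": {
        "description": "Inbound side: enrich the remote source address for listening processes",
        "if": "ctx.event?.code == '3' && ctx.source?.ip != null",
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true,
        "ignore_failure": true
      }
    },
    {
      "append": {
        "description": "The geoip processor adds no fields for private (RFC 1918) addresses, so the tag marks only connections that actually reached a public IP",
        "if": "ctx.destination?.geo != null || ctx.source?.geo != null",
        "field": "tags",
        "value": ["geoip_enriched"],
        "allow_duplicates": false
      }
    }
  ]
}
```

Filtering on `tags: geoip_enriched` then gives the "did this process talk to a public IP, and whose" check from the post without paying the geoip lookup on every Security or Sysmon event.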
