2

I am trying to create a geographical map of my data in Kibana 5.01, and it does not work. The fact is that I do not even have the geoip.field that is required in the menu.

I am sending data from IntelMQ, that is processed by logstash to get into elastic search. In the fields received I only have source_ip

What to do?

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227

1 Answers1

3

For passing geographical data to elasticsearch, there is a need to create a logstash filter to process the field referencing the IP address, and creating new field(s) with geographical data.

Based on this article How To Map User Location with GeoIP and ELK?

My new /etc/logstash/conf.d is:

filter {
  geoip {
    source => "source_ip"
    target => "geoip"
    database => "/etc/logstash/GeoLiteCity.dat"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float"]
  }
}

After applying this log, there is a need to restart logstash and double check the logs at /var/log/logstash.

So the end result is:

map

GAD3R
  • 63,407
  • 31
  • 131
  • 192
Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
  • 1
    Is it also possible to use the longitude and latitude of the intelmq-event itself (and use the maxmind-geoip expert)? – sebix Nov 07 '17 at 14:17