
I want to create a tile map in Kibana to show source IPs from countries around the world. When trying to set up a tile map, I get an error saying: "The "logstash-*" index pattern does not contain any of the following field types: geo_point"

I've googled the problem and found this link https://github.com/elastic/logstash/issues/3137; at the end of that page it states this is fixed in 2.x, but I am already on 2.1.

Here are my configs:

1inputs.conf:

   input {
     # Remote syslog from pfSense arrives as plain UDP datagrams on 5140.
     # Events are given type "syslog". Nothing here authenticates the sender;
     # anything that can reach this port can submit events, so the filter
     # stage restricts processing by [host].
     udp {
       type => "syslog"
       port => 5140
     }
   }

5pfsense.conf:

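filter {
    # Replace with your IP. The pattern is anchored so it only matches when
    # [host] is exactly this address; the unanchored original also matched any
    # longer value that merely contained it (e.g. "110.1.15.200").
    if [host] =~ /^10\.1\.15\.200$/ {
        # Split the syslog line into the program name and the rest of the line.
        grok {
           match => [ 'message', '.* %{WORD:program}:%{GREEDYDATA:rest}' ]
        }

        # Everything below is filterlog-specific, so it now lives inside this
        # branch. Previously the mutate/grok chain ran for every program from
        # this host, overwriting the message with the literal text "%{rest2}"
        # (rest2 only exists for filterlog events) and then removing it.
        if [program] == "filterlog" {
            # Grab fields up to IP version. The rest will vary depending on IP version.
            grok {
                match => [ 'rest', '%{INT:rule_number},%{INT:sub_rule_number},,%{INT:tracker_id},%{WORD:interface},%{WORD:reason},%{WORD:action},%{WORD:direction},%{WORD:ip_version},%{GREEDYDATA:rest2}' ]
            }

            mutate {
              replace => [ 'message', '%{rest2}' ]
            }

            if [ip_version] == "4" {
                # IPv4. Grab field up to dest_ip. Rest can vary.
                grok {
                    match => [ 'message', '%{WORD:tos},,%{INT:ttl},%{INT:id},%{INT:offset},%{WORD:flags},%{INT:protocol_id},%{WORD:protocol},%{INT:length},%{IP:src_ip},%{IP:dest_ip},%{GREEDYDATA:rest3}' ]
                }
            }
            else {
                # IPv6. Grab field up to dest_ip. Rest can vary.
                # This else belongs to the ip_version test. In the original it
                # was attached to the protocol_id test below, so the IPv6 grok
                # only ran when that test failed.
                grok {
                    match => [ 'message', '%{WORD:class},%{WORD:flow_label},%{INT:hop_limit},%{WORD:protocol},%{INT:protocol_id},%{INT:length},%{IPV6:src_ip},%{IPV6:dest_ip},%{GREEDYDATA:rest3}' ]
                }
            }

            # %{INT:protocol_id} has no :int suffix, so grok stores it as a
            # string (compare the :int on src_port below). The original `!= 2`
            # compared that string with a number and so most likely never
            # excluded IGMP (protocol number 2).
            if [protocol_id] != "2" {
                # Non-IGMP has more fields.
                grok {
                    match => [ 'rest3', '^%{INT:src_port:int},%{INT:dest_port:int}' ]
                }
            }

            mutate {
                replace => [ 'message', '%{rest3}' ]
                lowercase => [ 'protocol' ]
            }

            if [message] {
                # Non-ICMP has more fields
                grok {
                    match => [ 'message', '^%{INT:src_port:int},%{INT:dest_port:int},%{INT:data_length}' ]
                }
            }

            # Drop the scratch fields; all four removals are given in one list.
            # Stripping _grokparsefailure hides events whose format matched
            # none of the patterns above. If you need to spot unparsed firewall
            # lines, keep the tag (or route tagged events elsewhere) instead.
            mutate {
                remove_field => [ 'message', 'rest', 'rest2', 'rest3' ]
                remove_tag => [ '_grokparsefailure' ]
                add_tag => [ 'packetfilter' ]
            }

            # Enrich the source address. geoip writes its results under
            # [geoip], including [geoip][location]; Elasticsearch only treats
            # that field as geo_point if the index template applied to the
            # logstash-* indices maps it as one. Private addresses (RFC 1918,
            # e.g. 10.x.x.x) are not in the GeoIP database and yield no result.
            geoip {
                add_tag => [ "GeoIP" ]
                source => "src_ip"
            }
        }
    }
}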

Lastly, the 50outputs.conf:

output {
  # Write to daily logstash-* indices on the local Elasticsearch node.
  # template_overwrite lets Logstash replace an existing template of the same
  # name; any geo_point mapping (e.g. for geoip location data) has to come
  # from the template that applies to these indices.
  # NOTE(review): even with a correct mapping, Kibana's cached field list for
  # the index pattern may need a refresh before geo_point fields appear — verify.
  elasticsearch {
    hosts              => localhost
    index              => "logstash-%{+YYYY.MM.dd}"
    template_overwrite => "true"
  }

  # Echo every event to stdout; useful while debugging the filters, noisy
  # (and a copy of every firewall log line) otherwise.
  stdout {
    codec => rubydebug
  }
}
W Khan
