
I am trying to implement logstash on my openvpn server, but I get the following error:

GeoIP Filter in ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]>

My logstash file looks as follows, which I took from this gist https://gist.github.com/soulsearcher/68fa902298e59dc4d70696862244e778 :

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    # Both patterns are supplied as one array so grok tries them in turn;
    # writing "match" twice in the same block makes the second definition
    # overwrite the first instead of adding to it.
    match => {
      "message" => [
        "%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user1}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)",
        "%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
      ]
    }
    remove_field => ["user1"]
  }

  geoip {
    source => "source_ip"
  }

  if [msg] =~ "PUSH_REPLY" {
    mutate {
      replace => { type => "openvpn_access" }
    }
  }

  if [msg] =~ "AUTH_FAILED" {
    mutate {
      replace => { type => "openvpn_err" }
    }
  }

  date {
    match => ["timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    target => "@timestamp"
  }

  if "_grokparsefailure" in [tags] {
    drop { }
  }
}


output {
  # send to elasticsearch
  elasticsearch {
    cloud_id => "removed"
    cloud_auth => "removed"
    index => "openvpn-%{+YYYY.MM.dd}"
  }
}

I am working with logstash 8.5.1 and elastic 8.5.0. I want to be able to push my logs to elasticsearch to save them for a longer period.

Mathijs

1 Answer

Logstash 8.5 runs by default in ECS compatibility mode. When no target is provided for the geoip plugin and the IP address is at source.ip, the geo data will be placed at source.geo.

Your source for the geoip plugin does not follow the ECS standard, so you have to provide a target yourself.

When you replace

  geoip {
    source => "source_ip"
  }

with

  geoip {
    source => "source_ip"
    target => "source_geo"
  }

the geo data should be placed at source_geo.

See also https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html

FredvN
  • This results in the following message: geoip - ECS expect `target` value `source_geo` in ["client", "destination", "host", "observer", "server", "source"]. Can I ignore this? – Mathijs Nov 23 '22 at 12:45
  • When your data is inserted in your Elasticsearch database you can ignore them. When you don't want the message, add the property ecs_compatibility => "disabled" in your plugin, or add the property pipeline.ecs_compatibility: disabled to your pipeline definition to disable ECS completely – FredvN Nov 23 '22 at 12:58
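An ECS-compliant variant of the filter section, added here as an illustration and not part of the question, the answer or the linked gist: instead of keeping the non-ECS field name and picking a custom target, it renames the grok captures into the ECS `source.*` and `user.*` namespaces. With the address at [source][ip], geoip in ECS mode writes its result to [source][geo] on its own (the behaviour the answer describes), so no target is needed and the "ECS expect `target` value" warning from the comments does not appear. The grok patterns are the question's own; the rename targets ([source][ip], [source][port], [user][name]) are this example's choice of ECS field names, and the `convert` relies on mutate applying `rename` before `convert`, which is its documented operation order.

```conf
filter {
  grok {
    # Both patterns from the question, as one array so each is tried in turn.
    match => {
      "message" => [
        "%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user1}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)",
        "%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
      ]
    }
    remove_field => ["user1"]
  }

  # Move the captures to ECS field names (example choice, not from the question).
  # mutate runs rename before convert, so the port can be converted under its new name.
  mutate {
    rename => {
      "source_ip"   => "[source][ip]"
      "source_port" => "[source][port]"
      "user"        => "[user][name]"
    }
    convert => { "[source][port]" => "integer" }
  }

  # [source][ip] is an ECS "ip" sub-field, so in ECS mode geoip defaults its
  # target to [source][geo]; no target option is required and no warning is logged.
  geoip {
    source => "[source][ip]"
  }

  # The type, date and _grokparsefailure filters from the question follow unchanged.
}
```

Keeping the data in ECS shape has a practical benefit beyond silencing the warning: the Elastic prebuilt dashboards and detection rules key on fields such as source.ip, source.geo and user.name, so failed-authentication events (the openvpn_err type in the question) become searchable with the same queries used for other log sources.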