Geohash not working about pfelk HOT 8 CLOSED

@pclever1
You'll need to insert the contents of this file (https://raw.githubusercontent.com/a3ilson/pfelk/master/Dashboard/GeoIP(Template)) into the Kibana console.

(1) Navigate to Kibana>>Dev Tools
(2) Paste the contents of this file into the console (https://raw.githubusercontent.com/a3ilson/pfelk/master/Dashboard/GeoIP(Template))
(3) Press the triangle (play button icon)
(4) Wait a few...and your Geo Fields should be recognized

My YouTube videos are about a year old but will be updating within the new two months.

from pfelk.

@a3ilson
Thank you for that information!
I tried it and it returned "acknowledged" : true but the feature still isn't working.

I refreshed the index pattern and there isn't a field for geo_point
I ran your template with both index_patters : pf-* and pf* to make sure that wasn't an issue and waited 30+ minutes between.

Can you think of anything I could be doing wrong?

from pfelk.

@pclever1
You utilized the tutorial on Github? Everything else is working minus the GeoIP?

from pfelk.

Yes, I followed your tutorial and everything else is working perfectly.
Do you know if there is an error log anywhere for Console?
Also I ran it multiple times, could that pose an issue?

from pfelk.

@pclever1
I would restart your services (I'm assuming you already have). I'll put together another tutorial (video) in a month or so.

from pfelk.

Yeah I just did a full reboot and it's still not working. I will try to stand up a new VM this weekend and try it again.

Also I have been working on making a script to automate this entire install process. When I finish I will send it to you and you can decide if you want merge it or not.

from pfelk.

@a3ilson Update:
I just realized today that my main issue with this was conflicting field types (see more below). Unfortunately I am still unable to create a coordinate map with this data. Firewall entries now show a new field destination.geo.location that has both lat/long in JSON format.

When I try to plot a coordinate map with the field destination.as.location there is nothing that gets displayed on the map. This field is not present in any of my syslog entries.

Is it possible do change destination.as.location to destination.geo.location ??

Conflicting Data Types

If I ran the console script you provided before sending ELK any data this wouldn't have been a problem. I wonder if these conflicts can be set in the configuration files during install:

• destination.as.ip (type: "text" -> "ip")
• destination.geo.ip (type: "text" -> "ip")
• destination.geo.location (type: "object" -> "geo_point")
• source.as.ip (type: "text" -> "ip")
• source.geo.ip (type: "text" -> "ip")
• source.geo.location (type: "object" -> "geo_point")

from pfelk.

Another update,
It took a few hours but now destination.geo.location is an option on the coordinate map!

Steps I used to get GeoIP working:

1. Run script in Dev Tools -> Console
2. Delete data up to current time to resolve field type conflicts (Management -> Elasticsearch -> Index Management) [there may be a better way to do this]
3. Wait a few hours and try creating a Coordinate map

from pfelk.