102 lines
3.9 KiB
Text
102 lines
3.9 KiB
Text
[[packetbeat-geoip]]
|
|
== Export GeoIP Information
|
|
|
|
You can use Packetbeat along with the
|
|
{plugins}/ingest-geoip.html[ingest geoIP processor plugin] in Elasticsearch
|
|
to export geographic location information about source IPs for incoming HTTP
|
|
requests. Then you can use this info to visualize the location of your
|
|
clients on a map in Kibana.
|
|
|
|
The geoIP processor plugin adds information about the geographical location of
|
|
IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the
|
|
plugin uses a geoIP database that's installed on Elasticsearch, you don't need
|
|
to install a geoIP database on the machines running Beats.
|
|
|
|
NOTE: If your use case involves using Logstash, you can use the
|
|
{logstash-ref}/plugins-filters-geoip.html[GeoIP filter] available in Logstash
|
|
instead of using the ingest plugin. However, using the ingest plugin is the
|
|
simplest approach when you don't require the additional processing power of
|
|
Logstash.
|
|
|
|
[float]
|
|
[[packetbeat-configuring-geoip]]
|
|
=== Configuring the ingest geoIP processor plugin
|
|
|
|
To configure Packetbeat and the ingest geoIP processor plugin:
|
|
|
|
1. {plugins}/ingest-geoip.html[Install the ingest geoIP processor plugin].
|
|
After installing the plugin, remember to restart the node.
|
|
|
|
2. Define an ingest node pipeline that uses a `geoip` processor to add location
|
|
info to the event. For example, you can use the Console in Kibana to create the
|
|
following pipeline:
|
|
+
|
|
--
|
|
[source,json]
|
|
-------------------------------------------------------------------------------
|
|
PUT _ingest/pipeline/geoip-info
|
|
{
|
|
"description": "Add geoip info",
|
|
"processors": [
|
|
{
|
|
"geoip": {
|
|
"field": "client_ip",
|
|
"target_field": "client_geoip",
|
|
"properties": ["location"],
|
|
"ignore_failure": true
|
|
}
|
|
}
|
|
]
|
|
}
|
|
-------------------------------------------------------------------------------
|
|
//CONSOLE
|
|
--
|
|
+
|
|
This pipeline adds a `client_geoip.location` field of type `geo_point` to the
|
|
event. The ID of the pipeline is `geoip-info`. `client_ip` is the output field
|
|
in Packetbeat that contains the IP address of the client. You set
|
|
`ignore_failure` to `true` so that the pipeline will continue processing events
|
|
when it encounters an event that doesn't have a `client_ip` field.
|
|
+
|
|
See
|
|
{plugins}/using-ingest-geoip.html[Using the Geoip Processor in a Pipeline]
|
|
for more options.
|
|
|
|
3. In the Packetbeat config file, configure the Elasticsearch output to use the
|
|
pipeline. Specify the pipeline ID in the `pipeline` option under
|
|
`output.elasticsearch`. For example:
|
|
+
|
|
[source,yaml]
|
|
-------------------------------------------------------------------------------
|
|
output.elasticsearch:
|
|
hosts: ["localhost:9200"]
|
|
pipeline: geoip-info
|
|
-------------------------------------------------------------------------------
|
|
|
|
4. Run Packetbeat, passing in the configuration file that you updated earlier.
|
|
+
|
|
[source,shell]
|
|
-------------------------------------------------------------------------------
|
|
sudo ./packetbeat -e -c packetbeat.yml
|
|
-------------------------------------------------------------------------------
|
|
+
|
|
The event that's sent to Elasticsearch should now include a
|
|
`client_geoip.location` field.
|
|
|
|
[float]
|
|
[[packetbeat-visualizing-location]]
|
|
=== Visualizing the location of your Packetbeat clients
|
|
|
|
To visualize the location of your Packetbeat clients, you can either
|
|
<<load-kibana-dashboards,set up the example Kibana dashboards>> (if
|
|
you haven't already), or create a new {kibana-ref}/tilemap.html[coordinate map]
|
|
in Kibana and use the `client_geoip.location` field as the Geohash.
|
|
|
|
[role="screenshot"]
|
|
image:./images/kibana-update-map.png[Update Packetbeat client location map in Kibana]
|
|
|
|
TIP: If the map in the dashboard reports "no results found", and you don't see
|
|
`client_geoip.location` in the list of available Geohash fields, try refreshing
|
|
the field list in Kibana. On the Management tab, select the `packetbeat-*`
|
|
index pattern, and refresh the field list to pick up any fields that were added
|
|
by the ingest geoIP processor.
|