GeoIP information mapped for wrong IP #183
Comments
This is the part of the logstash config that you refer to, right - https://github.com/StamusNetworks/SELKS/blob/master/staging/etc/logstash/conf.d/logstash.conf#L50 ?
Yes - sorry, I'm not a logstash expert, but AFAIK lines 59-67 will override 50-58. I made a test renaming the field at 62 (and re-creating the index in Kibana) and it seems to work properly, but I think that it should be the default :-)
Aha, ok. Could you please do a pull request towards the git master for review?
I will ASAP :-)
The GeoIP information is extracted from the destination IP only (I think that this is caused by the logstash configuration, which logs the geoip result with the same key for source and destination IPs). In my opinion, this information should be divided into `geoip_src` and `geoip_dest`.

My setup is SELKS with a secondary NIC for passive interception (the NIC is linked to a SPAN/mirror port in the switch).
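The behaviour reported in this issue, sketched as an added example that is not the SELKS `logstash.conf` itself or code from any participant in the thread: two `geoip` filters writing to one target, next to the split into `geoip_src` and `geoip_dest` proposed above. The `src_ip` and `dest_ip` field names are assumed from Suricata's EVE JSON output, and the shared target name `geoip` is an assumption.

```logstash
# Added illustration (not the project's file). Use ONE of the two
# filter blocks below; they are shown together only for comparison.

# --- Before: shared target ---------------------------------------
# Both lookups write to the same "geoip" field. The destination
# lookup runs last and overwrites what the source lookup stored, so
# maps and dashboards show the destination's location only.
filter {
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"        # assumed shared key
    }
  }
  if [dest_ip] {
    geoip {
      source => "dest_ip"
      target => "geoip"        # same key: clobbers the src result
    }
  }
}

# --- After: one target per direction -----------------------------
# Each lookup keeps its own field, so an alert can be attributed to
# the source and the destination location independently.
filter {
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip_src"
    }
  }
  if [dest_ip] {
    geoip {
      source => "dest_ip"
      target => "geoip_dest"
    }
  }
}
```

As noted in the thread, the index in Kibana has to be re-created after renaming the field so that the new names are picked up.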