In OpenSearch, you can use Logstash to map IP address data to geo_point fields by adding the following to your Logstash filters.
Here's an example Logstash configuration:
```
if [ip] {
  # City database (the default): adds geographical fields, including the
  # lat/lon location, under [source][geo]
  geoip {
    source => "ip"
    target => "[source][geo]"
  }
  # ASN database: adds only the AS number and organisation under [source][as]
  geoip {
    source => "ip"
    target => "[source][as]"
    default_database_type => "ASN"
    fields => [ "AUTONOMOUS_SYSTEM_NUMBER", "AUTONOMOUS_SYSTEM_ORGANIZATION" ]
  }
}
```
In this Logstash configuration:
Replace [ip] with the actual name of the field in your data that contains IP addresses.
The first geoip filter enriches the document with geographical information.
The second geoip filter enriches the document with Autonomous System (AS) information.
Make sure to configure the source and target fields according to your data structure. The fields parameter in the second geoip filter specifies which AS-related fields to include in the output.
After configuring Logstash, your documents will be enriched with geographical and AS information, and you can index them into OpenSearch. Then, in OpenSearch Dashboards, you can create visualizations and dashboards using the mapped geo_point fields.
Remember to adjust the Logstash input and output configurations based on your specific data sources and destination requirements.
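The geoip filter writes the location as a plain lat/lon object; OpenSearch treats it as a geo_point only if the index mapping declares it as one, otherwise dynamic mapping stores two floats and map visualizations cannot use the field. The following is an added pre-flight check, not Logit.io's code, that confirms the Logstash target paths from the filter above line up with an index template; the template, the `logstash-*` index pattern, the ECS-style field names and the sample event are all constructed assumptions.

```python
# Constructed index template for the geoip targets above: [source][geo] and
# [source][as]. Index pattern and the ECS-style field names are assumptions.
INDEX_TEMPLATE = {
    "index_patterns": ["logstash-*"],
    "template": {"mappings": {"properties": {"source": {"properties": {
        "geo": {"properties": {"location": {"type": "geo_point"}}},
        "as": {"properties": {
            "number": {"type": "long"},
            "organization": {"properties": {"name": {"type": "keyword"}}},
        }},
    }}}}},
}

# Constructed event shaped like the output of the two geoip filters;
# 203.0.113.5 is a documentation-range address and the coordinates are made up.
SAMPLE_EVENT = {
    "ip": "203.0.113.5",
    "source": {
        "geo": {"location": {"lat": 51.5, "lon": -0.12}, "country_iso_code": "GB"},
        "as": {"number": 64496, "organization": {"name": "Example AS"}},
    },
}

def _walk(node, path, via=None):
    """Follow a dotted path through nested dicts, stepping through `via`
    (e.g. "properties") before each segment when given; None if missing."""
    for part in path.split("."):
        if via is not None:
            node = node.get(via) if isinstance(node, dict) else None
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def mapped_type(template, path):
    """Field type the index template declares for a dotted path, or None."""
    node = _walk(template["template"]["mappings"], path, via="properties")
    return node.get("type") if isinstance(node, dict) else None

def geo_point_ready(template, event, path="source.geo.location"):
    """True only when the template maps `path` as geo_point AND the event
    carries a lat/lon object there. Without the template, dynamic mapping
    would store lat and lon as plain floats and map panels would not see them."""
    if mapped_type(template, path) != "geo_point":
        return False
    loc = _walk(event, path)
    return isinstance(loc, dict) and {"lat", "lon"} <= set(loc)
```

Apply the template with a PUT to `_index_template/<name>` before the first enriched document is indexed; a mapping cannot be changed on an existing index.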
What's next:
Learn more about ElastAlert rules: if you'd like to learn more about ElastAlert rules from the people who built it, check out their cheat sheet.
Read Logit.io's Introduction to alerting
Learn how to send alerts to Email from your Logit.io stacks.
Learn how to send alerts to PagerDuty from your Logit.io stacks.