diff --git a/packetbeat/docs/images/kibana-update-map.png b/packetbeat/docs/images/kibana-update-map.png index 7a7785f14eb..1a71050ee33 100644 Binary files a/packetbeat/docs/images/kibana-update-map.png and b/packetbeat/docs/images/kibana-update-map.png differ diff --git a/packetbeat/docs/packetbeat-geoip.asciidoc b/packetbeat/docs/packetbeat-geoip.asciidoc index 5c108ef86c2..2a83c8db5e3 100644 --- a/packetbeat/docs/packetbeat-geoip.asciidoc +++ b/packetbeat/docs/packetbeat-geoip.asciidoc 
@@ -2,22 +2,18 @@ == Export GeoIP Information You can use Packetbeat along with the -{plugindoc}/ingest-geoip.html[ingest geoIP processor plugin] in Elasticsearch +{plugins}/ingest-geoip.html[ingest geoIP processor plugin] in Elasticsearch to export geographic location information about source IPs for incoming HTTP requests. Then you can use this info to visualize the location of your clients on a map in Kibana. -Prior to version 5.0, Packetbeat provided a `geoip` configuration option for -exporting geoIP information about the source IPs. Starting with 5.0, the -`geoip` configuration option in Beats is deprecated in favor of using the -ingest geoIP processor plugin. This plugin adds information about the -geographical location of IP addresses, based on data from the Maxmind GeoLite2 -City Database. Because the plugin uses a geoIP database that's installed on -Elasticsearch, you no longer need to install a geoIP database on the -machines running Beats. +The geoIP processor plugin adds information about the geographical location of +IP addresses, based on data from the Maxmind GeoLite2 City Database. Because the +plugin uses a geoIP database that's installed on Elasticsearch, you don't need +to install a geoIP database on the machines running Beats. NOTE: If your use case involves using Logstash, you can use the -{logstashdoc}/plugins-filters-geoip.html[GeoIP filter] available in Logstash +{logstash-ref}/plugins-filters-geoip.html[GeoIP filter] available in Logstash instead of using the ingest plugin. However, using the ingest plugin is the simplest approach when you don't require the additional processing power of Logstash. 
@@ -28,13 +24,14 @@ Logstash. To configure Packetbeat and the ingest geoIP processor plugin: -1. {plugindoc}/ingest-geoip.html[Install the ingest geoIP processor plugin]. +1. {plugins}/ingest-geoip.html[Install the ingest geoIP processor plugin]. After installing the plugin, remember to restart the node. 2. Define an ingest node pipeline that uses a `geoip` processor to add location info to the event. For example, you can use the Console in Kibana to create the following pipeline: + +-- [source,json] ------------------------------------------------------------------------------- PUT _ingest/pipeline/geoip-info @@ -52,6 +49,8 @@ PUT _ingest/pipeline/geoip-info ] } ------------------------------------------------------------------------------- +//CONSOLE +-- + This pipeline adds a `client_geoip.location` field of type `geo_point` to the event. The ID of the pipeline is `geoip-info`. `client_ip` is the output field @@ -60,7 +59,7 @@ in Packetbeat that contains the IP address of the client. You set when it encounters an event that doesn't have a `client_ip` field. + See -{plugindoc}/using-ingest-geoip.html[Using the Geoip Processor in a Pipeline] +{plugins}/using-ingest-geoip.html[Using the Geoip Processor in a Pipeline] for more options. 3. In the Packetbeat config file, configure the Elasticsearch output to use the @@ -78,7 +77,7 @@ output.elasticsearch: + [source,shell] ------------------------------------------------------------------------------- -./packetbeat -e -c packetbeat.yml +sudo ./packetbeat -e -c packetbeat.yml ------------------------------------------------------------------------------- + The event that's sent to Elasticsearch should now include a 
@@ -90,9 +89,10 @@ The event that's sent to Elasticsearch should now include a To visualize the location of your Packetbeat clients, you can either <> (if -you haven't already), or create a new {kibana-ref}/tilemap.html[Tile map] in -Kibana and use the `client_geoip.location` field as the Geohash. +you haven't already), or create a new {kibana-ref}/tilemap.html[coordinate map] +in Kibana and use the `client_geoip.location` field as the Geohash. +[role="screenshot"] image:./images/kibana-update-map.png[Update Packetbeat client location map in Kibana] TIP: If the map in the dashboard reports "no results found", and you don't see
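Review bot: in the first hunk of packetbeat-geoip.asciidoc (@@ -2,22 +2,18 @@), the removed paragraph is what told readers that the `geoip` configuration option in Beats is deprecated starting with 5.0. With it gone, someone upgrading with `geoip` still set in their config gets no pointer from this page to the ingest plugin; consider keeping a one-line note or a link to wherever the deprecation is documented. On the rewritten line, "Maxmind" should be spelled "MaxMind". The same hunk and the ones after it rename `{plugindoc}` to `{plugins}` and `{logstashdoc}` to `{logstash-ref}`; please confirm both new attributes are defined for this book's build so the links resolve.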
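Review bot: in the hunk at @@ -78,7 +77,7 @@, the command becomes `sudo ./packetbeat -e -c packetbeat.yml` with no text saying why elevated privileges are needed. Add a sentence next to the command giving the reason and stating which platforms it applies to, and say what ownership and permissions `packetbeat.yml` should have when Packetbeat is started as root, so readers do not copy the `sudo` without knowing what it grants.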
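Review bot: in the last hunk (@@ -90,9 +89,10 @@), the link text changes to "coordinate map" but the target is still `{kibana-ref}/tilemap.html`. Please check that this target exists in the Kibana docs this book builds against and that its title matches the new link text. The change to kibana-update-map.png is binary and cannot be reviewed from the diff; confirm the new screenshot shows the UI the text now names, since the hunk also marks it with `[role="screenshot"]`.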