Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

securityonion-elastic: check ingest geoip fields #1725

Closed dougburks closed 4 years ago

dougburks commented 4 years ago

Looks like we might still be getting an extra geoip field from elasticsearch ingest node parsing: region_iso_code.


We do have a region_code field in our template, so if this is the same field, it may just need to be renamed.

https://www.elastic.co/guide/en/logstash/7.x/plugins-filters-geoip.html

dougburks commented 4 years ago

To test, please verify that Elasticsearch ingest node parsing now renames region_iso_code to region_code.
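For reference, this is the kind of ingest pipeline fragment that performs the rename described in this issue. It is an added example, not the pipeline from the Security Onion repository or from this thread, and it assumes the geoip data sits under a `geoip` object (field paths `geoip.region_iso_code` and `geoip.region_code` are assumptions; adjust them to match the template in use). The `rename` processor with `ignore_missing` and the `if` condition are standard Elasticsearch ingest features.

```json
{
  "description": "Added example: normalise the geoip region field name (assumed field paths)",
  "processors": [
    {
      "rename": {
        "field": "geoip.region_iso_code",
        "target_field": "geoip.region_code",
        "ignore_missing": true,
        "if": "ctx.geoip?.region_code == null"
      }
    }
  ]
}
```

The `ignore_missing` flag keeps documents that carry no region data from failing the pipeline, and the `if` condition avoids the error the rename processor raises when the target field already exists. To check the behaviour without indexing anything, post a sample document containing `geoip.region_iso_code` to `_ingest/pipeline/_simulate` with this pipeline body and confirm the returned document has `geoip.region_code` and no `geoip.region_iso_code`.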

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/03/elastic-687-now-available-for-security.html