
Evgeniy Sokolov ELK Cisco-ASA v 1.0.0

Updated by Evgeniy Sokolov

File 04-cisco.conf Added

+# 04-cisco.conf logstash config. Place into /etc/logstash/config.d/
+# ESGuardian: esguardian@outlook.com v 1.0.0
+# index cisco-asa-*
+
+input {
+        udp {
+                port => 10514
+                tags => ["cisco-asa"]
+        }
+}
+
+filter {
+    if "cisco-asa" in [tags] {
+        grok {
+            patterns_dir => ["/etc/logstash/patterns"]
+            match => [
+                    "message", "%{ESGCISCOFWUNKNOWN}"
+            ]
+           
+        }
+        grok {
+            patterns_dir => ["/etc/logstash/patterns"]
+            match => [
+                    "log_msg", "%{ESGCISCOFW106001}",
+                    "log_msg", "%{ESGCISCOFW106006_106007_106010}",
+                    "log_msg", "%{ESGCISCOFW106014}",
+                    "log_msg", "%{ESGCISCOFW106015}",
+                    "log_msg", "%{ESGCISCOFW106021}",
+                    "log_msg", "%{ESGCISCOFW106023}",
+                    "log_msg", "%{ESGCISCOFW106100}",
+                    "log_msg", "%{ESGCISCOFW110002}",
+                    "log_msg", "%{ESGCISCOFW302010}",
+                    "log_msg", "%{ESGCISCOFW302013_302014_302015_302016}",
+                    "log_msg", "%{ESGCISCOFW302020_302021}",
+                    "log_msg", "%{ESGCISCOFW305011}",
+                    "log_msg", "%{ESGCISCOFW313001_313004_313008}",
+                    "log_msg", "%{ESGCISCOFW402117}",
+                    "log_msg", "%{ESGCISCOFW402119}",
+                    "log_msg", "%{ESGCISCOFW419001}",
+                    "log_msg", "%{ESGCISCOFW419002}",
+                    "log_msg", "%{ESGCISCOFW500004}",
+                    "log_msg", "%{ESGCISCOFW602303_602304}",
+                    "log_msg", "%{ESGCISCOFW710001_710002_710003_710005_710006}",
+                    "log_msg", "%{ESGCISCOFW713172}",
+                    "log_msg", "%{ESGCISCOFW722051}",
+                    "log_msg", "%{ESGCISCOFW722037}",
+                    "log_msg", "%{ESGCISCOFW113019}",
+                    "log_msg", "%{ESGCISCOFW733100}"
+            ]
+        
+        
+        }
+        
+
+        # Parse the syslog severity and facility
+        syslog_pri { }
+        geoip {
+          source => "src_ip"
+          target => "geoip"
+          database => "/etc/logstash/GeoLiteCity.dat"          
+        }
+        mutate {
+            remove_field => [ "message" ]
+            gsub => ["event-code","4-106023","Reject"]
+            gsub => ["event-code","4-419002","Duplicate TCP SYN"]
+            gsub => ["event-code","3-710003","Reject"]
+            gsub => ["event-code","2-106001","Reject"]
+            gsub => ["event-code","4-313005","ICMP Reject"]
+            gsub => ["event-code","3-313001","ICMP Reject"]
+            gsub => ["event-code","3-210007","LU allocate xlate failed"]
+            gsub => ["event-code","2-106017","Land Atack"]
+            gsub => ["event-code","4-722051","Remconn address assigned"]
+            gsub => ["event-code","4-113019","Remconn session disconnected"]
+            gsub => ["event-code","4-722037","Remconn closing connection"]
+            gsub => ["event-code","4-722041","Remconn IPv6 not available"]
+            gsub => ["event-code","3-713194","IKE delete"]
+            gsub => ["event-code","4-405001","ARP collision"]
+        }
+
+
+        # Do a DNS lookup for the sending host
+        # Otherwise host field will contain an
+        # IP address instead of a hostname
+#        dns {
+#            reverse => [ "host" ]
+#            action => "replace"
+#          }
+
+    }
+}
+
+output {
+  if "cisco-asa" in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {        
+         hosts => ["127.0.0.1:9200"]
+         index => "cisco-asa-%{+YYYY.MM.dd}"
+         document_type => "cisco-asa"
+         template => "/etc/logstash/elastic-cisco-asa-template.json"
+         template_name => "cisco-asa"
+         template_overwrite => true
+    }
+  }
+}  
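Review bot: The `gsub` chain in the `mutate` block overwrites `event-code` with a free-text label, so `4-106023`, `2-106001` and `3-710003` all become `Reject` and the ASA message ID — the key for correlating against Cisco's syslog message reference and for any detection rule keyed on the ID — is no longer present in the indexed document. Keep `event-code` as captured and write the label into a separate field, as sketched below; note also that six of the mapped IDs (`313005`, `210007`, `106017`, `722041`, `713194`, `405001`) have no entry in the `log_msg` grok list above, so those bodies are never field-extracted. Separately, `syslog_pri { }` reads a `syslog_pri` field that nothing in this pipeline populates (the `udp` input has no syslog codec and `ESGCISCOFWUNKNOWN` does not capture the `<PRI>` prefix), so unless something upstream sets it the filter falls back to its default and every event is stored with the same facility and severity; capturing it in the first grok, e.g. `"message", "<%{POSINT:syslog_pri}>%{GREEDYDATA}%{ESGCISCOFWUNKNOWN}"` listed before the existing pattern, fixes that.
```logstash
        # Keep the ASA message ID untouched; put the readable label in its own field
        if [event-code] in ["4-106023", "2-106001", "3-710003"] {
            mutate { add_field => { "event_name" => "Reject" } }
        }
        # … unchanged: remaining event-code -> event_name conditionals, one per label …
        # Drop the raw line only once a grok stage has actually parsed it
        if "_grokparsefailure" not in [tags] {
            mutate { remove_field => [ "message" ] }
        }
```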

File Cisco-ASA Added

+# Cisco-ASA grok patterns. Place in to /etc/logstash/patterns/
+# ESGuardian: esguardian@outlook.com v 1.0.0
+
+# ASA unknown
+ESGCISCOFWUNKNOWN ASA-%{DATA:event-code}: %{GREEDYDATA:log_msg}
+# ASA-1-104001
+ESGCISCOFW104001 \((?:Primary|Secondary)\) Switching to ACTIVE - %{GREEDYDATA:switch_reason}
+# ASA-1-104002
+ESGCISCOFW104002 \((?:Primary|Secondary)\) Switching to STANDBY - %{GREEDYDATA:switch_reason}
+# ASA-1-104003
+ESGCISCOFW104003 \((?:Primary|Secondary)\) Switching to FAILED\.
+# ASA-1-104004
+ESGCISCOFW104004 \((?:Primary|Secondary)\) Switching to OK\.
+# ASA-1-105003
+ESGCISCOFW105003 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} waiting
+# ASA-1-105004
+ESGCISCOFW105004 \((?:Primary|Secondary)\) Monitoring on [Ii]nterface %{GREEDYDATA:interface_name} normal
+# ASA-1-105005
+ESGCISCOFW105005 \((?:Primary|Secondary)\) Lost Failover communications with mate on [Ii]nterface %{GREEDYDATA:interface_name}
+# ASA-1-105008
+ESGCISCOFW105008 \((?:Primary|Secondary)\) Testing [Ii]nterface %{GREEDYDATA:interface_name}
+# ASA-1-105009
+ESGCISCOFW105009 \((?:Primary|Secondary)\) Testing on [Ii]nterface %{GREEDYDATA:interface_name} (?:Passed|Failed)
+# ASA-2-106001
+ESGCISCOFW106001 %{CISCO_DIRECTION:direction} %{WORD:protocol} connection %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{GREEDYDATA:tcp_flags} on interface %{GREEDYDATA:interface}
+# ASA-2-106006, ASA-2-106007, ASA-2-106010
+ESGCISCOFW106006_106007_106010 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} (?:from|src) %{IP:src_ip}/%{INT:src_port}(\(%{DATA:src_fwuser}\))? (?:to|dst) %{IP:dst_ip}/%{INT:dst_port}(\(%{DATA:dst_fwuser}\))? (?:on interface %{DATA:interface}|due to %{CISCO_REASON:reason})
+# ASA-3-106014
+ESGCISCOFW106014 %{CISCO_ACTION:action} %{CISCO_DIRECTION:direction} %{WORD:protocol} src %{DATA:src_interface}:%{IP:src_ip}(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{IP:dst_ip}(\(%{DATA:dst_fwuser}\))? \(type %{INT:icmp_type}, code %{INT:icmp_code}\)
+# ASA-6-106015
+ESGCISCOFW106015 %{CISCO_ACTION:action} %{WORD:protocol} \(%{DATA:policy_id}\) from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port} flags %{DATA:tcp_flags}  on interface %{GREEDYDATA:interface}
+# ASA-1-106021
+ESGCISCOFW106021 %{CISCO_ACTION:action} %{WORD:protocol} reverse path check from %{IP:src_ip} to %{IP:dst_ip} on interface %{GREEDYDATA:interface}
+# ASA-4-106023
+ESGCISCOFW106023 %{CISCO_ACTION:action}( protocol)? %{WORD:protocol} src %{DATA:src_interface}:%{DATA:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? dst %{DATA:dst_interface}:%{DATA:dst_ip}(/%{INT:dst_port})?(\(%{DATA:dst_fwuser}\))?( \(type %{INT:icmp_type}, code %{INT:icmp_code}\))? by access-group "?%{DATA:policy_id}"? \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+# ASA-4-106100, ASA-4-106102, ASA-4-106103
+ESGCISCOFW106100_2_3 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} for user '%{DATA:src_fwuser}' %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\) -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\) hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+# ASA-5-106100
+ESGCISCOFW106100 access-list %{NOTSPACE:policy_id} %{CISCO_ACTION:action} %{WORD:protocol} %{DATA:src_interface}/%{IP:src_ip}\(%{INT:src_port}\)(\(%{DATA:src_fwuser}\))? -> %{DATA:dst_interface}/%{IP:dst_ip}\(%{INT:dst_port}\)(\(%{DATA:src_fwuser}\))? hit-cnt %{INT:hit_count} %{CISCO_INTERVAL:interval} \[%{DATA:hashcode1}, %{DATA:hashcode2}\]
+# ASA-6-110002
+ESGCISCOFW110002 %{CISCO_REASON:reason} for %{WORD:protocol} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
+# ASA-6-302010
+ESGCISCOFW302010 %{INT:connection_count} in use, %{INT:connection_count_max} most used
+# ASA-6-302013, ASA-6-302014, ASA-6-302015, ASA-6-302016
+ESGCISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?
+# ASA-6-302020, ASA-6-302021
+ESGCISCOFW302020_302021 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection for faddr %{IP:dst_ip}/%{INT:icmp_seq_num}(?:\(%{DATA:fwuser}\))? gaddr %{IP:src_xlated_ip}/%{INT:icmp_code_xlated} laddr %{IP:src_ip}/%{INT:icmp_code}( \(%{DATA:user}\))?
+# ASA-6-305011
+ESGCISCOFW305011 %{CISCO_ACTION:action} %{CISCO_XLATE_TYPE:xlate_type} %{WORD:protocol} translation from %{DATA:src_interface}:%{IP:src_ip}(/%{INT:src_port})?(\(%{DATA:src_fwuser}\))? to %{DATA:src_xlated_interface}:%{IP:src_xlated_ip}/%{DATA:src_xlated_port}
+# ASA-3-313001, ASA-3-313004, ASA-3-313008
+ESGCISCOFW313001_313004_313008 %{CISCO_ACTION:action} %{WORD:protocol} type=%{INT:icmp_type}, code=%{INT:icmp_code} from %{IP:src_ip} on interface %{DATA:interface}( to %{IP:dst_ip})?
+# ASA-4-313005
+ESGCISCOFW313005 %{CISCO_REASON:reason} for %{WORD:protocol} error message: %{WORD:err_protocol} src %{DATA:err_src_interface}:%{IP:err_src_ip}(\(%{DATA:err_src_fwuser}\))? dst %{DATA:err_dst_interface}:%{IP:err_dst_ip}(\(%{DATA:err_dst_fwuser}\))? \(type %{INT:err_icmp_type}, code %{INT:err_icmp_code}\) on %{DATA:interface} interface\.  Original IP payload: %{WORD:protocol} src %{IP:orig_src_ip}/%{INT:orig_src_port}(\(%{DATA:orig_src_fwuser}\))? dst %{IP:orig_dst_ip}/%{INT:orig_dst_port}(\(%{DATA:orig_dst_fwuser}\))?
+# ASA-5-321001
+ESGCISCOFW321001 Resource '%{WORD:resource_name}' limit of %{POSINT:resource_limit} reached for system
+# ASA-4-402117
+ESGCISCOFW402117 %{WORD:protocol}: Received a non-IPSec packet \(protocol= %{WORD:orig_protocol}\) from %{IP:src_ip} to %{IP:dst_ip}
+# ASA-4-402119
+ESGCISCOFW402119 %{WORD:protocol}: Received an %{WORD:orig_protocol} packet \(SPI= %{DATA:spi}, sequence number= %{DATA:seq_num}\) from %{IP:src_ip} \(user= %{DATA:user}\) to %{IP:dst_ip} that failed anti-replay checking
+# ASA-4-419001
+ESGCISCOFW419001 %{CISCO_ACTION:action} %{WORD:protocol} packet from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}, reason: %{GREEDYDATA:reason}
+# ASA-4-419002
+ESGCISCOFW419002 %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port} with different initial sequence number
+# ASA-4-500004
+ESGCISCOFW500004 %{CISCO_REASON:reason} for protocol=%{WORD:protocol}, from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:dst_port}
+# ASA-6-602303, ASA-6-602304
+ESGCISCOFW602303_602304 %{WORD:protocol}: An %{CISCO_DIRECTION:direction} %{GREEDYDATA:tunnel_type} SA \(SPI= %{DATA:spi}\) between %{IP:src_ip} and %{IP:dst_ip} \(user= %{DATA:user}\) has been %{CISCO_ACTION:action}
+# ASA-7-710001, ASA-7-710002, ASA-7-710003, ASA-7-710005, ASA-7-710006
+ESGCISCOFW710001_710002_710003_710005_710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}
+# ASA-6-713172
+ESGCISCOFW713172 Group = %{GREEDYDATA:group}, IP = %{IP:src_ip}, Automatic NAT Detection Status:\s+Remote end\s*%{DATA:is_remote_natted}\s*behind a NAT device\s+This\s+end\s*%{DATA:is_local_natted}\s*behind a NAT device
+# ASA-4-733100
+ESGCISCOFW733100 \[\s*%{DATA:drop_type}\s*\] drop %{DATA:drop_rate_id} exceeded. Current burst rate is %{INT:drop_rate_current_burst} per second, max configured rate is %{INT:drop_rate_max_burst}; Current average rate is %{INT:drop_rate_current_avg} per second, max configured rate is %{INT:drop_rate_max_avg}; Cumulative total count is %{INT:drop_total_count}
+
+# ASA-4-722051
+ESGCISCOFW722051 Group <%{DATA:group}> User <%{DATA:user}> IP <%{IP:src_ip}> IPv4 Address <%{IP:assigned_ip}> IPv6 address <%{DATA:assigned_ipv6}> assigned to session
+# ASA-4-722037 
+ESGCISCOFW722037 Group <%{DATA:group}> User <%{DATA:user}> IP <%{IP:src_ip}> SVC closing connection: %{GREEDYDATA:reason}\.
+# ASA-4-113019 
+ESGCISCOFW113019 Group = %{DATA:group}, Username = %{DATA:user}, IP = %{IP:src_ip}, %{GREEDYDATA:action}\. Session Type: %{WORD:session_type}, Duration: %{DATA:duration}, Bytes xmt: %{INT:bytes_xmt}, Bytes rcv: %{INT:bytes_rcv}, Reason: %{GREEDYDATA:reason}
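Review bot: `ESGCISCOFW106100` captures `%{DATA:src_fwuser}` twice — once after the source socket and again after the destination socket — so a 106100 line carrying both user annotations ends up with the destination user folded into `src_fwuser` (grok typically turns a repeated capture name into an array) and no `dst_fwuser` at all; the second capture should read `(\(%{DATA:dst_fwuser}\))?`. `ESGCISCOFW106023` captures `src_ip`/`dst_ip` with `%{DATA}` rather than `%{IP}`, which may be deliberate (hostnames, IPv6), but it means whatever sits between `:` and the next delimiter lands in an IP-named field that the `geoip` filter is then fed with. Several patterns defined here (`104001`–`105009`, `106100_2_3`, `313005`, `321001`) are not referenced by the `04-cisco.conf` match list, and the `CISCO_ACTION`/`CISCO_DIRECTION`/`CISCO_REASON`/`CISCO_INTERVAL`/`CISCO_XLATE_TYPE` names depend on Logstash's bundled firewall patterns being available; a header line such as `# Requires the CISCO_* helper patterns shipped with logstash-patterns-core (firewalls)` would make that dependency explicit.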

File Logstash config Deleted

-# 04-cisco.conf place in /etc/logstash/config.d/
-# ESGuardian: esguardian@outlook.com v 1.0.0
-# index cisco-asa-*
-
-input {
-        udp {
-                port => 10514
-                tags => ["cisco-asa"]
-        }
-}
-
-filter {
-    if "cisco-asa" in [tags] {
-        grok {
-            patterns_dir => ["/etc/logstash/patterns"]
-            match => [
-                    "message", "%{ESGCISCOFWUNKNOWN}"
-            ]
-           
-        }
-        grok {
-            patterns_dir => ["/etc/logstash/patterns"]
-            match => [
-                    "log_msg", "%{ESGCISCOFW106001}",
-                    "log_msg", "%{ESGCISCOFW106006_106007_106010}",
-                    "log_msg", "%{ESGCISCOFW106014}",
-                    "log_msg", "%{ESGCISCOFW106015}",
-                    "log_msg", "%{ESGCISCOFW106021}",
-                    "log_msg", "%{ESGCISCOFW106023}",
-                    "log_msg", "%{ESGCISCOFW106100}",
-                    "log_msg", "%{ESGCISCOFW110002}",
-                    "log_msg", "%{ESGCISCOFW302010}",
-                    "log_msg", "%{ESGCISCOFW302013_302014_302015_302016}",
-                    "log_msg", "%{ESGCISCOFW302020_302021}",
-                    "log_msg", "%{ESGCISCOFW305011}",
-                    "log_msg", "%{ESGCISCOFW313001_313004_313008}",
-                    "log_msg", "%{ESGCISCOFW402117}",
-                    "log_msg", "%{ESGCISCOFW402119}",
-                    "log_msg", "%{ESGCISCOFW419001}",
-                    "log_msg", "%{ESGCISCOFW419002}",
-                    "log_msg", "%{ESGCISCOFW500004}",
-                    "log_msg", "%{ESGCISCOFW602303_602304}",
-                    "log_msg", "%{ESGCISCOFW710001_710002_710003_710005_710006}",
-                    "log_msg", "%{ESGCISCOFW713172}",
-                    "log_msg", "%{ESGCISCOFW722051}",
-                    "log_msg", "%{ESGCISCOFW722037}",
-                    "log_msg", "%{ESGCISCOFW113019}",
-                    "log_msg", "%{ESGCISCOFW733100}"
-            ]
-        
-        
-        }
-        
-
-        # Parse the syslog severity and facility
-        syslog_pri { }
-        geoip {
-          source => "src_ip"
-          target => "geoip"
-          database => "/etc/logstash/GeoLiteCity.dat"          
-        }
-        mutate {
-            remove_field => [ "message" ]
-            gsub => ["event-code","4-106023","Reject"]
-            gsub => ["event-code","4-419002","Duplicate TCP SYN"]
-            gsub => ["event-code","3-710003","Reject"]
-            gsub => ["event-code","2-106001","Reject"]
-            gsub => ["event-code","4-313005","ICMP Reject"]
-            gsub => ["event-code","3-313001","ICMP Reject"]
-            gsub => ["event-code","3-210007","LU allocate xlate failed"]
-            gsub => ["event-code","2-106017","Land Atack"]
-            gsub => ["event-code","4-722051","Remconn address assigned"]
-            gsub => ["event-code","4-113019","Remconn session disconnected"]
-            gsub => ["event-code","4-722037","Remconn closing connection"]
-            gsub => ["event-code","4-722041","Remconn IPv6 not available"]
-            gsub => ["event-code","3-713194","IKE delete"]
-            gsub => ["event-code","4-405001","ARP collision"]
-        }
-
-
-        # Do a DNS lookup for the sending host
-        # Otherwise host field will contain an
-        # IP address instead of a hostname
-#        dns {
-#            reverse => [ "host" ]
-#            action => "replace"
-#          }
-
-    }
-}
-
-output {
-  if "cisco-asa" in [tags] {
-    #stdout { codec => rubydebug }
-    elasticsearch {        
-         hosts => ["127.0.0.1:9200"]
-         index => "cisco-asa-%{+YYYY.MM.dd}"
-         document_type => "cisco-asa"
-         template => "/etc/logstash/elastic-cisco-asa-template.json"
-         template_name => "cisco-asa"
-         template_overwrite => true
-    }
-  }
-}  

File elastic-cisco-asa-template.json Modified

+# json mapping template. Place into /etc/logstash/
+# ESGuardian: esguardian@outlook.com v 1.0.0
 {
   "order": 0,
   "template": "cisco-asa*",
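Review bot: The two `#` lines added at the top of `elastic-cisco-asa-template.json` make the file invalid JSON — JSON has no comment syntax — so the elasticsearch output that loads it (`template => "/etc/logstash/elastic-cisco-asa-template.json"`, `template_overwrite => true`) will fail to parse the template and, depending on the Logstash version, may refuse to start the output at all. If it merely skips the install, every new `cisco-asa-*` index falls back to Elasticsearch's default dynamic mapping, where `src_ip`, `dst_ip`, `policy_id` and the other `not_analyzed` fields become analyzed strings tokenised on dots and dashes, which silently breaks exact-match filtering and aggregations in Kibana. Drop the two lines and keep the placement note in the `.conf` header or a README instead. Only the first lines of the template are visible in this hunk; the rest of the file is outside it.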
Created by Evgeniy Sokolov

File Logstash config Added

+# 04-cisco.conf place in /etc/logstash/config.d/
+# ESGuardian: esguardian@outlook.com v 1.0.0
+# index cisco-asa-*
+
+input {
+        udp {
+                port => 10514
+                tags => ["cisco-asa"]
+        }
+}
+
+filter {
+    if "cisco-asa" in [tags] {
+        grok {
+            patterns_dir => ["/etc/logstash/patterns"]
+            match => [
+                    "message", "%{ESGCISCOFWUNKNOWN}"
+            ]
+           
+        }
+        grok {
+            patterns_dir => ["/etc/logstash/patterns"]
+            match => [
+                    "log_msg", "%{ESGCISCOFW106001}",
+                    "log_msg", "%{ESGCISCOFW106006_106007_106010}",
+                    "log_msg", "%{ESGCISCOFW106014}",
+                    "log_msg", "%{ESGCISCOFW106015}",
+                    "log_msg", "%{ESGCISCOFW106021}",
+                    "log_msg", "%{ESGCISCOFW106023}",
+                    "log_msg", "%{ESGCISCOFW106100}",
+                    "log_msg", "%{ESGCISCOFW110002}",
+                    "log_msg", "%{ESGCISCOFW302010}",
+                    "log_msg", "%{ESGCISCOFW302013_302014_302015_302016}",
+                    "log_msg", "%{ESGCISCOFW302020_302021}",
+                    "log_msg", "%{ESGCISCOFW305011}",
+                    "log_msg", "%{ESGCISCOFW313001_313004_313008}",
+                    "log_msg", "%{ESGCISCOFW402117}",
+                    "log_msg", "%{ESGCISCOFW402119}",
+                    "log_msg", "%{ESGCISCOFW419001}",
+                    "log_msg", "%{ESGCISCOFW419002}",
+                    "log_msg", "%{ESGCISCOFW500004}",
+                    "log_msg", "%{ESGCISCOFW602303_602304}",
+                    "log_msg", "%{ESGCISCOFW710001_710002_710003_710005_710006}",
+                    "log_msg", "%{ESGCISCOFW713172}",
+                    "log_msg", "%{ESGCISCOFW722051}",
+                    "log_msg", "%{ESGCISCOFW722037}",
+                    "log_msg", "%{ESGCISCOFW113019}",
+                    "log_msg", "%{ESGCISCOFW733100}"
+            ]
+        
+        
+        }
+        
+
+        # Parse the syslog severity and facility
+        syslog_pri { }
+        geoip {
+          source => "src_ip"
+          target => "geoip"
+          database => "/etc/logstash/GeoLiteCity.dat"          
+        }
+        mutate {
+            remove_field => [ "message" ]
+            gsub => ["event-code","4-106023","Reject"]
+            gsub => ["event-code","4-419002","Duplicate TCP SYN"]
+            gsub => ["event-code","3-710003","Reject"]
+            gsub => ["event-code","2-106001","Reject"]
+            gsub => ["event-code","4-313005","ICMP Reject"]
+            gsub => ["event-code","3-313001","ICMP Reject"]
+            gsub => ["event-code","3-210007","LU allocate xlate failed"]
+            gsub => ["event-code","2-106017","Land Atack"]
+            gsub => ["event-code","4-722051","Remconn address assigned"]
+            gsub => ["event-code","4-113019","Remconn session disconnected"]
+            gsub => ["event-code","4-722037","Remconn closing connection"]
+            gsub => ["event-code","4-722041","Remconn IPv6 not available"]
+            gsub => ["event-code","3-713194","IKE delete"]
+            gsub => ["event-code","4-405001","ARP collision"]
+        }
+
+
+        # Do a DNS lookup for the sending host
+        # Otherwise host field will contain an
+        # IP address instead of a hostname
+#        dns {
+#            reverse => [ "host" ]
+#            action => "replace"
+#          }
+
+    }
+}
+
+output {
+  if "cisco-asa" in [tags] {
+    #stdout { codec => rubydebug }
+    elasticsearch {        
+         hosts => ["127.0.0.1:9200"]
+         index => "cisco-asa-%{+YYYY.MM.dd}"
+         document_type => "cisco-asa"
+         template => "/etc/logstash/elastic-cisco-asa-template.json"
+         template_name => "cisco-asa"
+         template_overwrite => true
+    }
+  }
+}  
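Review bot: The `udp` input listens on 10514 on every interface with no `host` binding, and UDP syslog carries no sender authentication, so any host that can reach the collector can inject lines that will be tagged `cisco-asa`, parsed and indexed next to genuine firewall events — a direct way to pollute any detection built on this index. Bind the listener to the collector's management address (`host => "<collector-ip>"` inside the `udp {}` block) and restrict the port to the ASA's source address at the host firewall; the `host` field the input sets from the datagram's source address is spoofable for the same reason, so it should not be treated as trustworthy on its own. Also `remove_field => [ "message" ]` in the `mutate` block runs even when both grok stages failed, discarding the only copy of an unrecognised line; wrapping it in `if "_grokparsefailure" not in [tags] { ... }` keeps the raw evidence for lines the patterns do not yet cover.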

File elastic-cisco-asa-template.json Added

+{
+  "order": 0,
+  "template": "cisco-asa*",
+  "settings": {
+    "index.refresh_interval": "5s"
+  },
+  "mappings": {
+    "cisco-asa": {
+      "dynamic_templates": [
+        {
+          "notanalyzed": {
+            "match": "*",
+            "match_mapping_type": "string",
+            "mapping": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            }
+          }
+        }
+      ],
+      "properties": {
+        "@timestamp": {
+          "type": "date",
+          "format": "dateOptionalTime",
+          "index": "not_analyzed"
+        },
+        "@version": {
+          "type": "string"
+        },
+        "action": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "assigned_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "assigned_ipv6": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "cisco-type": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "direction": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "dst_interface": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "dst_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "dst_port": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_dst_interface": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_dst_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_icmp_code": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_icmp_type": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_protocol": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_src_fwuser": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_src_interface": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "err_src_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "event-code": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "group": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "hashcode1": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "hashcode2": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "host": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "icmp_code": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "icmp_type": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "interface": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "log_msg": {
+          "type": "string"
+        },
+        "orig_dst_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "orig_dst_port ": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "orig_src_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "orig_src_port": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "policy_id": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "protocol": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "reason": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "src_interface": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "src_ip": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "src_port": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "syslog_facility": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "syslog_facility_code": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "syslog_severity": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "syslog_severity_code": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "tags": {
+          "type": "string"
+        },
+        "tcp_flags": {
+          "type": "string",
+          "index": "not_analyzed"
+        },
+        "geoip": {
+          "type": "object",
+          "properties": {
+            "area_code": {
+              "type": "long"
+            },
+            "city_name": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            },
+            "continent_code": {
+              "type": "string"
+            },
+            "country_code2": {
+              "type": "string"
+            },
+            "country_code3": {
+              "type": "string"
+            },
+            "country_name": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            },
+            "dma_code": {
+              "type": "long"
+            },
+            "ip": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            },
+            "latitude": {
+              "type": "double"
+            },
+            "longitude": {
+              "type": "double"
+            },
+            "location": {
+              "type": "geo_point"
+            },
+            "postal_code": {
+              "type": "string"
+            },
+            "real_region_name": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            },
+            "region_name": {
+              "type": "string",
+              "index": "not_analyzed",
+              "doc_values": "true"
+            },
+            "timezone": {
+              "type": "string"
+            }
+          }
+        }
+        
+      }
+    }
+  }
+}
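Review bot: The property key `"orig_dst_port "` carries a trailing space, so this explicit mapping never applies to the `orig_dst_port` field that `ESGCISCOFW313005` emits; the field falls through to the `notanalyzed` dynamic template, which gives roughly the same result, but the entry is dead and should read `"orig_dst_port": {`. More useful for hunting: `src_ip`, `dst_ip`, `orig_src_ip`, `orig_dst_ip`, `err_src_ip`, `err_dst_ip` and `assigned_ip` are mapped as `string`, which rules out CIDR and range queries such as `src_ip:[10.0.0.0 TO 10.255.255.255]`; Elasticsearch's `ip` type supports those (IPv4 only on the `string`/`not_analyzed` generation of Elasticsearch this template targets, so `assigned_ipv6` stays a string). Before switching, note that `ESGCISCOFW106023` captures `src_ip`/`dst_ip` with `%{DATA}` rather than `%{IP}`, so any non-address value would be rejected by an `ip`-typed field and that pattern would need tightening first. Ports and ICMP codes (`src_port`, `dst_port`, `icmp_type`, `icmp_code`) are likewise strings; `integer` would allow numeric range filters.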