prepare for new attack map feature

tweaking, cleanup

docker/elk/logstash/dist/logstash.conf

@@ -664,6 +664,14 @@ filter {
 if "_grokparsefailure" in [tags] { drop {} }
 if "_jsonparsefailure" in [tags] { drop {} }
 
+# Add T-Pot hostname and external IP
+  mutate {
+    add_field => {
+      "t-pot_ip_ext" => "${MY_EXTIP}"
+      "t-pot_ip_int" => "${MY_INTIP}"
+      "t-pot_hostname" => "${MY_HOSTNAME}"
+    }
+  }
 
 # Add geo coordinates / ASN info / IP rep.
   if [src_ip]  {
@@ -684,6 +692,20 @@ if "_jsonparsefailure" in [tags] { drop {} }
       dictionary_path => "/etc/listbot/iprep.yaml"
     }
   }
+  if [t-pot_ip_ext]  {
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-City.mmdb"
+    }
+    geoip {
+      cache_size => 10000
+      source => "t-pot_ip_ext"
+      target => "geoip_ext"
+      database => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-7.2.8-java/vendor/GeoLite2-ASN.mmdb"
+    }
+  }
 
 # In some rare conditions dest_port, src_port, status are indexed as string, forcing integer for now
   if [dest_port] {
@@ -712,15 +734,6 @@ if "_jsonparsefailure" in [tags] { drop {} }
     }
   }
 
-# Add T-Pot hostname and external IP
-  mutate {
-    add_field => {
-      "t-pot_ip_ext" => "${MY_EXTIP}"
-      "t-pot_ip_int" => "${MY_INTIP}"
-      "t-pot_hostname" => "${MY_HOSTNAME}"
-    }
-  }
-
 }
 
 # Output section