input {
    http {
    port => 8000
    codec => nmap
    tags => [nmap]
  }
}

filter {
  if "nmap" in [tags] {
    # Don't emit documents for 'down' hosts
    if [status][state] == "down" {
      drop {}
    }

    mutate {
      # Drop HTTP headers and logstash server hostname
      remove_field => ["headers", "hostname"]
    }

    if "nmap_traceroute_link" == [type] {
      geoip {
        source => "[to][address]"
        target => "[to][geoip]"
      }

      geoip {
        source => "[from][address]"
        target => "[from][geoip]"
      }
    }

    if [ipv4] {
      geoip {
        source => ipv4
        target => geoip
      }
    }

  }
}

output {
  if "nmap" in [tags] {
    elasticsearch {
      document_type => "%{[type]}"
      document_id => "%{[id]}"
      # Nmap data usually isn't too bad, so monthly rotation should be fine
      index => "nmap-logstash-%{+YYYY.MM}"
      template => "./elasticsearch_nmap_template.json"
      template_name => "logstash_nmap"
    }

    stdout {
      codec => json_lines
    }
  }
}