Geoip for both source and destination

[devinbfergy]

I do geoip fields for both my source and destination IPs. Would it be useful to include a separation between these two within ECS? I found it hard to differentiate between which geoip is internal and which one is external without it. Or should this just be an specific schema for my particular use case?

Thanks!

[webmat]

I agree. For security analytics, I've been cramming my source and destination geoip data at source.geoip and destination.geoip respectively. Because in these kinds of settings, we are observing traffic flows going in both directions. Sometimes our monitored system is the source, and the destination is remote and worth doing geoip on.

I think people have not done it this way in so far, because in operational monitoring cases (e.g. analysing your NGINX web logs), we're only tracking requests going in one direction. Source is always the remote, and destination is always the local address. So in these cases, having geoip at the top level was sufficient.

I think we could document both approaches as valid approaches. What do you think, @ruflin ?

[praseodym]

This is a duplicate of #9.

[webmat]

True. We can close this one. There's more discussion around that over in #9.