From 663a751e38300e2df709466231286b0d492fedfe Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Thu, 6 Aug 2020 09:19:47 -0400
Subject: [PATCH 1/2] [Filebeat] Fix Okta ingest pipeline (#20454)

* Fix ingest pipeline

* Add changelog entry

(cherry picked from commit 5fdcb1c994d00803efa0337dc4b3003118900f1a)
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/module/okta/system/ingest/pipeline.yml | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index dd97d7fa922..b56e860c342 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -264,6 +264,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
 - Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245]
 - Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273]
+- Fix `okta` geoip lookup in pipeline for `destination.ip` {pull}20454[20454]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
index 78f6fa37047..ab8b27342a3 100644
--- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
@@ -1,6 +1,9 @@
 description: Pipeline for Okta system logs.
 processors:
+ - set:
+ field: event.ingested
+ value: "{{_ingest.timestamp}}"
 - user_agent:
 field: user_agent.original
 ignore_missing: true
@@ -10,7 +13,7 @@ processors:
 ignore_missing: true
 - geoip:
 field: destination.ip
- target_field: source.geo
+ target_field: destination.geo
 ignore_missing: true
 - geoip:
 database_file: GeoLite2-ASN.mmdb
@@ -48,4 +51,4 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: "{{ _ingest.on_failure_message }}"
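Review bot: The ASN lookup that immediately follows the fixed processor (`- geoip:` with `database_file: GeoLite2-ASN.mmdb`) is cut off at the end of the `@@ -10,7 +13,7 @@` hunk, so its `field`/`target_field` pairing cannot be checked here; given that the city lookup for `destination.ip` had been writing into `source.geo`, the sibling ASN processor is worth verifying for the same source/destination mix-up. A misdirected `target_field` silently overwrites the enrichment of the other endpoint rather than failing, which would skew any detection or dashboard keyed on `source.geo` / `destination.geo` (or `source.as` / `destination.as`) without any error surfacing in `error.message`. A short comment above each geoip processor would make the intended pairing explicit for the next maintainer, e.g. `# destination endpoint enrichment: field and target_field must both refer to destination.*`. The `event.ingested` set processor added in the first hunk is removed again by the second patch in this series, so it needs no review here.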
From c2fbae5ae46c17a807e0ea73ccf0bc4f28fd1d7d Mon Sep 17 00:00:00 2001
From: Andrew Stucki
Date: Thu, 6 Aug 2020 10:27:31 -0400
Subject: [PATCH 2/2] Remove added event.ingested from another commit

---
 x-pack/filebeat/module/okta/system/ingest/pipeline.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
index ab8b27342a3..6b09d69373c 100644
--- a/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/okta/system/ingest/pipeline.yml
@@ -1,9 +1,6 @@
 description: Pipeline for Okta system logs.
 processors:
- - set:
- field: event.ingested
- value: "{{_ingest.timestamp}}"
 - user_agent:
 field: user_agent.original
 ignore_missing: true