diff --git a/10-suricata b/10-suricata
new file mode 100644
index 0000000000000000000000000000000000000000..64deabfbcf2c6a82751ccbc821a4f08abd217e2f
--- /dev/null
+++ b/10-suricata
@@ -0,0 +1,37 @@
+filter {
+  if [type] == "SuricataIDPS" {
+    date {
+      match => [ "timestamp", "ISO8601" ]
+    }
+    ruby {
+      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
+    }
+  }
+
+  if [src_ip]  {
+    geoip {
+      source => "src_ip"
+      target => "geoip"
+      database => "/etc/logstash/GeoLite2-City.mmdb"
+      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
+      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
+    }
+    mutate {
+      convert => [ "[geoip][coordinates]", "float" ]
+    }
+    if ![geoip.ip] {
+      if [dest_ip]  {
+        geoip {
+          source => "dest_ip"
+          target => "geoip"
+          database => "/etc/logstash/GeoLite2-City.mmdb"
+          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
+          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
+        }
+        mutate {
+          convert => [ "[geoip][coordinates]", "float" ]
+        }
+      }
+    }
+  }
+}
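Review bot: The fallback guard `if ![geoip.ip] {` tests a top-level field literally named `geoip.ip` rather than the nested `[geoip][ip]` that the geoip filter presumably populates, so it is always true and the `dest_ip` lookup runs for every event that has a `src_ip`. When both addresses resolve, the second lookup writes into the same `geoip` target and appends two more values to `[geoip][coordinates]`, so an alert can end up attributed to the destination's location or carry a four-element coordinate array. Use the nested reference, `if ![geoip][ip] {`, or send the destination lookup to its own target. Separately, the ruby filter uses `event['…']` access, which Logstash 5.0 and later reject in favour of `event.get`/`event.set` (the `.mmdb` database suggests a 5.x-or-later geoip plugin), and it raises if a `fileinfo` event arrives without a `fileinfo` object. A guarded form such as `fi = event.get('fileinfo'); event.set('[fileinfo][type]', fi['magic'].to_s.split(',')[0]) if fi` covers both.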