using ingest-geoip or Nginx filebeat/metricbeat module on Amazon ElasticSearch

0

I am trying to use the Nginx module for filebeat/metricbeat, which in turn seems to require ingest-geoip This is the error they got:

Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: 2020-12-03T08:37:45.077Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://<OUR_AWS_ELK_INSTANCE>)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: sudo bin/elasticsearch-plugin install ingest-geoip

Is there a way to install ingest-geoip or any other workaround to use Nginix module for filebeat/metricbeat on ES?

demandé il y a 4 ans1056 vues
1 réponse
0
Réponse acceptée

As of now Amazon Elasticsearch service does not have the ingest-geoip module built in. So, there are 2 ways you can tackle this error:

  1. Use logstash: In this method instead of sending data from Filebeat -> Elasticsearch, send it via logstash. You can do something like Filebeat -> Logstash -> Elasticsearch.

In this case add the geoip filter in logstash and enrich the data for IP. A sample conf may look like:

input {
  beat { .. }
}

filter {
    geoip {
      source => "ip_field_name"
    }
}

output {
  elasticsearch { .. }
}

2) Skip the geoip parsing and just send the data to Elasticsearch. You won't get the geo details extracted, but you can still send the rest of data to Elasticsearch.

For this go to your filebeat installation path, for example: filebeat-7.10.0-darwin-x86_64/module/nginx/access/ingest/pipeline.yml and comment out or remove the section related to geoip.

- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
AWS
répondu il y a 4 ans
profile picture
EXPERT
vérifié il y a 6 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions