using ingest-geoip or Nginx filebeat/metricbeat module on Amazon ElasticSearch

0

I am trying to use the Nginx module for filebeat/metricbeat, which in turn seems to require ingest-geoip This is the error they got:

Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: 2020-12-03T08:37:45.077Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://<OUR_AWS_ELK_INSTANCE>)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: sudo bin/elasticsearch-plugin install ingest-geoip

Is there a way to install ingest-geoip or any other workaround to use Nginix module for filebeat/metricbeat on ES?

질문됨 4년 전1056회 조회
1개 답변
0
수락된 답변

As of now Amazon Elasticsearch service does not have the ingest-geoip module built in. So, there are 2 ways you can tackle this error:

  1. Use logstash: In this method instead of sending data from Filebeat -> Elasticsearch, send it via logstash. You can do something like Filebeat -> Logstash -> Elasticsearch.

In this case add the geoip filter in logstash and enrich the data for IP. A sample conf may look like:

input {
  beat { .. }
}

filter {
    geoip {
      source => "ip_field_name"
    }
}

output {
  elasticsearch { .. }
}

2) Skip the geoip parsing and just send the data to Elasticsearch. You won't get the geo details extracted, but you can still send the rest of data to Elasticsearch.

For this go to your filebeat installation path, for example: filebeat-7.10.0-darwin-x86_64/module/nginx/access/ingest/pipeline.yml and comment out or remove the section related to geoip.

- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
AWS
답변함 4년 전
profile picture
전문가
검토됨 5달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠