using ingest-geoip or Nginx filebeat/metricbeat module on Amazon ElasticSearch
I am trying to use the Nginx module for filebeat/metricbeat, which in turn seems to require ingest-geoip. This is the error they got:
Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: 2020-12-03T08:37:45.077Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://<OUR_AWS_ELK_INSTANCE>)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: sudo bin/elasticsearch-plugin install ingest-geoip
Is there a way to install ingest-geoip or any other workaround to use Nginx module for filebeat/metricbeat on ES?
As of now Amazon Elasticsearch service does not have the ingest-geoip module built in. So, there are 2 ways you can tackle this error:
1) Use logstash: In this method instead of sending data from Filebeat -> Elasticsearch, send it via logstash. You can do something like Filebeat -> Logstash -> Elasticsearch.
In this case add the geoip filter in logstash and enrich the data for IP. A sample conf may look like:
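input {
  # receive events from Filebeat (the Logstash input plugin is named "beats")
  beats { .. }
}
filter {
  # enrich each event with geo details for the IP address in this field
  geoip {
    source => "ip_field_name"
  }
}
output {
  elasticsearch { .. }
}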
2) Skip the geoip parsing and just send the data to Elasticsearch. You won't get the geo details extracted, but you can still send the rest of data to Elasticsearch.
For this go to your filebeat installation path, for example: filebeat-7.10.0-darwin-x86_64/module/nginx/access/ingest/pipeline.yml and comment out or remove the section related to geoip.
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
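The manual edit from option 2, as an added example that is not part of the original answer: a Python helper that comments out every `- geoip:` processor block in the text of a pipeline.yml and leaves all other processors untouched. The function name `comment_out_geoip` and the sample pipeline text are constructed for illustration; only the two geoip blocks are taken from the answer.

```python
import re

# A list item whose only key is "geoip", at any indentation (YAML indents with spaces).
GEOIP_ITEM = re.compile(r"^( *)- geoip:\s*$")

def comment_out_geoip(pipeline_text):
    """Return (new_text, count): the text with each `- geoip:` block commented out."""
    out, count = [], 0
    block_indent = None  # indent of the current `- geoip:` line while inside its block
    for line in pipeline_text.splitlines():
        if block_indent is not None:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent > block_indent:
                out.append("# " + line)  # still inside the geoip block
                continue
            block_indent = None  # block ended; re-examine this line below
        match = GEOIP_ITEM.match(line)
        if match:
            block_indent = len(match.group(1))
            count += 1
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", count

# Constructed sample: the set/rename processors are placeholders, not the real file.
SAMPLE = """\
processors:
- set:
    field: example.before
    value: kept
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
- rename:
    field: example.after
    target_field: example.kept
"""

if __name__ == "__main__":
    patched, removed = comment_out_geoip(SAMPLE)
    print(f"commented out {removed} geoip processor(s)\n{patched}")
```

Because the commented lines no longer match the `- geoip:` pattern, running the helper a second time on its own output changes nothing.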