Using ingest-geoip or the Nginx filebeat/metricbeat modules on Amazon OpenSearch

0

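[The following question has been translated] I am trying to use the Nginx module of filebeat/metricbeat, but it seems to require ingest-geoip. Below is the error message they received: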

Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: 2020-12-03T08:37:45.077Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://<OUR_AWS_ELK_INSTANCE>)): Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: This module requires the following Elasticsearch plugins: ingest-geoip. You can install them by running the following commands on all the Elasticsearch nodes:
Dec 03 08:37:45 ip-10-1-2-5 filebeat[30775]: sudo bin/elasticsearch-plugin install ingest-geoip

Is there a way to install ingest-geoip, or some other workaround, to use the Nginx module on ES?

EXPERT
asked 10 months ago, 48 views
1 Answer
0

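[The following answer has been translated] As of now, Amazon Elasticsearch Service does not have the ingest-geoip module integrated. Therefore, there are two ways you can resolve this error:

  1. Use Logstash: In this approach, instead of sending data from Filebeat to Elasticsearch, you send it through Logstash. You can do something like Filebeat -> Logstash -> Elasticsearch.

In this case, add the geoip filter in Logstash and enrich the data for the IP. A sample configuration might look like this: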

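input {
  # The Logstash input plugin for Filebeat is named "beats"; its settings are elided here
  beats { .. }
}

filter {
  # Enrich each event with GeoIP data looked up from the named IP field
  geoip {
    source => "ip_field_name"
  }
}

output {
  # Connection settings for the Elasticsearch domain are elided here
  elasticsearch { .. }
}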

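  2. Skip geoip parsing and just send the data to Elasticsearch. You will not be able to extract geographic details, but you can still send the rest of the data to Elasticsearch.

To do this, go to your filebeat installation path, for example: filebeat-7.10.0-darwin-x86_64/module/nginx/access/ingest/pipeline.yml, and comment out or delete the geoip-related sections.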

- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true

EXPERT
answered 10 months ago
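
The second option above as a script, added here as an example and not part of the original answer: it comments out every geoip processor, including nested lines such as the properties list, and leaves the other processors untouched. SAMPLE_PIPELINE is constructed (the two geoip blocks from the answer placed between invented set and rename processors), and the function names are hypothetical.

```python
import re

# Constructed sample: the two geoip processors quoted in the answer, placed
# between a "set" and a "rename" processor invented for illustration.
SAMPLE_PIPELINE = """\
processors:
- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
- rename:
    field: source.as.asn
    target_field: source.as.number
    ignore_missing: true
"""

GEOIP_ITEM = re.compile(r"^(\s*)- geoip:\s*$")

def comment_out_geoip(text):
    """Comment out each '- geoip:' list item and every line nested under it."""
    out, block_indent = [], None
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        # A non-blank line indented no deeper than the geoip dash ends the block.
        if block_indent is not None and line.strip() and indent <= block_indent:
            block_indent = None
        m = GEOIP_ITEM.match(line)
        if m:
            block_indent = len(m.group(1))
        if block_indent is not None and line.strip():
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def active_processors(text):
    """Names of top-level processors that are not commented out."""
    return re.findall(r"^- (\w+):[ \t]*$", text, re.M)

if __name__ == "__main__":
    print(comment_out_geoip(SAMPLE_PIPELINE))
```

Keep a copy of the original pipeline.yml before writing the result back. Running the function on already patched text changes nothing.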
