1 Answer
0
As of now, Amazon Elasticsearch Service does not have the ingest-geoip module built in. So, there are 2 ways you can tackle this error:
1) Use Logstash: In this method, instead of sending data from Filebeat -> Elasticsearch, send it via Logstash. You can do something like Filebeat -> Logstash -> Elasticsearch.
In this case, add the geoip filter in Logstash and enrich the data for the IP. A sample conf may look like:
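```
input {
  # Receive events from Filebeat (the Logstash input plugin is named "beats")
  beats { .. }
}
filter {
  # Enrich events with geo data looked up from the IP address field
  geoip {
    source => "ip_field_name"
  }
}
output {
  # Forward the enriched events to the Elasticsearch domain
  elasticsearch { .. }
}
```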
2) Skip the geoip parsing and just send the data to Elasticsearch. You won't get the geo details extracted, but you can still send the rest of the data to Elasticsearch.
For this, go to your Filebeat installation path, for example: `filebeat-7.10.0-darwin-x86_64/module/nginx/access/ingest/pipeline.yml`, and comment out or remove the section related to geoip.
```yaml
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
      - asn
      - organization_name
    ignore_missing: true
```
Answered 4 years ago
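
Option 2 of the answer above, as an added example that is not part of the original answer: a Python sketch that drops every `- geoip:` processor from the text of a module pipeline file. The `strip_geoip` helper and the sample pipeline excerpt are constructed for illustration, and the function works line by line on indentation rather than parsing YAML.

```python
import re

# Constructed sample shaped like a Filebeat module ingest pipeline (not a real file).
SAMPLE_PIPELINE = """\
processors:
- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
- rename:
    field: source.as.asn
    target_field: source.as.number
    ignore_missing: true
"""

# A list item that opens a geoip processor, at any indentation level.
GEOIP_ITEM = re.compile(r"^( *)- geoip:\s*$")


def strip_geoip(text):
    """Return (new_text, removed) with every `- geoip:` list item dropped."""
    kept, removed, skip_indent = [], 0, None
    for line in text.splitlines(keepends=True):
        indent = len(line) - len(line.lstrip(" "))
        if skip_indent is not None:
            # Inside a removed item: its body is blank or indented deeper than its dash.
            if not line.strip() or indent > skip_indent:
                continue
            skip_indent = None
        match = GEOIP_ITEM.match(line)
        if match:
            skip_indent, removed = len(match.group(1)), removed + 1
            continue
        kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    cleaned, count = strip_geoip(SAMPLE_PIPELINE)
    print(f"removed {count} geoip processors\n{cleaned}", end="")
```

Run it over a copy of `pipeline.yml` and diff the result before replacing the file. Once the processors are gone, `source.geo` and `source.as` are no longer populated, so dashboards or detections that rely on those fields need another enrichment path such as the Logstash filter from option 1.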