Disable geoip processor via filebeat ingest pipeline

Hi,

I'm running ES and filebeat v8.8.0. I'm trying to disable the geoip processing only for netflow data written to the index test. I have netflow data written to other indices by other filebeat instances that have geoip enabled.

I have modified the config files below, but they did not work (geoip-related fields such as source.geo.country_name still appear in my records in the test index).

In /etc/filebeat/filebeat.yml, added:

output.elasticsearch.indices:
  - index: "test"
    when.equals:
      input.type: "netflow"

In /usr/share/filebeat/module/netflow/log/manifest.yml:

  • Commented out name: geoip and plugin: ingest-geoip

In /usr/share/filebeat/module/netflow/log/ingest/pipeline.yml:

  • Removed all geoip blocks
  • Removed all rename blocks that refer to as.* in source and destination fields

Is filebeat not automatically using the pipeline defined in /usr/share/filebeat/module/netflow/log/ingest/pipeline.yml?

I have also tried to explicitly create a pipeline, and specify the pipeline in the filebeat config file. I.e.

PUT _ingest/pipeline/test_pipeline
{ 
   <Contents of pipeline.yml without any "geoip" or "rename" blocks>
}

Then adding output.elasticsearch.pipeline: "test_pipeline" to filebeat.yml. This didn't work either.

Thank you.

Found the problem. I needed to load the pipeline manually after modifying pipeline.yml, by doing this

filebeat setup --pipelines --modules nginx -M "netflow.log.enabled=true"
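
One way to check that the pipeline actually stored in Elasticsearch no longer runs geoip after a reload, as an added example that is not part of the thread or Elastic's own code: it walks a saved `GET _ingest/pipeline` response, including `foreach` and `on_failure` nesting. The sample response, its pipeline id, and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like a GET _ingest/pipeline response; the pipeline
# id and processors are illustrative, not taken from the thread.
SAMPLE_RESPONSE = json.loads("""
{"example-netflow-pipeline": {
  "processors": [
    {"set": {"field": "event.kind", "value": "event"}},
    {"geoip": {"field": "source.ip", "target_field": "source.geo"}},
    {"foreach": {"field": "related.ip", "processor":
       {"geoip": {"field": "_ingest._value", "target_field": "tmp.geo"}}}},
    {"rename": {"field": "source.as.asn", "target_field": "source.as.number",
       "on_failure": [{"geoip": {"field": "destination.ip"}}]}}
  ]
}}
""")


def walk(processors, path):
    """Yield (path, type, config) for each processor, nested ones included."""
    for i, proc in enumerate(processors or []):
        for ptype, cfg in proc.items():
            here = f"{path}[{i}].{ptype}"
            yield here, ptype, cfg
            if not isinstance(cfg, dict):
                continue
            yield from walk(cfg.get("on_failure"), here + ".on_failure")
            if ptype == "foreach" and isinstance(cfg.get("processor"), dict):
                yield from walk([cfg["processor"]], here + ".processor")


def find_geoip(response):
    """Map each pipeline id to its geoip processors: (path, field, target)."""
    hits = {}
    for pid, body in response.items():
        hits[pid] = [
            (path, cfg.get("field"), cfg.get("target_field", "geoip"))
            for section in ("processors", "on_failure")
            for path, ptype, cfg in walk(body.get(section), section)
            if ptype == "geoip"
        ]
    return hits


if __name__ == "__main__":
    for pid, found in find_geoip(SAMPLE_RESPONSE).items():
        print(f"{pid}: {len(found)} geoip processor(s)")
        for path, field, target in found:
            print(f"  {path}: {field} -> {target}")
```

An empty list for a pipeline id means no geoip processor remains in the stored definition; any hit shows where the lookup still happens and which field it writes to.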
