Elastic GeoIP does not work for Linux hosts

Hello,

I have a rather strange problem. My fleet agents that are either Windows or macOS send the network flows just fine, including GeoIP enrichment:

Example:

But the flows sent by Linux hosts do not contain any GeoIP enrichment anymore. I know this worked some time ago, so I am not sure what happened.

Example:

I searched for anything matching destination.geo.country: * with host OS Linux, but got no results.

It would be nice if this worked again, as some of my detection rules are based on GeoIP (e.g. connection of a server to a suspicious country, etc.).

ELK 8.14.0.
Fleet Agents (working and not working) are on 8.14.0 as well.

Network Capture Integration v1.1.0 (on all agents).

Any help is appreciated.

Anyone?

Hmmm, the geoip processing happens in an ingest pipeline on Elasticsearch, not on the agent host, so it should be independent of the agent host OS.

First, I would update the Network Capture Integration.

v1.1.0 is nearly 3 years old; the latest Network Packet Capture version is 1.32.1.

Then, say that is a DNS flow: the geoip happens in the logs-network_traffic.dns-1.32.1-geoip ingest pipeline, which does not operate on the host operating system.

Perhaps upgrade and see if you get different results.
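One way to verify the point made in the reply, that the enrichment runs in Elasticsearch and not on the agent, is to simulate the named pipeline against two hand-built documents that differ only in host OS. This is an added example for Kibana Dev Tools, not something posted in the thread; the pipeline name is the one quoted above (substitute the version your integration actually installed), and the 8.8.8.8 destination is a constructed sample value.

```console
# Added example (not from the thread). Simulate the geoip pipeline named in the
# reply against two constructed documents: one claiming a Linux host, one a
# Windows host. Replace 1.32.1 with the integration version you have installed.
POST _ingest/pipeline/logs-network_traffic.dns-1.32.1-geoip/_simulate
{
  "docs": [
    {
      "_source": {
        "host": { "os": { "type": "linux" } },
        "destination": { "ip": "8.8.8.8" }
      }
    },
    {
      "_source": {
        "host": { "os": { "type": "windows" } },
        "destination": { "ip": "8.8.8.8" }
      }
    }
  ]
}

# Expected: both simulated documents come back with the same destination.geo.*
# fields, because the geoip processor only reads the IP field and never looks
# at host.os. If the simulation enriches but the live Linux documents do not,
# the gap is in what the Linux agents send (for example the IP field the
# processor reads being absent, which a processor with ignore_missing skips
# silently). Inspect the processor definitions to see which field that is:
GET _ingest/pipeline/logs-network_traffic.dns-1.32.1-geoip
```

The same check applies to the other flow pipelines of the integration; only the pipeline name after logs-network_traffic. changes.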