I'm trying to ingest Windows IIS logs with the Filebeat IIS module.
The pipeline that Filebeat has automatically defined for this includes GeoIP lookups, e.g.:
    "geoip" : {
      "field" : "source.ip",
      "target_field" : "source.geo",
      "ignore_missing" : true
    }
However, I noticed the geo fields were never present.
I recreated this manually by following the guide here:
https://www.elastic.co/guide/en/beats/filebeat/7.7/filebeat-geoip.html
First I created the pipeline:
    PUT _ingest/pipeline/geoip-info
    {
      "description": "Add geoip info",
      "processors": [
        {
          "geoip": {
            "field": "source.ip"
          }
        }
      ]
    }
Then I tried ingesting a document through the pipeline:
    PUT geoip-test2/_doc/my_id?pipeline=geoip-info
    {
      "source.ip": "8.8.8.8"
    }
This gives the following output:
    {
      "error" : {
        "root_cause" : [
          {
            "type" : "illegal_argument_exception",
            "reason" : "field [source] not present as part of path [source.ip]"
          }
        ],
        "type" : "illegal_argument_exception",
        "reason" : "field [source] not present as part of path [source.ip]"
      },
      "status" : 400
    }
It does work if I manually change it to:
    PUT geoip-test2/_doc/my_id?pipeline=geoip-info
    {
      "source": {
        "ip": "8.8.8.8"
      }
    }
I assume this is also the reason why the Filebeat data never gets GeoIP information.
As far as I can tell I'm following the defaults provided (Filebeat's own default IIS module) and the documentation as found in the manual.
Am I missing something or is the documentation/default module wrong?
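The error above comes from how ingest processors resolve a dotted field name: `source.ip` is walked as object `source` then key `ip`, so a top-level key literally named `"source.ip"` is never matched. The following added Python example (not part of the post or of Elasticsearch) mimics that path walk, reproduces the exact error message, and shows the rewrite that the ingest `dot_expander` processor performs to turn dotted keys into nested objects; the sample documents are constructed from the two request bodies above.

```python
# Constructed sample documents mirroring the two request bodies in the post.
DOTTED_DOC = {"source.ip": "8.8.8.8"}       # one key whose name contains a dot
NESTED_DOC = {"source": {"ip": "8.8.8.8"}}  # a real object path


def resolve_path(doc, path):
    """Walk a dotted ingest path segment by segment, as the geoip processor does.

    Raises ValueError with the wording Elasticsearch returned when an
    intermediate object is missing. A top-level key named "source.ip" is
    never matched, because the walker only ever looks for "source".
    """
    node = doc
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            raise ValueError(f"field [{segment}] not present as part of path [{path}]")
        node = node[segment]
    return node


def geoip_lookup_error(doc, field="source.ip"):
    """Return None if a geoip processor configured with `field` would find its
    input, otherwise the error message it would raise."""
    try:
        resolve_path(doc, field)
        return None
    except ValueError as exc:
        return str(exc)


def expand_dots(doc):
    """Rewrite keys containing dots into nested objects, the transformation the
    ingest `dot_expander` processor applies. Returns a new document."""
    out = {}
    for key, value in doc.items():
        parts = key.split(".")
        target = out
        for part in parts[:-1]:
            target = target.setdefault(part, {})
        if isinstance(value, dict):
            value = expand_dots(value)
            if isinstance(target.get(parts[-1]), dict):
                target[parts[-1]].update(value)
                continue
        target[parts[-1]] = value
    return out


if __name__ == "__main__":
    print(geoip_lookup_error(DOTTED_DOC))               # the 400 error's reason
    print(geoip_lookup_error(NESTED_DOC))               # None
    print(geoip_lookup_error(expand_dots(DOTTED_DOC)))  # None
```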