Geoip-info fail on auditbeat, filebeat and packetbeat

Hello everyone o/

I followed this tutorial and after restarting the beats (it's the same steps for all beats) I can't receive any geoip-info fields.
Do I need more configs on .yml files?

geoip-info

Hi @b0r1s

Can you post one of your config files? You will need to add that pipeline to the elasticsearch output. Also remember that geoip only works for public IPs.

output.elasticsearch:
  hosts: ["localhost:9200"]
  pipeline: geoip-info

Are you sending the data directly from the Beats to Elasticsearch... is there anything in between?

The sample geoip-info pipeline will only work on the fields specified; if your IPs are in different fields, then they would need to be referenced.

Hi @stephenb o/

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://myelasticservers..."]
  pipeline: geoip-info
  # Protocol - either `http` (default) or `https`.
  protocol: "https"

I'm sending data directly from Beats to Elasticsearch.
I just tested packetbeat on a Windows host where I accessed some external sites and geoip worked =]
I think that before it was just capturing internal traffic, that's why it didn't appear...
I apologize for my ignorance and thank you for your attention!
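
Added example, not part of the thread or of Elastic's code: a quick check for the cause found above, reporting which IP fields in a Beats event a geoip pipeline could enrich at all. The field list is an assumption about what the sample geoip-info pipeline reads, the two events are constructed, and `geoip_candidates` / `would_enrich` are hypothetical helper names.

```python
import ipaddress

# Assumption: fields read by the geoip processors in the sample pipeline.
# Replace with the fields your own geoip-info pipeline references.
PIPELINE_FIELDS = ("client.ip", "source.ip", "destination.ip", "server.ip", "host.ip")


def get_path(event, dotted):
    """Return the value at a dotted path such as 'source.ip', or None."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def geoip_candidates(event, fields=PIPELINE_FIELDS):
    """Map each field to 'missing', 'invalid', 'non-public' or 'public'."""
    report = {}
    for field in fields:
        value = get_path(event, field)
        if value is None:
            report[field] = "missing"  # pipeline has nothing to look up
            continue
        values = value if isinstance(value, list) else [value]
        try:
            public = any(ipaddress.ip_address(v).is_global for v in values)
        except ValueError:
            report[field] = "invalid"
            continue
        report[field] = "public" if public else "non-public"
    return report


def would_enrich(event, fields=PIPELINE_FIELDS):
    """True if at least one referenced field holds a public address."""
    return any(s == "public" for s in geoip_candidates(event, fields).values())


# Constructed sample events: internal-only flow vs. flow to an external host.
INTERNAL_FLOW = {"source": {"ip": "192.168.1.20"}, "destination": {"ip": "10.0.0.5"}}
EXTERNAL_FLOW = {"source": {"ip": "192.168.1.20"}, "destination": {"ip": "8.8.8.8"}}

if __name__ == "__main__":
    for name, ev in (("internal", INTERNAL_FLOW), ("external", EXTERNAL_FLOW)):
        print(name, would_enrich(ev), geoip_candidates(ev))
```

An event that reports only "missing" or "non-public" will index without any geo fields even when the pipeline is attached correctly.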
