I think I misspoke. Here are a couple of excerpts from our filebeat.yml file:

```yaml
#============================= Elastic Cloud ==================================
# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).
# The cloud.id setting overwrites the output.elasticsearch.hosts and
# setup.kibana.host options.
# You can find the cloud.id in the Elastic Cloud web UI.
cloud.id: xxxx
# The cloud.auth setting overwrites the output.elasticsearch.username and
# output.elasticsearch.password settings. The format is <user>:<pass>.
cloud.auth: xxxx

#================================ Outputs =====================================
# Configure what output to use when sending the data collected by the beat.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["http://localhost:9200/"]
  pipeline: geoip-info
  index: "filebeat-%{[fields.doc_type]}-%{+yyyy.MM.dd}"

setup.template.name: xxxx
setup.template.pattern: xxxx
setup.template.name: xxxx
setup.template.pattern: xxxx
```
After posting this, I was reading further on the topic and realized that the only thing that gets ignored is the 'hosts' property.
I've defined the geoip-info processor with the following, following the process outlined in https://www.elastic.co/guide/en/beats/filebeat/7.11/filebeat-geoip.html
```json
PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "client.ip",
        "target_field": "client.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "destination.ip",
        "target_field": "destination.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "server.ip",
        "target_field": "server.geo",
        "ignore_missing": true
      }
    },
    {
      "geoip": {
        "field": "host.ip",
        "target_field": "host.geo",
        "ignore_missing": true
      }
    }
  ]
}
```
I'm still not seeing any geoip info being sent through from Filebeat.
Thanks,
Bill
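An added diagnostic for the pipeline shown in the post (example code, not from the original post or from Elastic): every processor uses `ignore_missing: true`, so an event that carries none of the five source fields passes through the pipeline unchanged and nothing is logged. The script below embeds a copy of that pipeline definition and two constructed sample events, one ECS-shaped (`source.ip`) and one using a custom flat key, and reports which processors would actually fire for each; the event shapes and IPs are constructed assumptions.

```python
import json

# Copy of the pipeline definition from the post, embedded so this runs offline.
GEOIP_PIPELINE = json.loads("""
{
  "description": "Add geoip info",
  "processors": [
    {"geoip": {"field": "client.ip", "target_field": "client.geo", "ignore_missing": true}},
    {"geoip": {"field": "source.ip", "target_field": "source.geo", "ignore_missing": true}},
    {"geoip": {"field": "destination.ip", "target_field": "destination.geo", "ignore_missing": true}},
    {"geoip": {"field": "server.ip", "target_field": "server.geo", "ignore_missing": true}},
    {"geoip": {"field": "host.ip", "target_field": "host.geo", "ignore_missing": true}}
  ]
}
""")


def get_dotted(doc, path):
    """Resolve a dotted field path against a nested dict, the way Filebeat
    nests ECS fields (source.ip -> doc["source"]["ip"]). Returns None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def geoip_fields_present(pipeline, event):
    """List the geoip source fields that exist in the event. With
    ignore_missing:true, every absent field is skipped silently, so an empty
    list means the pipeline leaves the event exactly as it arrived."""
    present = []
    for proc in pipeline["processors"]:
        cfg = proc.get("geoip")
        if cfg and get_dotted(event, cfg["field"]) is not None:
            present.append(cfg["field"])
    return present


# Constructed sample events (assumed shapes, not real Filebeat output).
EVENTS = [
    {"source": {"ip": "203.0.113.10"}, "fields": {"doc_type": "web"}},
    {"clientip": "203.0.113.10", "fields": {"doc_type": "web"}},
]


def diagnose(pipeline, events):
    """Per-event list of processors that would fire; [] flags a silent skip."""
    return [geoip_fields_present(pipeline, e) for e in events]


if __name__ == "__main__":
    for fields in diagnose(GEOIP_PIPELINE, EVENTS):
        print(fields or "no geoip source field present; pipeline skips silently")
```

Run it against a real event by pasting the `_source` of one indexed document in place of `EVENTS`; an empty result there means the fix is in field naming on the Filebeat side, not in the pipeline.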