How to solve _geoip_expired_database

Hi,

I've been experiencing an issue with the GeoIP filter here. At the beginning of my Logstash deployment, the GeoIP filter was working well, but recently I saw a tag on all my documents that said _geoip_expired_database. Do you know how to solve this?

Since this is a production environment, if there is a URL that Logstash should be able to access, what is the URL? I need to whitelist it.

Thanks

Perhaps take a look at this..

I tried to disable xpack.geoip.downloader.enabled in logstash.yml and the GeoIP fields are back again in each document. But in this situation, my GeoIP database is not up to date, right? To keep my Logstash up to date, is it enough just to be connected to the internet? Or is there any specific URL that Logstash must be able to connect to?

Sorry, I think it could be a misunderstanding. I can't edit it, but this is the right one:

But in this situation, my GeoIP database is not up to date, right? To keep my GeoIP database up to date, is it enough just to be connected to the internet?

You would need to have xpack.geoip.downloader.enabled set to true to enable the auto-update, and your Logstash would need internet access.

If you set it to false, your databases will not be updated even if you connect to the internet.

That is more of a MaxMind question than a Logstash question. The API requires access to DNS and port 443, but it doesn't seem to document what URL it accesses. You might be able to find that by sniffing the network traffic.

It is not in the documentation, but it is present in the logstash.yml reference file.

#xpack.geoip.downloader.enabled: true
#xpack.geoip.downloader.endpoint: "https://geoip.elastic.co/v1/database"

Just needs to allow traffic for geoip.elastic.co on port 443.
