I've been experiencing an issue with the GeoIP filter here. So, at the beginning of my Logstash deployment, the GeoIP filter was working well, but recently I saw a tag on all my documents that said _geoip_expired_database. Do you know how to solve this?
Since this is a production environment, if there is a URL that Logstash should be able to access, what is the URL? I need to whitelist it.
I tried to disable xpack.geoip.downloader.enabled in logstash.yml and the GeoIP fields are back again in each document. But in this situation, my GeoIP database is not up to date, right? To keep my Logstash up to date, is it enough just to be connected to the internet? Or is there any specific URL that Logstash must be able to connect to?
That is more of a MaxMind question than a Logstash question. The API requires access to DNS and port 443, but it doesn't seem to document what URL it accesses. You might be able to find that by sniffing the network traffic.