Problems processing nginx access log

Hello everyone!

I'm new here (and an ES novice) so please bear with me ...

I have a setup of ELK using docker (just default images) and I'm sending some logs off an nginx webserver directly to ES using filebeat installed via the deb package.

My only configuration was to enable the nginx module and provide the paths to the access and error logs respectively.

Now, I know my setup works because if I process only the error log, all is perfect!
However, if I enable the access log, I get this:

2018-04-29T18:27:15.972Z ERROR pipeline/output.go:74 Failed to connect: Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset nginx/access: couldn't load pipeline: couldn't load json. Error: 400 Bad Request: {"error":{"root_cause":[{"type":"parse_exception","reason":"[database_file] database file [GeoLite2-City.mmdb.gz] doesn't exist","header":{"processor_type":"geoip","property_name":"database_file"}}],"type":"parse_exception",

I believe it comes from ES? However, geoip ingest is installed (comes by default it seems). Is there some setup I need to do that this doesn't account for? The documentation mentions that the GeoLite2 City database is bundled, but this doesn't seem to be the case.


Answer: purging and reinstalling the geoip ingest is the solution. For some reason, even though the ingest is installed by default, the actual db files are missing. Reinstalling the ingest in docker (or by creating a local Dockerfile customising the default) fixes this.

Might warrant a bug on the Docker repository.
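
The fix described in the answer, as an added example that is not part of the original thread: a script for a `RUN` step in a customised Dockerfile that checks for the database file named in the error and, if it is missing, removes and reinstalls `ingest-geoip`. The database directory passed as the first argument and the default CLI path are assumptions about the image layout.

```shell
#!/bin/sh
# Added example, not from the original thread.
# GEOIP_DB is the file named in the error above. The directory that should
# contain it and the plugin CLI path are assumptions; adjust for your image.
GEOIP_DB="GeoLite2-City.mmdb.gz"

# True when the database file exists in directory $1 and is not empty.
geoip_db_present() {
  [ -s "$1/$GEOIP_DB" ]
}

# repair_geoip DB_DIR [PLUGIN_CMD]
# Prints ok | repaired | install-failed | still-missing.
# Returns non-zero when the database is still unavailable afterwards.
repair_geoip() {
  rg_dir="$1"
  rg_plugin="${2:-bin/elasticsearch-plugin}"   # assumed relative to ES home

  if geoip_db_present "$rg_dir"; then
    echo "ok"
    return 0
  fi

  # Purge first; ignore the error if the plugin is not registered at all.
  "$rg_plugin" remove ingest-geoip >/dev/null 2>&1 || true
  # --batch answers the permission prompt, which a Docker build cannot do.
  if ! "$rg_plugin" install --batch ingest-geoip >/dev/null 2>&1; then
    echo "install-failed"
    return 1
  fi

  if geoip_db_present "$rg_dir"; then
    echo "repaired"
  else
    echo "still-missing"
    return 1
  fi
}

# When called with arguments (e.g. from a Dockerfile RUN step), do the repair:
#   repair-geoip.sh <dir-holding-the-geoip-databases>
if [ "$#" -ge 1 ]; then
  repair_geoip "$@"
fi
```

A non-zero exit fails the image build, so a container never starts with the `geoip` processor unable to load its database.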
