Hello,
We use the SentinelOne integration through fleet in our Elastic Cloud environment.
Events are being received and processed.
The issue is we get "_geoip_database_unavailable_GeoLite2-City.mmdb" errors on all agent logs.
We use the built-in ingest pipelines; no modifications have been made.
Other sources, like our firewall logs, which are also collected with the built-in integration, have no such issues and GeoIP works. I also see no difference between the working and failing GeoIP pipeline sections.
I am doubting whether the ingest pipeline is the source. The error is only visible as a tag, but the pipeline code suggests that there needs to be a field "error.message" containing the error. There is no "error.message" field.
Elastic Cloud version: 8.6.2
Agent version: 8.6.2
Pipeline: logs-sentinel_one.agent-1.5.0
Error: _geoip_database_unavailable_GeoLite2-City.mmdb
Pipeline code:
{
  "geoip": {
    "field": "json.externalIp",
    "target_field": "host.geo",
    "ignore_missing": true,
    "if": "ctx.json?.externalIp != null && ctx.json.externalIp != ''",
    "on_failure": [
      {
        "append": {
          "field": "error.message",
          "value": "{{{_ingest.on_failure_message}}}"
        }
      }
    ]
  }
}
I would appreciate any help.
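An added triage helper for the situation described above; this is example code written for this thread, not code from the poster, the SentinelOne integration, or Elastic. It assumes (as labelled in the comments) that when the GeoLite2 database is not available, the geoip processor adds a `_geoip_database_unavailable_<file>` entry to the document's `tags` field and continues without raising, so the processor's `on_failure` handlers never run and `error.message` stays empty, whereas a genuine processor failure does go through `on_failure` and lands in `error.message`. The pipeline id and field name come from the post; the sample response is constructed, not real cluster output.

```python
"""Triage helper for the three outcomes of the geoip processor (added example).

Assumption: an unavailable database produces only a `tags` entry named
`_geoip_database_unavailable_<file>`; it is not an error, so `on_failure`
(and therefore `error.message`) is not involved. A real processor failure
does populate `error.message` via the pipeline's `on_failure` append.
"""
import json

PIPELINE_ID = "logs-sentinel_one.agent-1.5.0"   # pipeline named in the post
GEOIP_DB = "GeoLite2-City.mmdb"
UNAVAILABLE_TAG = f"_geoip_database_unavailable_{GEOIP_DB}"


def build_simulate_request(external_ips):
    """Body for POST /_ingest/pipeline/<id>/_simulate.

    One document per IP, placed in the field the SentinelOne pipeline reads
    (json.externalIp), so the geoip processor's `if` condition is satisfied.
    """
    return {"docs": [{"_source": {"json": {"externalIp": ip}}} for ip in external_ips]}


def classify_geoip_result(source):
    """Classify one document _source as produced by the pipeline.

    Returns one of: 'db_unavailable' (tag present, no error),
    'processor_error' (error.message populated by on_failure),
    'enriched' (host.geo present), or 'skipped' (nothing happened).
    """
    tags = source.get("tags") or []
    if any(t.startswith("_geoip_database_unavailable_") for t in tags):
        return "db_unavailable"
    if (source.get("error") or {}).get("message"):
        return "processor_error"
    if (source.get("host") or {}).get("geo"):
        return "enriched"
    return "skipped"


def summarize(simulate_response):
    """Count outcomes across a _simulate response (docs[].doc._source)."""
    counts = {}
    for entry in simulate_response.get("docs", []):
        src = entry.get("doc", {}).get("_source", {})
        outcome = classify_geoip_result(src)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample response showing all three outcomes (placeholder values,
# not output from a real cluster; the geo country code is a dummy).
SAMPLE_RESPONSE = {
    "docs": [
        {"doc": {"_source": {"json": {"externalIp": "203.0.113.10"},
                             "tags": [UNAVAILABLE_TAG]}}},
        {"doc": {"_source": {"json": {"externalIp": "not-an-ip"},
                             "error": {"message": ["constructed on_failure message"]}}}},
        {"doc": {"_source": {"json": {"externalIp": "198.51.100.7"},
                             "host": {"geo": {"country_iso_code": "XX"}}}}},
    ]
}

if __name__ == "__main__":
    # Print the request body to send to the cluster, then triage the sample.
    print(json.dumps(build_simulate_request(["203.0.113.10"]), indent=2))
    print(summarize(SAMPLE_RESPONSE))
```

To use it against a real cluster, send the output of `build_simulate_request` to `POST /_ingest/pipeline/logs-sentinel_one.agent-1.5.0/_simulate` and pass the JSON response to `summarize`; a result dominated by `db_unavailable` with no `processor_error` entries points at database availability on the ingest nodes rather than at the pipeline's `on_failure` block, which only ever runs for `processor_error` cases.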