SentinelOne integration GeoIP database error

Hello,

We use the SentinelOne integration through Fleet in our Elastic Cloud environment.
Events are being received and processed.

The issue is that we get "_geoip_database_unavailable_GeoLite2-City.mmdb" errors on all agent logs.
We use the built-in ingest pipelines; no modifications have been made.
Other sources, such as our firewall logs, which are also collected with the built-in integration, have no such issues and GeoIP works. I also see no difference between the working and failing GeoIP pipeline sections.

I doubt whether the ingest pipeline is the source. The error is only visible as a tag, but the pipeline code suggests that there should be a field "error.message" containing the error. There is no "error.message" field.

Elastic Cloud version: 8.6.2
Agent version: 8.6.2
Pipeline: logs-sentinel_one.agent-1.5.0
Error: _geoip_database_unavailable_GeoLite2-City.mmdb

Pipeline code:

  {
    "geoip": {
      "field": "json.externalIp",
      "target_field": "host.geo",
      "ignore_missing": true,
      "if": "ctx.json?.externalIp != null && ctx.json.externalIp != ''",
      "on_failure": [
        {
          "append": {
            "field": "error.message",
            "value": "{{{_ingest.on_failure_message}}}"
          }
        }
      ]
    }
  },

I would appreciate any help.

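The tag in the post, `_geoip_database_unavailable_GeoLite2-City.mmdb`, is the form Elasticsearch uses when the geoip processor cannot find its database: the processor skips the document and tags it rather than throwing, which is why the `on_failure` handler never populates `error.message`. The following script is an added example, not code from the original post or from the SentinelOne integration; it reads `_source` documents as NDJSON, finds the ones carrying that tag and summarises them by data stream and database name, so you can see which integrations are affected and confirm that `error.message` is indeed empty for them. The sample documents are constructed for the example.

```python
"""Triage helper for the _geoip_database_unavailable_* ingest tag.

Added example (not part of the original post or the SentinelOne
integration). It scans documents as they come out of Elasticsearch
(_source), finds those the geoip processor tagged because its database
was unavailable, and counts them per data stream and database file.
"""
import json
import re
from collections import Counter

# Elasticsearch tags a document `_geoip_database_unavailable_<db file>`
# when the geoip processor cannot find its database. No exception is
# thrown, so an on_failure handler does not run and error.message stays empty.
GEOIP_UNAVAILABLE_RE = re.compile(r"^_geoip_database_unavailable_(.+)$")

# Constructed sample documents (NDJSON, one document per line).
SAMPLE_NDJSON = """\
{"data_stream":{"dataset":"sentinel_one.agent"},"tags":["forwarded","_geoip_database_unavailable_GeoLite2-City.mmdb"],"json":{"externalIp":"203.0.113.10"}}
{"data_stream":{"dataset":"sentinel_one.agent"},"tags":["forwarded","_geoip_database_unavailable_GeoLite2-City.mmdb"],"json":{"externalIp":"198.51.100.7"}}
{"data_stream":{"dataset":"fortinet.firewall"},"tags":["forwarded"],"source":{"geo":{"country_iso_code":"NL"}}}
{"data_stream":{"dataset":"sentinel_one.agent"},"tags":["forwarded"],"error":{"message":["some unrelated failure"]}}
"""


def geoip_unavailable_dbs(doc):
    """Return the database file names named by any _geoip_database_unavailable_* tags."""
    return [m.group(1) for t in doc.get("tags", [])
            if (m := GEOIP_UNAVAILABLE_RE.match(t))]


def triage(ndjson):
    """Count tagged documents per (dataset, database file) and record how many
    of those tagged documents also carry a populated error.message."""
    counts = Counter()
    tagged_with_error_message = 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        dbs = geoip_unavailable_dbs(doc)
        if not dbs:
            continue
        dataset = doc.get("data_stream", {}).get("dataset", "unknown")
        for db in dbs:
            counts[(dataset, db)] += 1
        if doc.get("error", {}).get("message"):
            tagged_with_error_message += 1
    return {"counts": dict(counts),
            "tagged_with_error_message": tagged_with_error_message}


if __name__ == "__main__":
    result = triage(SAMPLE_NDJSON)
    for (dataset, db), n in sorted(result["counts"].items()):
        print(f"{dataset}: {n} document(s) tagged as missing {db}")
    print("tagged documents that also had error.message:",
          result["tagged_with_error_message"])
```

Feed it an export from the affected data stream (for example the output of a search with `_source` written one document per line) and a count that stays at zero for `tagged_with_error_message` confirms the observation in the post: the tag is the only trace the processor leaves when the database is absent.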

Perhaps try this...

Disable and re-enable the geoip databases.

Also, is that the complete error?

Where are you seeing that?


OK, this is annoying and not at the same time...
My colleagues upgraded our Elastic Cloud cluster yesterday to 8.7.1, and since May 12th 11:07 we have the first geo_ip entries.
So it works now... 🙂

The error was added as a tag to the events.

Thanks for your response anyway.

At least I learned something new 🙂
