Closed
Description
Using the apache2 integration configured in Fleet results in logs being parsed correctly, BUT with no GeoIP mapping. Processor seems not to be working.
If using the apache-source.log with agent directly sending data to Elasticsearch instead of having Logstash run Ingest Pipelines, GeoIP data is populated in the documents (and hence, correctly displayed in the Map for the integration's dashboard).
There are no error logs in Logstash.
Config:
```
filter {
  elastic_integration {
    cloud_id => "XX"
    auth_basic_username => "logstash"
    auth_basic_password => "XX"
    remove_field => ['_version']
    geoip_database_directory => "/etc/logstash/geoip/"
  }
}
```
Permissions:
```
roaksoax@andreserl-logstash-performance-ssd:/var/lib/logstash/dead_letter_queue$ ls -l /etc/logstash/
total 60
drwxr-xr-x 2 logstash logstash 4096 Apr 19 19:29 certs
drwxr-xr-x 2 root root 4096 Nov 30 08:45 conf.d
drwxr-xr-x 2 logstash logstash 4096 Apr 26 19:01 geoip
-rw-r--r-- 1 root root 1834 Jan 17 21:07 jvm.options
-rw-r--r-- 1 root root 1878 Dec 17 04:06 jvm.options.dpkg-old
-rw-r--r-- 1 root root 7437 Nov 30 08:40 log4j2.properties
-rw-r--r-- 1 root root 342 Nov 30 08:40 logstash-sample.conf
-rw-r--r-- 1 root root 780 Apr 19 19:44 logstash.yml
-rw-r--r-- 1 root root 15017 Mar 26 03:39 logstash.yml.dpkg-dist
-rw-r--r-- 1 root root 285 Nov 30 08:40 pipelines.yml
-rw------- 1 root root 1696 Nov 30 08:40 startup.options
roaksoax@andreserl-logstash-performance-ssd:/var/lib/logstash/dead_letter_queue$ ls -l /etc/logstash/geoip/
total 84192
-rw-r--r-- 1 logstash logstash 8154123 Apr 24 22:05 GeoLite2-ASN.mmdb
-rw-r--r-- 1 logstash logstash 72209755 Apr 24 22:06 GeoLite2-City.mmdb
-rw-r--r-- 1 logstash logstash 5844936 Apr 24 22:06 GeoLite2-Country.mmdb
```