logstash shutsdown because of GeoIP

[grkravi]

Hello, I followed the steps for Manual PFELK Install on Ubuntu 24.10. Dashboards are empty though. I found logstash is failing from the syslog messages and there's no GeoIP folder in /usr/share. I did do "sudo geoipupdate" and did not see any errors. Also, shoud i do rsyslog configuration for recieving logs on 5140 port? I don't see anything listening on this port with the "ss" command.

Syslog-

2024-10-29T12:33:29.430932-05:00 elk logstash[12061]: [2024-10-29T17:33:29,430][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Dlogstash.jackson.stream-read-constraints.max-string-length=200000000, -Dlogstash.jackson.stream-read-constraints.max-number-length=10000, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED, -Dio.netty.allocator.maxOrder=11]
2024-10-29T12:33:29.433909-05:00 elk logstash[12061]: [2024-10-29T17:33:29,433][INFO ][logstash.runner ] Jackson default value override logstash.jackson.stream-read-constraints.max-string-length configured to 200000000
2024-10-29T12:33:29.434302-05:00 elk logstash[12061]: [2024-10-29T17:33:29,434][INFO ][logstash.runner ] Jackson default value override logstash.jackson.stream-read-constraints.max-number-length configured to 10000
2024-10-29T12:33:30.305350-05:00 elk logstash[12061]: [2024-10-29T17:33:30,304][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
2024-10-29T12:33:36.091236-05:00 elk logstash[12061]: [2024-10-29T17:33:36,090][INFO ][org.reflections.Reflections] Reflections took 146 ms to scan 1 urls, producing 138 keys and 481 values
2024-10-29T12:33:37.087825-05:00 elk logstash[12061]: [2024-10-29T17:33:37,087][ERROR][logstash.filters.geoip ] Invalid setting for geoip filter plugin:
2024-10-29T12:33:37.088042-05:00 elk logstash[12061]: filter {
2024-10-29T12:33:37.088125-05:00 elk logstash[12061]: geoip {
2024-10-29T12:33:37.088195-05:00 elk logstash[12061]: # This setting must be a path
2024-10-29T12:33:37.088248-05:00 elk logstash[12061]: # File does not exist or cannot be opened /usr/share/GeoIP/GeoLite2-City.mmdb
2024-10-29T12:33:37.088292-05:00 elk logstash[12061]: database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
2024-10-29T12:33:37.088349-05:00 elk logstash[12061]: ...
2024-10-29T12:33:37.088393-05:00 elk logstash[12061]: }
2024-10-29T12:33:37.088432-05:00 elk logstash[12061]: }
2024-10-29T12:33:37.097983-05:00 elk logstash[12061]: [2024-10-29T17:33:37,094][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:pfelk, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.", :backtrace=>["org.logstash.config.ir.CompiledPipeline.(CompiledPipeline.java:120)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:186)", "org.logstash.execution.AbstractPipelineExt$INVOKER$i$initialize.call(AbstractPipelineExt$INVOKER$i$initialize.gen)"

[grkravi]

I am able to get the dashboards populated by updating the 30-geoip file not to use MaxMind. Will continue to troubleshoot this issue.

[a3ilson]

@grkravi - do you know the path of where the *.mmdb files from MaxMind were installed?

[grkravi]

Thanks. Its installed on /var/lib. Let me use this path instead on 30-geoip file and give it a try. I had one more question, is it possible to report top visited websites by IP?