Logstash Crashing GeoIP Volume Location

[mmohoney]

Describe the bug Logstash crashes due to the volume path in the docker-compose.yml for GeoIP. According to that error it is looking in the path /usr/share/GeoIP/, but the volume is mounted to /usr/share/logstash/GeoIP/

https://github.com/3ilson/docker-pfelk/blob/651a902cfe7a22b637046d6938d3a0d3a996c442/docker-compose.yml#L102

[ERROR] 2020-04-08 22:00:03.265 [Converge PipelineAction::Create<main>] geoip - Invalid setting for geoip filter plugin:,
,
  filter {,
    geoip {,
      # This setting must be a path,
      # File does not exist or cannot be opened /usr/share/GeoIP/GeoLite2-City.mmdb,
      database => "/usr/share/GeoIP/GeoLite2-City.mmdb",
,
.,
    },
  },

Changing this to be /usr/share/GeoIP/:/usr/share/GeoIP/ fixes the issue but would like to understand if that is not the intention.

To Reproduce Steps to reproduce the behavior: Follow the README.md on a fresh install.

Operating System (please complete the following information):

• OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"): Ubuntu 18.04.4 LTS
• Version of Docker (docker -v): 19.03.8
• Version of Docker-Compose (docker-compose -v): 1.24.1

Elasticsearch, Logstash, Kibana (please complete the following information):

• Version of ELK (cat /docker-pfelk/.env) Latest zip - afb6bec16f8c6870626b315cc8b52a7c5f8d2aad

  **Service logs

• docker-compose logs pfelk01
• docker-compose logs pfelk02
• docker-compose logs pfelk03
• docker-compose logs logstash
• docker-compose logs kibana

logstash.txt

Additional context Add any other context about the problem here.

[a3ilson]

@mmohoney - Awe....My last update dorked up all the paths.... I'm fixing them now

[a3ilson]

@mmohoney - All paths were updated and corrected. I just installed a fresh instance without any issues. I apologize for the inconvenience. Please give it another try (you'll need to download the pfelkdocker.zip that contains all the updated *.conf files).

[a3ilson]

Once you have verified that it works, please close this issue.

[mmohoney]

@a3ilson just stood up a new install successfully 👍 . I figured the paths needed updating as I had done that to get my install working earlier too.

[a3ilson]

Great/thanks!

[mmohoney]

I can open a new issue if you like, but as far as the dashboards, anything special besides using the pf-* index pattern and the files under the Dashboard folder? When I bring in the latest dashboard, most tiles say - "Could not locate that index-pattern-field (id: event.action.keyword)" and the like.

[mmohoney]

Should note, I have a manual install that I stood up in November with working dashboards but figured I would try Docker since I have a ton of other containers I run

[a3ilson]

@mmohoney - I just imported and didn't have any issues. You may need to let it collect logs for a few minutes and refresh the fields. (Kibana>>Management>>Index Patterns>>pf-* and click the refresh icon.

When importing be sure to select the corresponding index pattern - see image below:

[mmohoney]

Yep that was it. Refreshing the index after a while brought in the missing fields. Liking the docker install so far.

Thanks for the time!