The GeoIP processor adds information about the geographical location of IP addresses, based on data from the Maxmind databases.
This processor adds this information by default under the
geoip field. The
geoip processor can resolve both IPv4 and
The ingest-geoip plugin ships by default with the GeoLite2 City and GeoLite2 Country geoip2 databases from Maxmind made available under the CCA-ShareAlike 3.0 license. For more details see, http://dev.maxmind.com/geoip/geoip2/geolite2/
The GeoIP processor can run with other geoip2 databases from Maxmind. The files must be copied into the geoip config directory,
database_file option should be used to specify the filename of the custom database. Custom database files must be compressed
with gzip. The geoip config directory is located at
$ES_HOME/config/ingest-geoip and holds the shipped databases too.
This plugin can be installed using the plugin manager:
sudo bin/elasticsearch-plugin install ingest-geoip
The plugin must be installed on every node in the cluster, and each node must be restarted after installation.
This plugin can be downloaded for offline install from https://artifacts.elastic.co/downloads/elasticsearch-plugins/ingest-geoip/ingest-geoip-6.1.4.zip.
The plugin can be removed with the following command:
sudo bin/elasticsearch-plugin remove ingest-geoip
The node must be stopped before removing the plugin.
Intro to Kibana
ELK for Logs & Metrics