Can I get source IP from messaged logged via GELF UDP?

I am sending custom log messages via GELF UDP protocol and I am struggling to get the sender IP in Graylog dashboard. Is it possible?

I have tried to access gl2_remote_ip but that does not seem to exist. I was unable to view hidden properties such as gl2_remote_ip, how to do that?

I am using graylog 4.0.

Any help would be appreciated. Thanks!

Hello and Welcome,

If I understand you correct, then yes this can be done.
What have you tried so far? as in did you do a global search for “source” then add it to the dashboard?

Maybe something here will enlighten you.
https://docs.graylog.org/en/4.0/pages/dashboards.html

Thanks for the reply! I did read through the docs but I didn’t find any info about how to get source IP addresses.

The messages I log do have source set, but that’s just a string I fill-up on the sender side (I am sending the app name). Do I need to fill it up with IP? I was hoping that graylog would automatically get it from the UDP connection. I have found some info about the hidden gl2_remote_ip field that gets added to logged data automatically, but I was unable to access it.

Here is a bug from 2017 that talks about this:

Here is my code of a rule that is trying to access it:

rule "GeoIP lookup"
when
  has_field("gl2_remote_ip")
then

let geo = lookup("geoip", to_string($message.gl2_remote_ip));
set_field("src_ip_geo_location", geo["coordinates"]);
set_field("src_ip_geo_country", geo["country"].iso_code);
set_field("src_ip_geo_city", geo["city"].names.en);

end

Here is the raw message I am sending:

{
"version":"1.1",
"host":"myApp",
"short_message":"Test message",
"timestamp":1620186027.725,
"level":6
}

Im kind of confused your first post compared to your second post.
If were talking about source IP address to a dashboard then something like this

As for you pipe line with Geo IP I’m not sure. but here is mine on that subject.

rule "GeoIP lookup: src_ip"

when
       has_field("src_ip")
then
      let geo = lookup("geoip", to_string($message.src_ip));
      set_field("src_ip_geo_location", geo["coordinates"]);
      set_field("src_ip_geo_country", geo["country"].iso_code);
      set_field("src_ip_geo_city", geo["city"].names.en);
end

Here is the results from that.

EDIT: What kind of device is sending logs?
I set mine up like this from here.

Hope that helps.

It is my desktop app. I wrote the code for sending. This message is sent:

{
"version":"1.1",
"host":"myApp",
"short_message":"Test message",
"timestamp":1620186027.725,
"level":6
}

And it looks like this in graylog:
image

I’m unsure but I believe this has to do with your Lookup Tables.

Do you have MaxMind GeoLite2 Database?

Thanks for the replies. So I was testing many different things in the Simulator and I have found out that when I omit the host field from the message, graylog fills it up with the source IP and then everything works fine (using let geo = lookup("geoip", to_string($message.source)) in the rule). The issue is that the host field is mandatory according to GELF specification and omitting it causes warnings that mandatory host field is missing (for example in the server log file).

So my question now is how to get the source IP without omitting the host field? Because if I put any string to the host field, I will get that instead of IP. Or, why is the host field mandatory if it works without it?

Hello,

I’m sorry but not sure whats is going on. I must of misunderstood you original question.

The second post shows configuration of GEO IP pipeline. Then you went into the third post showing us you destop app with the message sent.

It seams that you have a couple different things going on and I’m unsure where to start helping you at this point. I did show how get the source and add it to the dashboard from my first post. I also showed you the correct way to set up your GEO IP ( link provided).

To sum it up from what I see here is:
Using GELF UDP input, but what kind of log shipper are you using?
Wrote some code on your desktop.
Using Geo IP to get the ipaddress from your desktop and you want it on your dashboard.

I’m not sure what your code looks like or did you post it already? If you provide what log shipper your using and what OS is on oyur desktop this might help.
Showing us your end results on what you want in greater detail would be much apperciated, :slight_smile:

The following links may help you, it seams like your using GEO IP to get your IP address from your desktop?

https://docs.graylog.org/en/4.0/pages/geolocation.html#faqs
https://docs.graylog.org/en/4.0/pages/geolocation.html
https://docs.graylog.org/en/4.0/pages/lookuptables.html#lookuptables

I appreciate all your help. I think am am still not describing the problem right. My problem from the first post is that I am unable to get source IP for my logs. I am intending to use these for geo-location and other things but that is not what I am struggling with, I got that part working.

I am sending logs via UDP protocol according to the GELF spec posted here:
https://docs.graylog.org/en/4.0/pages/gelf.html#gelf-payload-specification

I am not sure what log shipper is but I use no third-party code, I literally open an UDP connection and send payload similar to this:

{
"version":"1.1",
"host":"myApp",
"short_message":"Test message",
"timestamp":1620186027.725,
"level":6
}

This log is received by graylog’s GELF UDP input node and everything works fine, I can see all the posted fields from my messages, except I do not know where to get IP address (that I do not send as part of the log message but I expect graylog to know it).

By trial and error I have found that by omitting a mandatory host field in GELF message I will get the source IP substituted there, but this generates a lot of warnings since my messages are missing a mandatory field.

So I still don’t know how to get source IP when host field is preset in my message. And again, I do not want to send it as another field, I wanted to get it automatically on the receiving side.

Perhaps I can file a bug on github.