I’m using a GELF input to get Apache2 logs into Graylog (after a complete reset). I’m stuck on how to create a geolocation field properly. I believe the correct way is to do this via a pipeline, but I’m pretty sure that I’m doing it incorrectly and I don’t know why.
I’ve created the proper lookup tables, which seems pretty straightforward. First the Data Adapter, then the Cache, then the actual table. Everything went fine, without issues, and here are my tables:
Next, I created a stream to put the Apache2 messages in their own index (and remove them from the main index) based on a specific tag that I add to the message. This works as expected.
Next I went to Pipelines… I created a pipeline, and it appears to be receiving the messages:
The fields are created, AWESOME. But, the actual geolocation field is created as a “string” type and in order for me to use it in Grafana, I need it to be a “geohash” type… Is there a different value I should be pulling from the GeoIP Database?
Ok. So I have solved the issue, but I needed to manually update the base template for these logs. This was tricky LOL.
Is there any way to edit the default index template in Graylog directly before the index is created? I used Cerebro because I couldn’t figure out how to do it in Graylog.