I’m using a GELF input to get Apache2 logs into Graylog (after a complete reset). I’m stuck on how to create a geolocation field properly. I believe the correct way is to do this via a pipeline, but I’m pretty sure that I’m doing it incorrectly and I don’t know why.
I’ve created the proper lookup tables, which seems pretty straightforward. First the Data Adapter, then the Cache, then the actual table. Everything went fine, without issues, and here are my tables:
Next, I created a stream to put the Apache2 messages in their own index (and remove them from the main index) based on a specific tag that I add to the message. This works as expected.
Next, I went to Pipelines… I created a pipeline, and it appears to be receiving the messages:
I created the rule, and that also appears to be getting messages (also good, I believe LOL):
Now… Here is the rule source:
Also of note is the order of my Message Processors… I’m not sure if this is correct, but I’ve seen guides recommend this order.
When I look at the messages, they don’t have any of the dst_ip_geo* fields. Any idea what I’m doing wrong?
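For reference, here is an example of the kind of rule the steps above describe. This is an added example, not the poster's rule (which is not reproduced in the thread). It assumes the Apache2 messages carry the destination address in a field named `dst_ip`, that the lookup table created above is named `geoip`, and that the table is backed by a MaxMind City database adapter, whose result map exposes `coordinates`, `country` and `city` as in the Graylog documentation's GeoIP example:

```graylog
rule "GeoIP lookup: dst_ip"
when
  // only run when the source field exists (assumed field name: dst_ip)
  has_field("dst_ip")
then
  // "geoip" is an assumed lookup table name; use the name of the table created above
  let geo = lookup("geoip", to_string($message.dst_ip));
  // write the geolocation fields with the dst_ip_geo* prefix used in the question
  set_field("dst_ip_geo_location", geo["coordinates"]);
  set_field("dst_ip_geo_country", geo["country"].iso_code);
  set_field("dst_ip_geo_city", geo["city"].name);
end
```

Two things worth checking when a rule like this fires but the fields never show up: the lookup table's own "Test lookup" form on the Lookup Tables page should return a map for a sample address (if it returns nothing, the adapter or cache is the problem, not the rule), and the pipeline must be connected to the stream the Apache2 messages actually sit in at the time the Pipeline Processor runs. Since stream routing is done by the Message Filter Chain, that processor has to run before the Pipeline Processor in the processor order; otherwise a pipeline connected to the Apache2 stream sees the message before it has been routed there and the rule is never applied. The pipeline simulator shows which rules matched for a given test message and what fields came out, which makes it quick to tell these two failure modes apart.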