Geo-ip mapping ANY ipv4 field

JTHL · August 3, 2020, 5:38pm

In Graylog 2.2x with the geo-ip mapping plugin, it SEEMED like ANY field containing an ipv4 IP address would get enriched with geo-ip data.

It SEEMS like 3.3x’s documentation is saying you have to manually build a pipeline and know the field names ahead of time. With lots of data sources coming in, I am rarely going to be able to know for sure they will all be named like src_ip, source_ip, ip_source, or ip.

Is there a way to build the pipeline the old way?
rather than :
when
has_field(“src_ip”)
then

something like :
when
socket.inet_aton(whatever.field.value.variable.is)
then
… which requires
import socket

Does this make sense?

Ponet · August 4, 2020, 7:33am

I’ve got a 3.3.3 system running with GeoIP resolver enabled. Didn’t need to implement any pipeline rules.
Just provide the GeoLite2 database and it should work…

JTHL · August 5, 2020, 6:58pm

Ok so…
https://docs.graylog.org/en/3.3/pages/geolocation.html
According to this 3.3 doc, you can either do it the new way (pipeline) or the old way (2.5 style message processor)

So when you say it is working for you, you did it the old way?

Ponet · August 6, 2020, 5:49pm

Yes, I am using the message processor.

system · August 20, 2020, 5:49pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Geolocation issues Graylog Central (peer support) pipeline-rules	3	705	September 15, 2021
Pipeline does not work (caching or something?) Graylog Central (peer support)	4	301	July 24, 2023
Pipeline for creating a GeoIP dashboard Graylog Central (peer support) pipeline-rules , dashboards	12	1720	August 26, 2022
Pipeline rule is not working for postfix log Graylog Central (peer support) pipeline-rules , debuggingpl	5	1527	July 24, 2020
Pipelines Configuration Graylog Central (peer support) pipeline-rules , debuggingpl	14	1408	June 1, 2021

Geo-ip mapping ANY ipv4 field

Related topics