Geo-ip mapping ANY ipv4 field

In Graylog 2.2x with the geo-ip mapping plugin, it SEEMED like ANY field containing an ipv4 IP address would get enriched with geo-ip data.

It SEEMS like 3.3x’s documentation is saying you have to manually build a pipeline and know the field names ahead of time. With lots of data sources coming in, I am rarely going to be able to know for sure they will all be named like src_ip, source_ip, ip_source, or ip.

Is there a way to build the pipeline the old way?
rather than:
when
has_field("src_ip")
then

something like:
when
socket.inet_aton(whatever.field.value.variable.is)
then
… which requires
import socket

Does this make sense?
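The behaviour the question asks for, scanning every field instead of a known name, written out as an added Python example (not Graylog's code and not from this thread). It uses the ipaddress module in place of socket.inet_aton so that shorthand forms such as "127.1" are not mistaken for addresses, a constructed prefix table stands in for GeoLite2, and the `_geolocation` suffix and sample message are assumptions.

```python
import ipaddress

# Constructed stand-in for a GeoLite2 lookup: prefix -> (lat, lon).
# Not a real database; private ranges are absent, as in the real one.
GEO_LOOKUP = {
    "203.0.113.0/24": (51.5074, -0.1278),
    "198.51.100.0/24": (40.7128, -74.006),
}
_NETS = [(ipaddress.ip_network(p), ll) for p, ll in GEO_LOOKUP.items()]


def parse_ipv4(value):
    """Return an IPv4Address only for a strict dotted quad. ipaddress is used
    rather than socket.inet_aton, which also accepts shorthand like '127.1'
    or '0x7f000001' and would turn ordinary numeric fields into addresses."""
    if not isinstance(value, str):
        return None
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return ip if ip.version == 4 else None


def geolocate(ip):
    # Linear prefix match; sufficient for the constructed table above.
    for net, latlon in _NETS:
        if ip in net:
            return latlon
    return None


def enrich_message(fields):
    """Walk every field regardless of its name and add <field>_geolocation
    ("lat,lon") wherever the value is an IPv4 address the database knows.
    The suffix is assumed to mirror the 2.x resolver's convention."""
    out = dict(fields)
    for name, value in fields.items():
        ip = parse_ipv4(value)
        hit = geolocate(ip) if ip is not None else None
        if hit is not None:
            out[f"{name}_geolocation"] = f"{hit[0]},{hit[1]}"
    return out


SAMPLE = {  # constructed message with unpredictable field names
    "message": "accepted connection",
    "src_ip": "203.0.113.7",
    "ip_source": " 198.51.100.42 ",
    "client": "10.0.0.5",   # private: parses, but no database hit
    "bytes": "127.1",       # inet_aton would read this as 127.0.0.1
    "port": 443,
}
```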

I’ve got a 3.3.3 system running with GeoIP resolver enabled. Didn’t need to implement any pipeline rules.
Just provide the GeoLite2 database and it should work…


Ok so…
https://docs.graylog.org/en/3.3/pages/geolocation.html
According to this 3.3 doc, you can either do it the new way (pipeline) or the old way (2.5-style message processor).

So when you say it is working for you, you did it the old way?

Yes, I am using the message processor.

