I have tried millions of times to get GeoIP working on our instance. I have installed it, reinstalled it, configured it, rebooted, re-read every piece of documentation, but still cannot get it to show up. Any help would be greatly appreciated!
I recently succeeded in setting up the GeoIP config following those guidelines. However, I had an issue with the file path. Since I do not administer the host machine, another party put the tables in the wrong directory. You might want to check that too.
Check your processing order; your order is wrong if you use pipeline rules. Please move the Message Filter Chain before the Pipeline Processor.
Check whether your GeoIP lookup table works. Put an internet IP address into the Key field of the Test Lookup section, and it should return geo information.
If not, check whether your data adapter uses the correct Database type for your downloaded file. I use GeoLite2-City.mmdb with Database type: City Database. If you use only the Country database, change it to the correct type.
Best is to put the MaxMind databases in the /etc/graylog/server directory; check that the graylog service can read the file.
You need an extracted field containing only IP addresses, for example src_ip, to use in the lookup table. I couldn't see any IP field in your fields screenshot, so create an extractor or pipeline rule for IP field extraction first.
You can use the GeoIP lookup table in several places: Extractor, Converter, Decorator or Pipeline Rule.
There is no special GeoIP map icon in the field.
If you want to create a World Map widget, create a widget from the field src_ip_geo_location (or Show top values) and change the Visualization type to World Map.
If you use SELinux (CentOS, RHEL), try disabling it to check whether it's blocking access to the GeoIP DB file.
For example, I used this pipeline rule to add GeoIP data from the field src_ip.
rule "GeoIP lookup: src_ip"
when
    has_field("src_ip")
then
    let geo = lookup("geoip", to_string($message.src_ip));
    set_field("src_ip_geo_location", geo["coordinates"]);
    set_field("src_ip_geo_country", geo["country"].iso_code);
    set_field("src_ip_geo_city", geo["city"].names.en);
end
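An added example, not part of shoothub's post and not Graylog project code, that puts the two steps of the answer together: first derive src_ip from the syslog text (the "create an extractor or pipeline rule first" step), then run the lookup only for addresses the database can actually answer for. Assumptions: the lookup table is named "geoip" as in the rule above, the log text contains "from <IPv4 address>" (a constructed pattern; adjust the regex to the real log line), and only IPv4 is handled. The public-address guard is there because GeoLite2 has no rows for RFC 1918, loopback or link-local ranges, so lookup() returns null for them and the geo fields would stay empty; checking this before the lookup keeps the World Map widget from counting those messages. Each rule goes in its own pipeline stage (0, 1, 2) connected to the stream, with the Message Filter Chain ordered before the Pipeline Processor as noted above. The same three rules work for gl2_remote_ip (the address of the host that delivered the message to Graylog) by substituting the field name.

```graylog
// Stage 0: derive src_ip from the raw syslog text.
// Assumption (constructed): the message body contains "... from 203.0.113.5 ...".
// regex() numbers capture groups from 0, so m["0"] is the dotted quad.
rule "GeoIP step 1: extract src_ip from message"
when
    has_field("message")
    && ! has_field("src_ip")
    && regex("from\\s+(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message)).matches == true
then
    let m = regex("from\\s+(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message));
    set_field("src_ip", m["0"]);
end

// Stage 1: flag whether src_ip is a routable IPv4 address. GeoLite2 carries no
// entries for private, loopback or link-local ranges, so lookup() would return null.
rule "GeoIP step 2: flag public src_ip"
when
    has_field("src_ip")
then
    // an unparsable value falls back to 0.0.0.0, which the first cidr_match rejects
    let ip = to_ip(to_string($message.src_ip), "0.0.0.0");
    let is_public = ! cidr_match("0.0.0.0/8", ip)
        && ! cidr_match("10.0.0.0/8", ip)
        && ! cidr_match("127.0.0.0/8", ip)
        && ! cidr_match("169.254.0.0/16", ip)
        && ! cidr_match("172.16.0.0/12", ip)
        && ! cidr_match("192.168.0.0/16", ip);
    set_field("src_ip_is_public", is_public);
end

// Stage 2: only now query the lookup table, so messages from internal hosts
// never end up with empty geo fields.
rule "GeoIP step 3: lookup public src_ip"
when
    has_field("src_ip_is_public") && to_bool($message.src_ip_is_public) == true
then
    // "geoip" is the lookup table name from System > Lookup Tables (assumed here)
    let geo = lookup("geoip", to_string($message.src_ip));
    set_field("src_ip_geo_location", geo["coordinates"]);
    set_field("src_ip_geo_country", geo["country"].iso_code);
    set_field("src_ip_geo_city", geo["city"].names.en);
end
```

To verify the chain, send one test message whose text contains a public address (for example a documentation address such as 203.0.113.5 will not resolve; use a real internet address) and one with 192.168.x.x: the first should gain src_ip_geo_country and appear on the World Map widget built from src_ip_geo_location, the second should carry src_ip_is_public = false and no geo fields.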
I am so sorry for my unclear question.
Let me begin from the start:
I want to configure Graylog Server (Graylog 3.2.4 installed on Ubuntu 18.04) to use GeoIP.
I read these articles:
But I don't have this field "src_ip".
I understand that I must use an extractor or pipeline rule, but I can't write a correct rule for it!
Can you help me?
I use this type of logs:
RSYSLOG_SyslogProtocol23Format
I had added it on my other Ubuntu server.
And for it I want to use GeoIP.
Yes, I understand that these are basic concepts.
Please help.
I am stuck.
Hi @polinafrolov,
you posted only a generic type of log. RSYSLOG_SyslogProtocol23Format means the syslog RFC 5424 standard log format, but it's too generic; there is no generic extractor for a source IP address to use in GeoIP. From which source (program, web server, firewall?) do you want to add GeoIP information?
@shoothub
I want to show all of my servers on a World Map.
Is it possible to get the information from gl2_remote_ip into src_ip
and then put it on a World Map and show all of my VPS servers?
Next we plan to use UFW and Nginx/Apache logs.
@shoothub
For example, can I use this code:
rule "GeoIP lookup: src_ip"
when
    has_field("gl2_remote_ip")
then
    let geo = lookup("geoip", to_string($message.gl2_remote_ip));
    set_field("gl2_remote_ip_geo_location", geo["coordinates"]);
    set_field("gl2_remote_ip_geo_country", geo["country"].iso_code);
    set_field("gl2_remote_ip_geo_city", geo["city"].names.en);
end