GEO IP Not Working

Hey Everyone,

I have tried millions of times to get GEO IP working on our instance. I have installed it, reinstalled it, configured it, rebooted, and reread every piece of documentation, but I still cannot get it to show up. Any help would be greatly appreciated!

Thank you

And what is your exact problem? What steps did you take, and where did you get stuck? What version of Graylog do you use?

I followed these steps http://docs.graylog.org/en/3.2/pages/geolocation.html#setup

Here are some screenshots. Pretty much, I cannot see a geoip map in the fields section, or anywhere to enable it to view the map on a dashboard.

I’ve followed these great articles without problem:


Yes, I couldn't tell you the amount of times I have viewed these articles.

I recently succeeded in setting up the geoIP config following those guidelines. However, I had an issue with the file path. Since I do not administer the host machine, the other party put the tables in the wrong directory. You might want to check that too.

Check these things:

  1. Check your processing order; your order is wrong if you use pipeline rules. Please move your Message Filter Chain before the Pipeline Processor.
  2. Check if your geoip lookup table works. Put an internet IP address into the Key field in the Test Lookup section, and it should return GEO information.
  3. If not, check in your data adapter whether you use the correct Database type for your downloaded file. I use GeoLite2-City.mmdb and Database type: City Database. If you use only the Country database, change to the correct type.
  4. It is best to put the MaxDB databases in the /etc/graylog/server directory; check that the graylog service can read the file.
  5. You need an extracted field with an IP address, for example src_ip containing only IP addresses, to use in the lookup table. I couldn't see any IP field in your fields screenshot. So create an extractor or pipeline rule for IP field extraction first.
  6. You can use the geo IP lookup table in several places: Extractor, Converter, Decorator or Pipeline Rule.
  7. There is no special geoip map icon in the field.
  8. If you want to create a World Map widget, create the widget from the field src_ip_geo_location (or Show top values) and change the Visualization type to World Map.
  9. If you use SELinux (CentOS, RHEL), try disabling it to check whether it is blocking access to the geoip db file.

For example, I used this pipeline rule to do the GeoIP lookup from the field src_ip.

    rule "GeoIP lookup: src_ip"
    when
      // only run for messages that already carry an extracted src_ip field
      has_field("src_ip")
    then
      // "geoip" is the name of the lookup table
      let geo = lookup("geoip", to_string($message.src_ip));
      set_field("src_ip_geo_location", geo["coordinates"]);
      set_field("src_ip_geo_country", geo["country"].iso_code);
      set_field("src_ip_geo_city", geo["city"].names.en);
    end

1 Like
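
Items 4 and 9 of the checklist above, as an added example that is not part of the original thread: a Python check, meant to be run as root, of whether a service account can reach and read the database file according to Unix mode bits. The account name `graylog` and the function names are assumptions; POSIX ACLs and SELinux are not evaluated, so a pass here does not rule out SELinux.

```python
import os
import stat

def _allows(st, uid, gids, u_bit, g_bit, o_bit):
    # Classic Unix evaluation: owner bits, else group bits, else "other" bits.
    if uid == st.st_uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)

def check_db_readable(path, uid, gids):
    """Return (ok, reason): can the account uid/gids open path for reading?

    Mode bits only; POSIX ACLs and SELinux labels are not checked.
    """
    path = os.path.realpath(path)  # follow symlinks to the real file
    if not os.path.isfile(path):
        return False, f"{path} is missing or not a regular file"
    if uid == 0:
        return True, "root is not restricted by mode bits"
    # Every ancestor directory, from / down, needs the search (x) bit.
    ancestors = []
    cur = os.path.dirname(path)
    while True:
        ancestors.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    for directory in reversed(ancestors):
        if not _allows(os.stat(directory), uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search (x) permission on {directory}"
    if not _allows(os.stat(path), uid, gids,
                   stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, f"no read (r) permission on {path}"
    return True, "readable"

if __name__ == "__main__":
    import pwd
    db = "/etc/graylog/server/GeoLite2-City.mmdb"  # path used in this thread
    try:
        acct = pwd.getpwnam("graylog")  # assumed service account name
    except KeyError:
        raise SystemExit("no 'graylog' account on this host")
    groups = set(os.getgrouplist(acct.pw_name, acct.pw_gid))
    print(check_db_readable(db, acct.pw_uid, groups))
```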
  1. Corrected it. Thank you.
  2. This works. It displays GEO information.
  3. [root@logs ~]# ls -l /etc/graylog/server/
    
    total 69384
    -rw-r--r-- 1 root root 6723056 Jan 14 11:23 GeoLite2-ASN.mmdb
    -rw-r--r-- 1 root root 60206461 Jan 14 11:23 GeoLite2-City.mmdb
    -rw-r--r-- 1 root root 4035535 Jan 14 11:23 GeoLite2-Country.mmdb
    -rw-r--r-- 1 root root 2008 Mar 19 14:58 log4j2.xml
    -rw-r--r--. 1 root root 37 Jan 13 15:20 node-id
    -rw-r--r-- 1 root root 31571 Feb 4 14:10 server.conf
    -rw-r--r-- 1 root root 33575 Jan 31 10:24 server.conf.rpmnew
  4. See #3
  5. rule "GeoIP lookup: src_ip"
    when
      has_field("src_ip")
    then
      let geo = lookup("geoip", to_string($message.src_ip));
      set_field("src_ip_geo_location", geo["coordinates"]);
      set_field("src_ip_geo_country", geo["country"].iso_code);
      set_field("src_ip_geo_city", geo["city"].names.en);
    end

Sorry, I didn't see an extracted field src_ip in your screenshot. Do you have an extractor or pipeline rule which extracts src_ip from the message field?

Hi, I have some problems too.
Can you write a pipeline to extract the IP from gl2_remote_ip, if I want to use the following Graylog GeoIP config?

Hi @polinafrolov,
I didn't understand your question. Do you want to create a pipeline rule which adds geo IP information from the gl2_remote_ip field?

I am so sorry for my unclear question.
Let me start from the beginning:
I want to configure Graylog Server (Graylog 3.2.4 installed on Ubuntu 18.04) to use GeoIP.
I read these articles:



But I don't have this field "src_ip".
I understand that I must use an extractor or pipeline rule, but I can't write a correct rule for it!
Can you help me?

Hi @polinafrolov,

it's a basic concept in Graylog to extract fields from a message. Which source log do you use? Please post an example…

I use this type of logs:
RSYSLOG_SyslogProtocol23Format
I added it on my other Ubuntu Server,
and I want to use GeoIP for it.
Yes, I understand that it is a basic concept.
Please help,
I am stuck.

Hi @polinafrolov,
you posted only a generic type of log; RSYSLOG_SyslogProtocol23Format means a syslog RFC 5424 standard log. But it's too generic; there is no generic extractor for a source IP address for use in GeoIP. For which source (program, web server, firewall?) are you trying to add GeoIP information?

@shoothub
I want to show all of my servers on the World Map.
Is it possible to get the information from gl2_remote_ip into src_ip,
and then put it on the World Map and show all of my VPS servers?
Next we plan to use UFW and Nginx/Apache logs.

@shoothub
For example, can I use this code:

    rule "GeoIP lookup: src_ip"
    when
      has_field("gl2_remote_ip")
    then
      let geo = lookup("geoip", to_string($message.gl2_remote_ip));
      set_field("gl2_remote_ip_geo_location", geo["coordinates"]);
      set_field("gl2_remote_ip_geo_country", geo["country"].iso_code);
      set_field("gl2_remote_ip_geo_city", geo["city"].names.en);
    end

Hey @polinafrolov,

do your servers all have public IPs? Because only for those IPs do you have entries in the publicly available GeoIP database.

But overall, the code used in GEO IP Not Working will work.
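
The public-IP point from the reply above, as an added example that is not part of the original thread: a Python triage of `gl2_remote_ip` values that shows which ones can have an entry in a public GeoIP database and why the others return nothing. The function names and the sample messages are constructed for illustration.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

def geoip_eligibility(value):
    """Classify a field value; only "public" can have a GeoIP database entry."""
    try:
        ip = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in CGNAT:
        return "shared (CGNAT)"
    if ip.is_private:
        return "private"
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"

def triage(messages, field="gl2_remote_ip"):
    """Group message sources by verdict so empty lookup results are explained."""
    report = {}
    for msg in messages:
        verdict = geoip_eligibility(msg[field]) if field in msg else "field missing"
        report.setdefault(verdict, []).append(msg.get("source", "?"))
    return report

# Constructed sample messages (not taken from the thread).
SAMPLE = [
    {"source": "vps-01", "gl2_remote_ip": "8.8.8.8"},
    {"source": "vps-02", "gl2_remote_ip": "10.8.0.5"},
    {"source": "vps-03", "gl2_remote_ip": "192.168.1.20"},
    {"source": "vps-04", "gl2_remote_ip": "100.64.3.7"},
    {"source": "vps-05", "gl2_remote_ip": "127.0.0.1"},
    {"source": "vps-06"},
]

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE).items():
        print(f"{verdict:15} {', '.join(sources)}")
```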

Hi,
Thanks for your attention.
Yes, all is fine and works.
Closed