GEO IP Not Working

Check these things:

  1. Check your processing order; if you use pipeline rules, your order is wrong. Please move your Message Filter chain before the Pipeline Processor.
  2. Check if your GeoIP lookup table works. Put an internet IP address in the Key field of the Test Lookup section, and it should return GEO information.
  3. If not, check your data adapter to see whether you use the correct Database type for your downloaded file. I use GeoLite2-City.mmdb and Database type: City Database. If you use only the Country database, change it to the correct type.
  4. Best is to put the MaxMind databases in the /etc/graylog/server directory; check that the graylog service can read the file.
  5. You need an extracted field with IP addresses, for example src_ip with only IP addresses, to use in the lookup table. I couldn't see any IP field in your fields screenshot. So create an extractor or pipeline rule for IP field extraction first.
  6. You can use the GeoIP lookup table in several places: Extractor, Converter, Decorator or Pipeline Rule.
  7. There is no special GeoIP map icon in the field.
  8. If you want to create a World Map widget, create a widget from the field src_ip_geo_location (or Show top values) and change the Visualization type to World Map.
  9. If you use SELinux (CentOS, RHEL), try disabling it to check whether it's blocking access to the GeoIP DB file.

For example, I used this pipeline rule to do the GeoIP lookup from the field src_ip.

```
rule "GeoIP lookup: src_ip"
when
  has_field("src_ip")
then
  let geo = lookup("geoip", to_string($message.src_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

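Steps 3, 4 and 9 above (pick the right Database type for the file you downloaded, and make sure the service account can actually read it) can be checked before touching the Graylog UI. The following Python script is an added example and is not from the post above, nor part of Graylog or MaxMind: it reads the `database_type` string from the metadata section that the MMDB format keeps at the end of the file, maps it to the City/Country adapter setting, and checks the file's mode bits as a given user (the graylog service user) would see them. The function names, the adapter-type labels and the fake metadata blob in the `__main__` block are assumptions constructed for the demonstration; the string decoder is a shortcut over the `database_type` key only, not a full MMDB decoder.

```python
"""Pre-flight checks for a MaxMind .mmdb file before using it in a Graylog
GeoIP data adapter (added example, not Graylog/MaxMind code)."""
import grp
import os
import pwd
import stat

# The MMDB spec puts a metadata map at the end of the file, after this marker,
# somewhere within the last 128 KiB.
METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
METADATA_SEARCH_WINDOW = 128 * 1024
_UTF8_STRING = 2  # MMDB type code for UTF-8 string (top 3 bits of the control byte)


def _decode_string(data: bytes, offset: int) -> str:
    """Decode one MMDB UTF-8 string field that starts at data[offset]."""
    ctrl = data[offset]
    if ctrl >> 5 != _UTF8_STRING:
        raise ValueError("expected a UTF-8 string field at offset %d" % offset)
    size = ctrl & 0x1F
    offset += 1
    # Sizes of 29 and above spill into extra bytes, per the MMDB spec.
    if size == 29:
        size = 29 + data[offset]
        offset += 1
    elif size == 30:
        size = 285 + int.from_bytes(data[offset:offset + 2], "big")
        offset += 2
    elif size == 31:
        size = 65821 + int.from_bytes(data[offset:offset + 3], "big")
        offset += 3
    return data[offset:offset + size].decode("utf-8")


def database_type_from_bytes(tail: bytes) -> str:
    """Return the database_type value from the metadata section contained in `tail`.

    Shortcut, not a full decoder: find the marker, then the encoded
    'database_type' key, and decode the string value that follows it.
    """
    pos = tail.rfind(METADATA_MARKER)
    if pos < 0:
        raise ValueError("no MaxMind metadata marker found; is this an .mmdb file?")
    key = bytes([0x40 | len(b"database_type")]) + b"database_type"
    kpos = tail.find(key, pos)
    if kpos < 0:
        raise ValueError("metadata has no database_type key")
    return _decode_string(tail, kpos + len(key))


def read_database_type(path: str) -> str:
    """Read only the tail of the file, since the metadata sits at the end."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - METADATA_SEARCH_WINDOW))
        return database_type_from_bytes(fh.read())


def graylog_adapter_type(database_type: str) -> str:
    """Map a MaxMind database_type (e.g. GeoLite2-City) to the adapter setting.

    The labels are the ones mentioned in the post; the mapping itself is assumed.
    """
    if "City" in database_type:
        return "City Database"
    if "Country" in database_type:
        return "Country Database"
    raise ValueError("database_type not handled by this example: " + database_type)


def readable_by_user(path: str, username: str) -> bool:
    """Check the mode bits as `username` (e.g. the graylog service user) sees them.

    SELinux labels are not visible from stat(); check those with `ls -Z` (step 9).
    """
    st = os.stat(path)
    pw = pwd.getpwnam(username)
    groups = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem} | {pw.pw_gid}
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


if __name__ == "__main__":
    # Constructed metadata tail: marker, a one-entry map (0xe1), key and value.
    fake_tail = b"\x00" * 16 + METADATA_MARKER + b"\xe1" + b"\x4ddatabase_type" + b"\x4dGeoLite2-City"
    dbtype = database_type_from_bytes(fake_tail)
    print(dbtype, "->", graylog_adapter_type(dbtype))
    # On a real host: read_database_type("/etc/graylog/server/GeoLite2-City.mmdb")
    # and readable_by_user("/etc/graylog/server/GeoLite2-City.mmdb", "graylog").
```

Run it against the real file with `read_database_type("/etc/graylog/server/GeoLite2-City.mmdb")`; if it reports `GeoLite2-Country` while the adapter is set to City Database (or vice versa), the Test Lookup in step 2 will stay empty no matter what IP you enter.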