Geo IP pipeline: GeoIP database for more information

Hello all,

I am new to Graylog and to programming pipeline rules, but I was successful. BUT, there's a but.

I am also trying to extract this value.

My working GeoIP entries are the following:

rule "geo ip dst geoparser"
when
  has_field("dst")
then
  // split the raw message into key=value fields; the quote characters are
  // trimmed from keys and values (straight quotes, escaped, not typographic ones)
  set_fields(
    fields: key_value(
      value: to_string($message.message),
      trim_value_chars: "\",'",
      trim_key_chars: "\",'"
    )
  );
  let geo = lookup("geoip", to_string($message.dst));
  set_field("dst_ip_geo_location", geo["coordinates"]);
  set_field("dst_country_code", geo["country"].iso_code);
  set_field("dst_ip_geo_city", geo["city"].names.en);
end

As with the country iso_code, I made a rule like that, but it does not extract anything. I think it has to do with true/false.

Can somebody help me get it working? I need more experience with coding… so maybe for someone it's an easy thing.

My new pipeline:

rule "check_anonymous_ip"
when
  has_field("dst")
then
  // same key=value split as in the working rule above
  set_fields(
    fields: key_value(
      value: to_string($message.message),
      trim_value_chars: "\",'",
      trim_key_chars: "\",'"
    )
  );
  // Perform the GeoIP lookup
  let geo = lookup("geoip", to_string($message.dst));
  set_field("src_is_anonymous_proxy", geo["traits"].is_anonymous_proxy);
end

Or is the plugin limited so that it's not able to extract more than the first 3 entries? I don't think so.

Any help is really appreciated.

Best,

Fabius

It's possible it's because of the true/false; maybe try forcing it to to_string and see what happens. Or, to troubleshoot, I like to work up the ladder and set a field at a higher level of the variable to dump how exactly the data looks to the pipeline, so set_field("geo_traits", to_string(geo["traits"])) etc.
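The "work up the ladder" approach from the reply above, written out as a complete rule. This is an added example, not code from the original thread or from Graylog's documentation: the rule name and the debug field names are assumptions, and it assumes, as the original post does, that the "geoip" lookup table returns a traits sub-map with an is_anonymous_proxy key. It first stores the whole traits object as a string so you can see what the lookup actually returned, then extracts the boolean via to_string with an explicit default and converts it back with to_bool, so a missing key yields false instead of an empty field.

```graylog
// Added troubleshooting example (not from the original thread).
// Assumptions: lookup table "geoip" returns a map with a "traits" sub-map
// that contains "is_anonymous_proxy"; field names below are arbitrary.
rule "check_anonymous_ip_debug"
when
  has_field("dst")
then
  let geo = lookup("geoip", to_string($message.dst));

  // Step 1: dump the whole traits object as a string so the stored message
  // shows exactly what the pipeline sees (delete this once it works).
  set_field("dst_geo_traits_raw", to_string(geo["traits"]));

  // Step 2: read the boolean as a string with an explicit default, so an
  // absent key becomes "false" rather than an empty/unset field.
  let proxy_raw = to_string(geo["traits"].is_anonymous_proxy, "false");
  set_field("dst_is_anonymous_proxy_raw", proxy_raw);

  // Step 3: convert back to a real boolean for the final field.
  set_field("dst_is_anonymous_proxy", to_bool(proxy_raw, false));
end
```

Search for messages where dst_geo_traits_raw is present: if it is empty or missing, the lookup itself returns no traits for that address and the problem is the data source, not the boolean handling; if it contains is_anonymous_proxy, compare dst_is_anonymous_proxy_raw with dst_is_anonymous_proxy to see whether the boolean conversion is what drops the value.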
