GeoIP Country lookup fields not mapping

I would like to use the following rule, but I noticed that the “is_in_european_union” option isn’t being set.
The other fields are being set correctly.

rule "geoip-lookup"
when
  has_field("ClientIP")
then
  // Stringify the ClientIP field once and use it as the key into the
  // "geoip-lookup-table" lookup table.
  let client_ip = to_string($message.ClientIP);
  let geo_result = lookup("geoip-lookup-table", client_ip);

  // Coordinates plus the country's ISO code and English name.
  set_field("ClientIpGeolocation", geo_result["coordinates"]);
  set_field("ClientIpGeoCountryCode", geo_result["country"].iso_code);
  set_field("ClientIpGeoCountry", geo_result["country"].names.en);

  // EU-membership flag of the country record. This is the access reported on
  // this page as not populating the field on Graylog 4.0.6; the DEBUG log
  // shows "Unable to read property is_in_european_union" for it.
  set_field("ClientIpGeoCountryGdpr", geo_result["country"].is_in_european_union);

  // NOTE(review): despite the "CityCode" name, this stores the English city
  // name. The sample lookup on this page returns an empty city "names" map,
  // so downstream searches and alerts should not assume the field is set.
  set_field("ClientIpGeoCityCode", geo_result["city"].names.en);
end

Any suggestions on how to make this work?

@justinjett
Hello and Welcome.

Could I ask you a couple of questions? What version of Graylog are you using?
Could you link the documentation you used for your setup/configuration?

Maybe this will help; I found it while I was Googling.

https://dev.maxmind.com/geoip/geoip2/web-services/#represented_country

This is how I set mine up, using the link below but I’m also not in the EU, so not sure.

Hope that helps

When using represented_country it doesn’t seem to work either.

The is_in_european_union data doesn’t seem to be loading from the lookup database but I’m not sure why since the iso_code is loading correctly and it’s in the same array that is_in_european_union is in (https://dev.maxmind.com/geoip/geoip2/web-services/#country).

I am running the latest version of Graylog (4.0.6)

I’ll also note that the is_in_european_union key doesn’t appear to work in any of the objects it is listed in:

https://dev.maxmind.com/geoip/geoip2/web-services/#country
https://dev.maxmind.com/geoip/geoip2/web-services/#registered_country
https://dev.maxmind.com/geoip/geoip2/web-services/#represented_country

I can see it in the lookup table when I query an IP via the test lookup, so I know the key is present in the database.

{
  "single_value": "37.751,-97.822",
  "multi_value": {
    "continent": {
      "code": "NA",
      "geoname_id": 6255149,
      "names": {
        "de": "Nordamerika",
        "ru": "Северная Америка",
        "pt-BR": "América do Norte",
        "ja": "北アメリカ",
        "en": "North America",
        "fr": "Amérique du Nord",
        "zh-CN": "北美洲",
        "es": "Norteamérica"
      }
    },
    "country": {
      "confidence": null,
      "geoname_id": 6252001,
      "is_in_european_union": false,
      "iso_code": "US",
      "names": {
        "de": "USA",
        "ru": "США",
        "pt-BR": "Estados Unidos",
        "ja": "アメリカ合衆国",
        "en": "United States",
        "fr": "États-Unis",
        "zh-CN": "美国",
        "es": "Estados Unidos"
      }
    },
    "traits": {
      "autonomous_system_number": null,
      "autonomous_system_organization": null,
      "connection_type": null,
      "domain": null,
      "ip_address": "8.8.8.8",
      "is_anonymous": false,
      "is_anonymous_proxy": false,
      "is_anonymous_vpn": false,
      "is_hosting_provider": false,
      "is_legitimate_proxy": false,
      "is_public_proxy": false,
      "is_satellite_provider": false,
      "is_tor_exit_node": false,
      "isp": null,
      "organization": null,
      "user_type": null
    },
    "city": {
      "confidence": null,
      "geoname_id": null,
      "names": {}
    },
    "represented_country": {
      "confidence": null,
      "geoname_id": null,
      "is_in_european_union": false,
      "iso_code": null,
      "names": {},
      "type": null
    },
    "coordinates": "37.751,-97.822",
    "location": {
      "accuracy_radius": 1000,
      "average_income": null,
      "latitude": 37.751,
      "longitude": -97.822,
      "metro_code": null,
      "population_density": null,
      "time_zone": "America/Chicago"
    },
    "postal": {
      "code": null,
      "confidence": null
    },
    "registered_country": {
      "confidence": null,
      "geoname_id": 6252001,
      "is_in_european_union": false,
      "iso_code": "US",
      "names": {
        "de": "USA",
        "ru": "США",
        "pt-BR": "Estados Unidos",
        "ja": "アメリカ合衆国",
        "en": "United States",
        "fr": "États-Unis",
        "zh-CN": "美国",
        "es": "Estados Unidos"
      }
    },
    "subdivisions": []
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}

I also noticed DEBUG log entries showing that the pipeline was unable to read this property from the Country record:

2021-04-30T21:01:30.209Z DEBUG [FieldAccessExpression] Unable to read property isInEuropeanUnion from com.maxmind.geoip2.record.Country [ {"geoname_id":6252001,"is_in_european_union":false,"iso_code":"US","names":{"de":"USA","ru":"США","pt-BR":"Estados Unidos","ja":"アメリカ合衆国","en":"United States","fr":"États-Unis","zh-CN":"美国","es":"Estados Unidos"}} ]
2021-04-30T21:01:30.209Z DEBUG [FieldAccessExpression] [field access] property names of bean com.maxmind.geoip2.record.City: {}
2021-04-30T21:01:30.209Z DEBUG [FieldAccessExpression] Unable to read property en from {}
2021-04-30T21:01:30.210Z DEBUG [FieldAccessExpression] Unable to read property en from {}
2021-04-30T21:01:30.210Z DEBUG [PipelineInterpreter] [3c800050-a9f7-11eb-96a5-126c29ec5beb] rule `cloudflare-geoip-asn-lookup` matched running actions
2021-04-30T21:01:30.207Z DEBUG [FieldAccessExpression] Unable to read property is_in_european_union from com.maxmind.geoip2.record.Country [ {"geoname_id":6252001,"is_in_european_union":false,"iso_code":"US","names":{"de":"USA","ru":"США","pt-BR":"Estados Unidos","ja":"アメリカ合衆国","en":"United States","fr":"États-Unis","zh-CN":"美国","es":"Estados Unidos"}} ]
2021-04-30T21:01:30.210Z DEBUG [FieldAccessExpression] Unable to read property isInEuropeanUnion from com.maxmind.geoip2.record.Country [ {"geoname_id":6252001,"is_in_european_union":false,"iso_code":"US","names":{"de":"USA","ru":"США","pt-BR":"Estados Unidos","ja":"アメリカ合衆国","en":"United States","fr":"États-Unis","zh-CN":"美国","es":"Estados Unidos"}} ]

This was resolved. See GitHub issue for details.
