GeoIP doesn't seem to be working

adambirds · July 24, 2022, 12:01am

1. Describe your incident:

I am setting up a new Graylog server. My use is case is bringing in Nginx Logs and I want to be able to use the geo-locate function on the IPs to determine where most of traffic is coming from and which are the top IPs. But I can’t seem to get the geo-locate to work. The IPs are in the field remote_addr. I have configured the locations to the maxmind databases and it finds these correctly. I seem to have seen a lot of mentioning about the Message Processor order, but can’t seem to see any solid instruction as to what is needed. Mine currently is:

Message Filter Chain (active)
Pipeline Processor (active)
GeoIP Resolver (active)
AWS Instance Name Lookup (disabled)

The content pack I am using for Nginx SysLOG is GitHub - scriptingislife/graylog-content-pack-nginx-syslog: This content pack supports the NGINX syslog feature.

2. Describe your environment:

OS Information: Docker
Package Version: 4.3.3
Service logs, configurations, and environment variables: Not sure how to show logs.

3. What steps have you already taken to try and solve the problem?

Researching and playing around with the message processor order.

4. How can the community help?

Need some solid advice on how to fix it.

adambirds · July 24, 2022, 12:43am

I just realised that the Message Processor Order above had stopped my streams getting the messages. So I had to swap 1 and 2.

So my current order is:

Pipeline Processor
Message Filter Chain
GeoIP Resolver

However I still don’t see any Geo info despite the logs being in the correct streams now.

tmacgbay · July 25, 2022, 5:51am

Are you following instructions from this blog post on how to set up Graylog GeoIP Configuration This uses the pipeline to target fields that you specifically need… or are you following the documentation for scanning all messages that contain IPs and let the GEO-Location processor handle them?

H2Cyber · July 25, 2022, 4:20pm

@ adambirds : please post a screenshot of your Geolocation settings (System → Configurations. You can find the Geolocation settings under the Plugins / Geo-Location Processor section).

gsmith · July 26, 2022, 12:45am

@adambirds

GEO IP Not Working - #8 by shoothub

system · August 9, 2022, 12:45am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GeoLocation. Looking for advise? Graylog Central (peer support)	4	683	June 21, 2017
GrayLog3 GeoIP does not work! Graylog Central (peer support) pipeline-rules	4	1215	May 7, 2020
Geolocation / GeoIP confusion on 3.x Graylog Central (peer support)	2	1022	July 1, 2019
Graylog 4.0.2 Docker, Nginx Reverse Proxy - GeoIP not caching Graylog Central (peer support) pipeline-rules , debuggingpl	1	509	February 27, 2021
Netscaler GeoIP logging Graylog Central (peer support) pipeline-rules	4	138	January 26, 2024

GeoIP doesn't seem to be working

Related Topics