Do you use the Message Filter Chain (= Rules in the Stream overview) to filter your messages into streams? And are your logs on a different stream from All messages? I would guess that your pipeline is run first, but the messages are not in the corresponding streams at that moment.
Yes, this “Manage Rules” is what I was thinking of.
If you filter your messages here from All messages into the ufw stream, you will not be able to run pipelines on that stream. First your Pipelines run, and then your messages are pushed into the right stream. See the order for this in your first post. The pipeline will simply not have any messages to process.
I assume this rule is attached to a Pipeline in a stage, and that this Pipeline is attached to the stream “ufw stream”, correct?
If this is the case, this happens:
1. The pipelines run, with the messages in their streams. Your pipeline is attached to the stream ufw stream.
2. The Message Filter Chain runs and moves the messages out of “All messages” into ufw stream.
3. There is no more processing by pipelines, as that has already happened.
I think you will need to switch the order of Pipeline Processor and Message Filter Chain in your processing.
Your Pipeline is attached to All Messages; in this case it is correct to have the filter chain after the Pipelines.
Try this rule:
rule "geolocation coords lookup"
when
    // only run for messages that actually carry a source address
    has_field("src_ip")
then
    // query the "geoip" lookup table with the value of src_ip
    let result = lookup_value("geoip", $message.src_ip);
    // store the lookup result in a new field on the message
    set_field(field:"src_ip_geo_location", value:result);
end
How did you configure your Lookup-Table for “geoip”?
192.168.0.0/16 is RFC space and not routed on the internet. Every local LAN could use it, so geo-IP makes no sense in this case. Try a public IP instead:
From what I have seen so far… 192.168.x.x is a private address, so you will not see the “Red” dot on the widget; it works on public IP addresses. That is why 8.8.8.8 works: it is a public DNS server, and your address 192.168.xxx.xxx is private.
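As an added illustration (not part of the original thread, and written in Python rather than as a Graylog pipeline rule), the script below shows why the lookup above yields nothing for 192.168.x.x but works for 8.8.8.8: it pulls SRC= out of constructed ufw log lines, classifies the address with the standard `ipaddress` module, and only consults a GeoIP table when the address is globally routable. The field names `src_ip` and `src_ip_geo_location` are taken from the rule posted above; `GEOIP_TABLE`, the sample log lines and the helper names are constructed here for the example.

```python
"""Gate a GeoIP enrichment on whether the source address is globally routable.

Added example; the lookup table and log lines are constructed stand-ins,
not data from the original thread.
"""
import ipaddress
import re
from typing import Optional

# Constructed stand-in for a "geoip" lookup table (a real Graylog lookup
# table would query a MaxMind-style database instead).
GEOIP_TABLE = {
    "8.8.8.8": {"city": "Mountain View", "country": "US",
                "lat": 37.386, "lon": -122.084},
}

# Constructed ufw kernel-log lines in the format ufw writes via netfilter.
SAMPLE_LINES = [
    "[UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.10 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51234 DPT=22",
    "[UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=8.8.8.8 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=53 DPT=40000",
    "[UFW AUDIT] IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 PROTO=TCP DPT=8080",
]

_SRC_RE = re.compile(r"\bSRC=(\S+)")


def extract_src_ip(line: str) -> Optional[str]:
    """Return the SRC= value from a ufw log line, or None if absent."""
    match = _SRC_RE.search(line)
    return match.group(1) if match else None


def classify_ip(value: str) -> str:
    """Return 'global' for routable addresses, otherwise the reason a
    GeoIP lookup is pointless (private, loopback, link-local, ...)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    # Order matters: loopback and link-local are also "private" in newer
    # Python versions, so test the more specific scopes first.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link_local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:          # RFC 1918 (IPv4) / RFC 4193 (IPv6) etc.
        return "private"
    if not ip.is_global:       # other reserved space, e.g. 100.64.0.0/10
        return "reserved"
    return "global"


def geo_enrich(message: dict) -> dict:
    """Mimic the pipeline rule: set src_ip_geo_location only when src_ip
    is present and globally routable; record why otherwise."""
    out = dict(message)
    if "src_ip" not in out:            # has_field("src_ip") is false
        return out
    scope = classify_ip(out["src_ip"])
    out["src_ip_scope"] = scope
    if scope != "global":
        return out                     # private/reserved: no geo data exists
    result = GEOIP_TABLE.get(out["src_ip"])   # lookup_value("geoip", ...)
    if result is not None:
        out["src_ip_geo_location"] = result
    return out


def process_lines(lines) -> list:
    """Turn raw ufw lines into messages and enrich each one."""
    messages = []
    for line in lines:
        msg = {"message": line}
        src = extract_src_ip(line)
        if src is not None:
            msg["src_ip"] = src
        messages.append(geo_enrich(msg))
    return messages


if __name__ == "__main__":
    for m in process_lines(SAMPLE_LINES):
        print(m.get("src_ip"), m.get("src_ip_scope"), m.get("src_ip_geo_location"))
```

Only the second constructed line (SRC=8.8.8.8) ends up with `src_ip_geo_location`; the RFC 1918 and loopback addresses are tagged with their scope and skipped, which is the same outcome the map widget shows when it draws no dot for 192.168.x.x.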