Thank you for the explanation. I want to implement a new field (src_ip_geo_location, it is created in a rule) on my widget, but I am not seeing it. Why? How can I add it to my world map widget? @gsmith @ihe
Hi @er213
Two more questions, please answer both:
- Can you please search for
NOT src_ip:192.168.*
Do you have any results for the last two days?
- Can you search for
_exists_: src_ip _geo_location
in your stream for the last 2 days? Do you have any results?
Click Edit on the right:
and then add the field on the left in fields:
If you want to have a new world-map:
- add a new Aggregation on the left:
- click Edit
- choose world map as type
- group by src_ip_geo_location. The screen is slightly different here; put in your name.
- select metric as count()
- to have more than the 15 default values, increase the limit if necessary.
The new field src_ip_geo_location (created when adding the pipeline rule) is not showing, and is not being added. @ihe
you need to write
_exists_:src_ip_geo_location
and not
_exists_: src_ip _geo_location
Not shown. @ihe
Hey @er213
Click on "Search", then, if you can, show us what you see in the search box. This is located on the left pane, the "X".
My naming convention is a little different; I remove most of the underscores.
The src_ip_geo_location field is not shown. So what is the problem? I don't understand. @gsmith
Not sure @er213
Have you tried clicking "all including reserved"? If so, do you get the same outcome?
Wish I was there to help ya, but unfortunately I'm not. TBH it's probably something we're overlooking. It seems from what you posted that it looks correct, but I personally would double check all my configurations to ensure those are 100%.
Next, if you can, show the top values of src_ip; there should be a drop-down arrow next to that field.
Maybe extend the time range, perhaps 5 or 7 days.
I'm basically troubleshooting.
When I clicked show top values: @gsmith
OK, I see now. Well @er213, private IP addresses don't work in the environment. What you need is public addresses like this…
Perhaps a firewall/router at home, and send those logs to Graylog; this way you have website FQDN/public addresses available for Graylog.
I believe that was where @ihe was guiding you.
Let's put it this way: I bet on one of my 8 devices at home right now I have the same or similar IP address as you do, so in that case how would you get the geographical location "52.3759,4.8975"
(i.e. that's what the Geo databases use to make the red dots) of a device that has 192.168.0.0-255?
EDIT: @er213 I could be wrong, this might be part of the problem.
How can I add a public address in Graylog? I can't find it. @gsmith
Google "what is my ip address"; that should show you your public address. BTW, I would NOT show that address on any forum. That's why I stated send firewall or router logs to Graylog.
I see my public address on the web page, but Graylog uses my private address, and the new fields are not shown. @gsmith
Hi @er213
As long as you only have private/RFC addresses in your field, you will never get any geo-coordinates.
At the moment you are focusing on your src_ip. Are there maybe some destinations which are not from 192.168.0.0/16?
I understand your logs in a way that they come from a Linux box with ufw as a firewall. If the logs from this system contain some IP addresses from the outside world, you will be able to do some geo-based enrichment. If you see your public IP on some web pages, it is your address behind your device doing NAT. You can read more about NAT here: Network Address Translation Definition | How NAT Works | Computer Networks | CompTIA.
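As an added example (not code from this thread or from Graylog), here is the check @ihe describes, applied to constructed ufw log lines with Python's ipaddress module: only globally routable SRC/DST addresses can be geo-enriched, while RFC 1918 and other reserved ranges are reported as skipped, so you can see at a glance whether a stream contains anything a world map could plot. The log lines and the 8.8.8.8 destination are constructed sample values.

```python
import ipaddress
import re

# Constructed sample ufw kernel log lines (not taken from the thread).
# The first two carry only RFC 1918 addresses; the third has a public
# destination reached through the NAT device, which is what GeoIP can resolve.
SAMPLE_UFW_LOGS = [
    "Jun 10 12:00:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.168.1.23 DST=192.168.1.1 PROTO=TCP SPT=51234 DPT=22",
    "Jun 10 12:00:02 host kernel: [UFW ALLOW] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.23 PROTO=UDP SPT=53 DPT=40000",
    "Jun 10 12:00:03 host kernel: [UFW ALLOW] IN= OUT=eth0 SRC=192.168.1.23 DST=8.8.8.8 PROTO=TCP SPT=44321 DPT=443",
]

# Matches the SRC=... and DST=... tokens ufw writes into each line.
ADDR_RE = re.compile(r"\b(SRC|DST)=(\S+)")


def geo_eligible(ip_text):
    """Return True only for addresses a GeoIP database can resolve.

    Private (RFC 1918), loopback, link-local and other reserved ranges are
    not globally routable, so a lookup yields no coordinates; that is why a
    world map built on 192.168.x.x traffic stays empty.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # garbled token, not an IP at all
    return ip.is_global


def classify_ufw_logs(lines):
    """Split every SRC/DST address in the lines into geo-eligible and skipped sets."""
    eligible, skipped = set(), set()
    for line in lines:
        for _field, addr in ADDR_RE.findall(line):
            (eligible if geo_eligible(addr) else skipped).add(addr)
    return eligible, skipped


if __name__ == "__main__":
    ok, no = classify_ufw_logs(SAMPLE_UFW_LOGS)
    print("geo-eligible:", sorted(ok))
    print("skipped (private/reserved):", sorted(no))
```

If the eligible set is empty for your whole stream, no pipeline rule can produce src_ip_geo_location, regardless of how the widget is configured.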
Hey @er213
You don't add it; you need to get it by sending it in the log files and extracting it through some means. This would depend on what logs you send.