thank u for explantion. I want to new field(src_ip _geo_location it is in created in rule.) implementation on my widget but not seeing why ? how can add ? for my world map widget . @gsmith @ihe
Hi @er213
Two more questions, please answer both:
- can you please seach for
NOT src_ip:192.168.*
Do you have any results for the last two days? - can you search for
_exists_: src_ip _geo_locationin your stream for the last 2 days? Do you have any results?
Click Edit on the right:
and then add the field on the left in fields:
If you want to have a new world-map:
- add a new Aggregation on the left:
- click Edit
- choose world map as type
- group by src_ip_geo_loaction. The screen is slightly different here, put in your name.
- select metric as count()
- to have more than the 15 default values increase the limit if neccesary.
you need to write
_exists_:src_ip_geo_loaction
and not
_exists_: src_ip _geo_loaction
Hey @er213
Click on " Search", then if you can you show us what you see in the search box? This is located on the left pane , the “X”.
My naming convention is a little different, I remove most of the under scores.
Note sure @er213
have you tired clicking the " all including reserved"? if so do you get the same out come?
Wish I was there to help ya, but unfortunately I’m not. TBH its probably something were over looking. It seams from what you posted, look correct, but I personally would double check all my configurations to ensure those are 100%.
Next If you can, show the top values of src_ip, should be a drop down arrow next to that field.
Maybe extend the time range perhaps 5 or 7 days.
I’m basically troubleshooting
1 Like
Ok I see now. Well @er213 private IP addresses don’t work in the environment. What you need is Public Addresses like this…
Perhaps a firewall/router at home and send those logs to Graylog, this way you have web site FQDN/Public addresses available for Graylog
I believe that was where @ihe was guiding you.
Let’s put it this way , I bet on one of my 8 devices at home right now I have the same or similar IP Address as you do , so in that case how would you get the geographical location "52.3759,4.8975"
(i.e. that’s what the Geodatabases uses to make the red dotes) of a device that has 192,168,0.0-255. 
EDIT: @er213 I could be wrong, this might be part of the problem.
Google " what is my ip address" that should show you you public address, BTW I would NOT show that address on any forum. that why I stated send firewall or router logs to Graylog
i see my public adress on web page. but graylog use my prıvate adress. and not showed new fields @gsmith
do I need to make changes to the urls in the conf file? for example, I assigned http_publish_url
a public address, but the graylog interface did not work. I turned into the old. what am I supposed to do?
@gsmith @ihe
Hi @er213
as long as you only have private/RFC-Adresses in your field, you will never get any Geo-Coordinates.
At the moment you are focusing on your src_ip. Are there maybe some destinations, which are not from 192.168.0.0/16?
I understand your logs in a way, that they come from a linux box with ufw as a firewall. If the logs from this system contain some IP-addresses from the outside world, you will be able to do some geo-based enrichment. If you see your public IP on some webpages, it is your address behind your device doing NAT. You can read more about NAT here: Network Address Translation Definition | How NAT Works | Computer Networks | CompTIA.
1 Like
i tried to connect with nat (from the network settings), but the graylog interface with the 10.0 address did not open, whereas the 9000 port was resting.I couldn’t figure out how to add a public address.
@ihe @gsmith
Hey @er213
You don’t add it, you need to get it by send it in the log files and extracting it through means. This would depend on what logs you send.