GeoIP not working: WARN [MaxMindIpResolver] Error creating DatabaseReader for 'MaxMindIpAsnResolver' with config file ''

I recently set up Graylog 5.1.5 on a Red Hat 9.2 VM, and followed the Geolocation guides (Geolocation & How to Set Up Graylog GeoIP Configuration).

I got GeoLite2 set up, downloading the latest /usr/share/GeoIP/GeoLite2-City.mmdb, and I enabled the ‘GeoIP Resolver’ in the ‘Message Processors’ and the Geo-Location Processor plugin.

Message Processors:

| # | Processor | Status |
|---|---|---|
| 1 | AWS Instance Name Lookup | active |
| 2 | Pipeline Processor | active |
| 3 | GeoIP Resolver | active |
| 4 | Message Filter Chain | active |
| 5 | Stream Rule Processor | active |

Geo-Location Processor:

Enabled: Yes
Enforce default Graylog schema: Yes
Database vendor type: MaxMind GeoIP
City database path: /usr/share/GeoIP/GeoLite2-City.mmdb
ASN database path: /usr/share/GeoIP/GeoLite2-ASN.mmdb
Database refresh interval: 10 MINUTES
Pull files from S3 bucket: No

Lookup Tables:
Data Adapter Type: GeoIP Maxmind

Title: GeoIP
Description: GeoIP Lookup Table
Database file path: /usr/share/GeoIP/GeoLite2-City.mmdb
Database type: City database
Check interval: 1 minutes

Cache

Title: GeoIP
Description: GeoIP Cache
Maximum entries: 1000
Expire after access: 1 hours
Expire after write: Never

Lookup Table

Title: GeoIP
Description: GeoIP Lookup
Data adapter: GeoIP
Cache: GeoIP

Pipeline: GeoIP lookup: src_ip

```
rule "GeoIP lookup: src_ip"
when
  has_field("src_ip")
then
  let geo = lookup("geoip", to_string($message.src_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

Pipeline: GeoIP lookup: dst_ip

```
rule "GeoIP lookup: dst_ip"
when
  // Guard on the field actually being looked up, not only on the internal flag.
  has_field("dst_ip") &&
  has_field("dst_ip_is_internal") && $message.dst_ip_is_internal == false
then
  // The lookup table name has to match the table Graylog reports as RUNNING ("geoip"),
  // and the destination rule has to resolve dst_ip rather than src_ip.
  let geo = lookup("geoip", to_string($message.dst_ip));
  set_field("dst_ip_geolocation", geo["coordinates"]);
  set_field("dst_ip_geo_country_code", geo["country"].iso_code);
  set_field("dst_ip_geo_country_name", geo["country"].names.en);
  set_field("dst_ip_geo_city_name", geo["city"].names.en);
end
```

Graylog reports the Adapter, Cache, and Lookup Table start without error:

```
2023-09-22T14:57:53.850-07:00 INFO  [LookupTableService] Data Adapter geoip/650e0de198d0012a1c83d864 [@516e7578] RUNNING
2023-09-22T14:58:31.945-07:00 INFO  [LookupTableService] Cache geoip/650e0e0798d0012a1c83d8b5 [@307bbb03] STARTING
2023-09-22T14:58:31.946-07:00 INFO  [LookupTableService] Cache geoip/650e0e0798d0012a1c83d8b5 [@307bbb03] RUNNING
2023-09-22T14:59:13.907-07:00 INFO  [LookupTableService] Starting lookup table geoip/650e0e3198d0012a1c83d90f [@1254c39a] using cache geoip/650e0e0798d0012a1c83d8b5 [@307bbb03], data adapter geoip/650e0de198d0012a1c83d864 [@516e7578]
```

THE PROBLEM: I see no enriched log entries…

Hey @SoMoney

I assume you have the field called dst_ip_is_internal && src_ip already?

My field looked like this, without an underscore.

```
rule "GeoIP lookup: srcip"
when
  has_field("srcip")
then
  let geo = lookup("geoip", to_string($message.srcip));
  set_field("srcip_location", geo["coordinates"]);
  set_field("srcip_country", geo["country"].iso_code);
  set_field("srcip_city", geo["city"].names.en);
end
```


If everything else is correct, try these settings.

I would ensure that you have those fields; perhaps your fields are named differently.

```
has_field("dst_ip_is_internal")
```

Doh! I didn’t create the fields… The config guide made it sound like these would be created if Enforce default Graylog schema was enabled. I had this working in 4.8 and don’t recall creating those fields to get this going then, but I must have.

Okay, added a src_ip extractor on my input, changed my pipeline to point to that instead, and I now see geo fields. Thanks gsmith for the extra set of eyes I needed!

I made a regex to pull x.x.x.x but exclude 10.x, 192.x, and 127.x:

```
^(?!10\.|192\.|127\.)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$
```

But I noted an IP 1.0.2.3 hit on my vCenter log when it saw this:

```
/usr/lib/vmware/common-jars/bc-fips-1.0.2.3.jar
```

What do you use for your srcip extractor?


Hey @SoMoney

No problem man, glad to help :+1:

I’ll post it in a few.


I used this.

```
regex_value: srcip=+?((?:\d+\.){3}\d+).+
```

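The two extractor regexes in this thread take different approaches: the anchored dotted quad with a negative lookahead for 10./192./127., which still produced a 1.0.2.3 hit from a jar filename, and gsmith's key-anchored `srcip=` pattern. The script below is an added example, not code from the thread or from Graylog, and uses Python's `re` to stand in for the Java regex an extractor runs. It puts the naive dotted-quad match beside a key-anchored capture whose address cannot run on into more word characters, dots or dashes, then validates the capture with `ipaddress` and drops RFC1918, loopback and link-local sources by CIDR membership instead of by string prefix. The sample log lines are constructed; `SRC_IP`, `NON_PUBLIC` and the function names are this example's own. Graylog's regex extractor stores the first capture group, so the address is the only group in `SRC_IP`.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the thread): a public source address in
# key=value form, RFC1918 sources that should be skipped, the vCenter-style jar
# path whose version string looks like a dotted quad, and an out-of-range octet.
SAMPLE_LINES = [
    "srcip=203.0.113.45 dstip=10.0.0.5 action=allow",
    "srcip=10.1.2.3 dstip=192.168.1.1 action=allow",
    "loading /usr/lib/vmware/common-jars/bc-fips-1.0.2.3.jar",
    "srcip=172.16.5.9 dstip=198.51.100.7 action=deny",
    "srcip=999.1.1.1 dstip=198.51.100.7 action=deny",
]

# A bare dotted quad anywhere in the line: this is what fires on "1.0.2.3" in a jar name.
BARE_QUAD = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# Key-anchored capture (same idea as gsmith's srcip= regex): the address must follow
# "srcip=" and must not continue into more word characters, dots or dashes, so a
# version string or hostname fragment cannot be taken as the field value.
SRC_IP = re.compile(r"(?<![\w.-])srcip=((?:\d{1,3}\.){3}\d{1,3})(?![\w.-])")

# Ranges to leave un-enriched. The thread's lookahead (?!10\.|192\.|127\.) drops every
# address starting with "192.", not just 192.168/16, and misses 172.16/12 entirely;
# CIDR membership checks avoid both problems.
NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def find_dotted_quads(line: str) -> List[str]:
    """Naive extraction: every dotted quad anywhere in the line."""
    return BARE_QUAD.findall(line)


def is_non_public(addr: ipaddress.IPv4Address) -> bool:
    """True if the address falls in any range we do not want to geolocate."""
    return any(addr in net for net in NON_PUBLIC)


def extract_public_src_ip(line: str) -> Optional[str]:
    """Return the srcip= value if it is a valid IPv4 address outside NON_PUBLIC, else None."""
    m = SRC_IP.search(line)
    if m is None:
        return None
    try:
        addr = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        # \d{1,3} accepts octets like 999; the parser does not.
        return None
    return None if is_non_public(addr) else str(addr)


def geo_candidates(lines: List[str]) -> Dict[str, str]:
    """Map each line to the address a GeoIP lookup would run on; lines with none are omitted."""
    out: Dict[str, str] = {}
    for line in lines:
        ip = extract_public_src_ip(line)
        if ip is not None:
            out[line] = ip
    return out


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(f"{sample!r}")
        print(f"  bare quads: {find_dotted_quads(sample)}")
        print(f"  lookup on:  {extract_public_src_ip(sample)}")
```

Run against the constructed lines, only the first one yields an address to look up; the jar path still shows up under the naive dotted-quad scan but never reaches the lookup, because nothing there follows `srcip=`. The same split applies to a Graylog extractor: anchor the capture on the field's key, and leave the private-range exclusion to a pipeline rule or lookup table condition rather than to a prefix in the regex.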
