GeoIP on custom fields


(Kornflex) #1

Hello,

I followed the doc, and it works with the TCP raw input.

But, in my case, I use syslog TCP input.
The source field is my local server, not the user IP. So I created a new field called “clientIP” with an extractor.
clientIP is an IPv4 value.

How do I get GeoIP fields from this “clientIP”?

The GeoIP resolver is launched after all other processors (pipeline, filter, etc.) in the configuration menu.

Thank you very much for your help


(Jan Doberstein) #2

You might find this of interest: https://blog.reconinfosec.com/geolocation-in-graylog/


(Kornflex) #3

Thank you

Now I have :
2019-01-30T15:43:19.661+01:00 ERROR [MapDataResource] Map data query failed: Invalid geo data term for field “clientIP”: xxx.xxx.xxx.xxx (required: , - example: 1.23,3.11)

I don’t know why it doesn’t want an IP address :confused:


(Jan Doberstein) #4
  • Did you download the geo map?
  • When you want to get a map, you do that on the geo data (longitude and latitude) and not the IP.

(Kornflex) #5

I don’t understand :confused:

I thought that GeoIP gives me city, country, geo data (longitude and latitude), etc. from an IP.

So I extract the data and give it to the pipeline rule.

I follow this doc: http://docs.graylog.org/en/2.5/pages/geolocation.html?highlight=geoip
In your link :

creating rules for our two normalized IP fields and looking up the information we are interested in

then
let geo = lookup("geoip-lookup", to_string($message.src_ip));

Where am I wrong ?


(Jan Doberstein) #6

Sorry I had mapped the Error you had posted to the creation of a map-widget.

Did you download and enable the geo database?


(Kornflex) #7

Yes, GeoIP is configured. If I try the example given in the doc, it works.

GeoIP is loaded :
2019-01-30T16:23:52.569+01:00 INFO [LookupTableService] Starting lookup table GeoIP-lookup/5c51ba4382e42031dd3886c9 [@42437137] using cache geoip-cache/5c51b9f382e42031dd388671 [@1c501e9f], data adapter geoip/5c51b9a682e42031dd38861a [@6fe7bf42]
2019-01-30T16:23:52.569+01:00 INFO [LookupTableService] Replaced previous lookup table GeoIP-lookup [@2f6d132]
2019-01-30T16:25:36.572+01:00 INFO [LookupTableService] Starting lookup table geoip-lookup/5c51ba4382e42031dd3886c9 [@637a07c1] using cache geoip-cache/5c51b9f382e42031dd388671 [@1c501e9f], data adapter geoip/5c51b9a682e42031dd38861a [@6fe7bf42]

My pipeline rule :
rule "clientIP_geoIP"
when
  has_field("clientIP")
then
  // look up the extracted client IP in the GeoIP lookup table
  let geo = lookup("geoip-lookup", to_string($message.clientIP));
  // coordinates field, plus country and city details
  set_field("clientIP_geolocation", geo["coordinates"]);
  set_field("clientIP_geo_country_code", geo["country"].iso_code);
  set_field("clientIP_geo_country_name", geo["country"].names.en);
  set_field("clientIP_geo_city_name", geo["city"].names.en);
end

In my stream, I don’t see the geoloc fields I have added.

So when I try to create a world map, I have this error :
2019-01-31T14:04:53.922+01:00 ERROR [MapDataResource] Map data query failed: Invalid geo data term for field “clientIP”: 109.27.146.47 (required: , - example: 1.23,3.11)


(Jan Doberstein) #8

what geo ip database did you use?


(Kornflex) #9

This one : https://dev.maxmind.com/geoip/geoip2/geolite2/


(Kornflex) #10

WoW, I don’t understand but it works now !

Thank you :slight_smile:
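
Added example, not part of any post in this thread and not Graylog code: an offline check over exported messages that tells whether the `clientIP` enrichment from the rule in post #7 produced a value a world map can use, which is the distinction made in post #4. The geo term pattern is an assumption based on the error's own example (`1.23,3.11`), and the sample messages and coordinates are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed shape of a map geo term, inferred from the error's example "1.23,3.11".
GEO_TERM = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*$")


def is_geo_term(value):
    """True if value looks like "<latitude>,<longitude>" within valid ranges."""
    m = GEO_TERM.match(str(value))
    if not m:
        return False
    lat, lon = float(m.group(1)), float(m.group(2))
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def check_message(msg, ip_field="clientIP"):
    """Classify one message dict: is its GeoIP enrichment usable on a world map?"""
    geo_field = ip_field + "_geolocation"  # field name set by the rule in post #7
    raw = msg.get(ip_field)
    if raw is None:
        return "no_ip_field"
    try:
        ip = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return "ip_not_parseable"  # the extractor captured something that is not an IP
    if not ip.is_global:
        return "ip_not_public"     # private/reserved addresses are not expected to resolve
    if geo_field not in msg:
        return "not_enriched"      # the rule did not run, or the lookup returned nothing
    return "ok" if is_geo_term(msg[geo_field]) else "bad_geo_term"


def summarize(messages, ip_field="clientIP"):
    """Count how many messages fall into each status."""
    return Counter(check_message(m, ip_field) for m in messages)


# Constructed sample messages; the coordinates are illustrative, not real lookups.
SAMPLES = [
    {"clientIP": "8.8.8.8", "clientIP_geolocation": "37.751,-97.822"},
    {"clientIP": "8.8.8.8"},                                     # extracted, never enriched
    {"clientIP": "10.0.0.5"},                                    # internal client
    {"clientIP": "8.8.8.8", "clientIP_geolocation": "8.8.8.8"},  # IP where coordinates belong
    {"source": "syslog01"},                                      # extractor did not match
]

if __name__ == "__main__":
    for status, count in sorted(summarize(SAMPLES).items()):
        print(f"{status}: {count}")
```

Only messages reported as `ok` carry a `clientIP_geolocation` value suitable for a map; pointing the map at `clientIP` itself fails the geo term check, as in the error from post #7.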

