Hello,
I follow the doc, and it’s works with the TCP raw input.
But, in my case, I use syslog TCP input.
source field is my local server, not user IP. So I create a new field called “clientIP” with an extractor.
clientIP is an IPv4 value.
How to get GeoIP fields from this “clientIP” ?
GeoIP resolver is launch after all others processors like pipeline, filter etc… in configuration menu.
Thank you very much for your help
you might find this of intereset: https://blog.reconinfosec.com/geolocation-in-graylog/
Thank you
Now I have :
2019-01-30T15:43:19.661+01:00 ERROR [MapDataResource] Map data query failed: Invalid geo data term for field “clientIP”: xxx.xxx.xxx.xxx (required: , - example: 1.23,3.11)
I don’t know why he doesn’t want an IP address 
I don’t understand 
I thought that GeoIP gives me : city, country, geo data (longitute and latitude) etc…; from an IP
So I extract the data and give it to the pipeline rule.
I follow this doc: http://docs.graylog.org/en/2.5/pages/geolocation.html?highlight=geoip
In your link :
creating rules for our two normalized IP fields and looking up the information we are interested in
then
let geo = lookup(“geoip-lookup”, to_string($message.src_ip));
Where am I wrong ?
Sorry I had mapped the Error you had posted to the creation of a map-widget.
Did you download and enabled the geo database?
Yes, GeoIP is configured. If I try the example given in the doc, it works.
GeoIP is loaded :
2019-01-30T16:23:52.569+01:00 INFO [LookupTableService] Starting lookup table GeoIP-lookup/5c51ba4382e42031dd3886c9 [@42437137] using cache geoip-cache/5c51b9f382e42031dd388671 [@1c501e9f], data adapter geoip/5c51b9a682e42031dd38861a [@6fe7bf42] 2019-01-30T16:23:52.569+01:00 INFO [LookupTableService] Replaced previous lookup table GeoIP-lookup [@2f6d132] 2019-01-30T16:25:36.572+01:00 INFO [LookupTableService] Starting lookup table geoip-lookup/5c51ba4382e42031dd3886c9 [@637a07c1] using cache geoip-cache/5c51b9f382e42031dd388671 [@1c501e9f], data adapter geoip/5c51b9a682e42031dd38861a [@6fe7bf42]
My pipeline rule :
rule “clientIP_geoIP”
when
has_field(“clientIP”)
then
let geo = lookup(“geoip-lookup”, to_string($message.clientIP));
set_field(“clientIP_geolocation”, geo[“coordinates”]);
set_field(“clientIP_geo_country_code”, geo[“country”].iso_code);
set_field(“clientIP_geo_country_name”, geo[“country”].names.en);
set_field(“clientIP_geo_city_name”, geo[“city”].names.en);
end
In my stream, I don’t see the geoloc fields I have added.
So when I try to create a world map, I have this error :
2019-01-31T14:04:53.922+01:00 ERROR [MapDataResource] Map data query failed: Invalid geo data term for field “clientIP”: 109.27.146.47 (required: , - example: 1.23,3.11)
what geo ip database did you use?
WoW, I don’t understand but it works now !
Thank you 
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
