Hi all,
I have a problem with the GeoIP pipeline configuration. Specifically, the rule isn’t creating the custom fields I set for the Geo data. My log sources are two Nginx servers with custom JSON logging and fields. I used a content pack for this from the Marketplace; it was made for Graylog 3 and I am running Graylog 4.0.8, which is the only real difference.
I have searched the Google-sphere, which includes many, many posts from this site, and I’m still not getting this to fully work. For GeoIP, I’m using the pipeline method, with all the pieces in place. Testing via the Lookup Tables test function, I see results. The rule is correct as far as I can tell; here it is:
rule "remote_addr geoip lookup"
when
    has_field("remote_addr")
then
    let geo = lookup("geoip-lookup", to_string("remote_addr"));
    set_field("geo_location", geo["coordinates"]);
    set_field("geo_country_code", geo["country"].iso_code);
    set_field("geo_country_name", geo["country"].names.en);
    set_field("geo_city_name", geo["city"].names.en);
end
Yes, the field remote_addr is correct. I have already extracted it properly into its own IP field. Based on several things I have read, as long as the field contains an IP address, then GeoIP will (should) work. Here is a screen grab showing the Lookup Table test. The IP was pulled from the logs:
Additionally, if I create a decorator from the Lookup Table in Configurations, the decoration field is created and populated when viewing a log’s details. The world map does not see this decoration field as usable.
I’m happy to share whatever is needed. I’m really hoping it is something simple.
Regards,
Jeff
P.S. Is there a manual method for creating custom fields? Maybe if I force create the fields it will work?
J
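The rule in the post passes the quoted literal "remote_addr" to to_string(), so the lookup table is queried with that string instead of the IP address stored in the field. A corrected form follows as an added example that is not part of the original post; the lookup table name and field names are the ones used in the post.

```graylog
rule "remote_addr geoip lookup"
when
    has_field("remote_addr")
then
    // $message.remote_addr reads the field's value from the current message.
    // to_string("remote_addr") would instead yield the literal text
    // "remote_addr", which is not an IP address and returns no GeoIP result.
    let geo = lookup("geoip-lookup", to_string($message.remote_addr));

    // Latitude/longitude pair used by the world map widget
    set_field("geo_location", geo["coordinates"]);

    // Country and city details from the lookup result
    set_field("geo_country_code", geo["country"].iso_code);
    set_field("geo_country_name", geo["country"].names.en);
    set_field("geo_city_name", geo["city"].names.en);
end
```

If remote_addr is created by an extractor, the Message Filter Chain must run before the Pipeline Processor in the message processor order under System > Configurations; otherwise has_field("remote_addr") is false when the rule is evaluated.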