GeoIP private and public IP

Hello everybody,

I retrieve Apache reverse proxy logs in my Graylog. I have a field which contains the source IP (most of the time it is a public IP, but it can be a private IP as well).
I used an extractor which converts that field with the MaxMind GeoIP lookup table.
The problem is that the lookup table doesn't work with private IPs and doesn't transform the field to give me coordinates. I added the map to the dashboard; when a false coordinate is added (from a private IP), the dashboard crashes and I get a "Something went wrong." with the monkey background.
How can I resolve the problem?

Regards.

Check these great articles, I think pipeline rules will be your rescue:


2 Likes

Hi @shoothub, the second link was exactly what I was looking for!
It worked like a charm, thank you. For people who are searching for the same thing, here is the rule source I used in my pipeline to create the right field, where source_ip is the field which gives me the IP address, and map the lookup table which transforms the IP into coordinates:

rule "dst_ip geoip lookup"
when
  has_field("source_ip") && ! in_private_net(to_string($message.source_ip))
then
  let geo = lookup("map", to_string($message.source_ip));
  set_field("dst_ip_geolocation", geo["coordinates"]);
end

2 Likes
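An added example, not part of the thread and not Graylog code: a small offline check of which source_ip values are worth sending to a GeoIP lookup at all. It goes beyond the private-network case discussed above by also flagging loopback, link-local, carrier-grade NAT and malformed values, which are likewise not public addresses. The sample values and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values for the source_ip field (not taken from the thread).
SAMPLE_SOURCE_IPS = [
    "8.8.8.8",               # public IPv4
    "192.168.1.20",          # RFC 1918
    "10.0.0.5",              # RFC 1918
    "127.0.0.1",             # loopback
    "169.254.10.1",          # link-local
    "100.64.3.7",            # carrier-grade NAT (RFC 6598)
    "fd12:3456:789a::1",     # IPv6 unique local
    "2001:4860:4860::8888",  # public IPv6
    "-",                     # placeholder sometimes found in proxy logs
]

def skip_reason(value):
    """Return None if the value is worth a GeoIP lookup, else why it is not."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return "not an IP address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "shared or reserved"
    return None

def partition(values):
    """Split field values into those to geolocate and those to skip."""
    lookup, skipped = [], {}
    for v in values:
        reason = skip_reason(v)
        if reason is None:
            lookup.append(v)
        else:
            skipped[v] = reason
    return lookup, skipped

if __name__ == "__main__":
    lookup, skipped = partition(SAMPLE_SOURCE_IPS)
    print("GeoIP lookup:", lookup)
    for v, why in skipped.items():
        print(f"skip {v!r}: {why}")
```

Running it against values exported from the source_ip field shows which categories a pipeline condition has to exclude before the lookup runs.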
