Geolocation 0 message error

Hi, we are trying to add geolocation plugin to our working Graylog server and followed guidelines but there is no messages received by pipeline, fields (country, city …) and map is not showing at all.

rule “GeoIP lookup: src_ip”

when

has_field(“src_ip”)

then

let geo = lookup(“geoip”, to_string($message.src_ip));

set_field(“src_ip_geo_location”, geo[“coordinates”]);

set_field(“src_ip_geo_country”, geo[“country”].iso_code);

set_field(“src_ip_geo_city”, geo[“city”].names.en);

end

Graylog Image 2020-11-04 at 12.01.101600×682 103 KB

Graylog Image 2020-11-04 at 12.01.331600×704 78.3 KB

Graylog Image 2020-11-04 at 12.06.321600×794 128 KB

Graylog Image 2020-11-04 at 11.59.451600×802 139 KB

Graylog Image 2020-11-04 at 12.00.481600×729 122 KB

1. First check your lookup table, if it returns correct geoip field if you type some internet IP in Lookup Tables section?
2. I don’t see field src_ip in your example message screenshot.
3. Maps requires geoip fields with coordinates to be present by geoip lookup to show world map.
4. Check if you correctly setup your pipeline - assign pipeline rule to right stage (e.g. 0) and setup pipeline connection.
5. Try to debug pipeline rule with debug function, and check logs:
   add line to your pipeline rule:
   debug(concat("Src_ip: ", to_string($message.src_ip)));
   And then check graylog log four debug function output:
   sudo tail -f /var/log/graylog-server/server.log

@denizilhan
I was able to get mine to work, by setting my message processor order like this.

image611×598 22.8 KB

And then I set my stage to -1 in my environment.

image1016×79 4.33 KB

It didnt come through right away, i think i waited like15 to 20 minutes. Sorry its been awhile.

Agree with @shoothub you need those field to make it happen.

Hope this helps

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.