Geolocation (again) problems


1. Describe your incident:
After setting up the geolocation processor as in Geolocation, and adding an extractor for the IIS logs to have a field (called source_ip), I still cannot find the geolocation fields to use.

2. Describe your environment:

  • OS Information:

Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal

  • Package Version:
    Graylog 4.3.9+e2c6648 on graylog01 (Private Build 17.0.4 on Linux 5.4.0-131-generic)

ii elasticsearch-oss 7.10.2 amd64 Distributed RESTful search engine built for the cloud
ic graylog-4.2-repository 1-4 all Package to install Graylog 4.2 GPG key and repository
ii graylog-4.3-repository 1-6 all Package to install Graylog 4.3 GPG key and repository
ii graylog-enterprise-integrations-plugins 4.3.9-1 all Graylog Enterprise Integrations plugins
ii graylog-enterprise-plugins 4.3.9-1 amd64 Graylog Enterprise plugins
ii graylog-integrations-plugins 4.3.9-1 all Graylog Integrations plugins
ii graylog-server 4.3.9-1 all Graylog server
ii mongodb-org 4.0.28 amd64 MongoDB open source document-oriented database system (metapackage)
ii mongodb-org-mongos 4.0.28 amd64 MongoDB sharded cluster query router
ii mongodb-org-server 4.0.28 amd64 MongoDB database server
ii mongodb-org-shell 4.0.28 amd64 MongoDB shell client
ii mongodb-org-tools 4.0.28 amd64 MongoDB tools

  • Service logs, configurations, and environment variables:

cat /etc/graylog/server/server.conf | egrep -v "^\s*(#|$)"
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxx
root_password_sha2 = xxx
root_timezone = America/New_York
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 10.0.0.55:9000
http_external_uri = https://logs.domain.com/
http_enable_cors = true
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
cluster.name: graylog
action.auto_create_index: false

3. What steps have you already taken to try and solve the problem?

  • I upgraded from 4.2 to the latest 4.3.9 and followed the instructions at Geolocation
  • Old topic Geolocation not working tried to cover the same problem but no solution was posted
  • Older topics use a different way of adding geolocation fields to log entries using lookup tables, but it was not described in the instructions, so I assumed it is no longer valid for v3.5.9

4. How can the community help?
Please share/advise what could be wrong.


Hello @mhammady

Is it possible to show the GeoIP configuration (i.e. Pipeline, data table, etc…) made and perhaps a sample of the logs?

Also post your Message Processors Configuration (system/Configurations) as well as your Geo-Location Processor setting on the same page.

I think this is one where you want the Message Filter Chain to come before the Pipeline Processor…


@gsmith & @tmacgbay

Thank you for your response. I didn’t create any pipeline or LUT… It was not mentioned in the Geolocation document!!!

In fact, the 1st paragraph on the geolocation using pipeline and LUTs document mentions “Geolocation can be automatically built into the Graylog platform by using the “GeoIP Resolver” plugin with a MaxMind database. However, you can further improve your ability to extract meaningful and useful data by leveraging the functionality of pipelines and lookup tables”, so I was expecting that by setting up only the geolocation processor, it will be able to create the geolocation fields automatically without the need of adding additional pipelines or LUTs…

Was I mistaken in this assumption? Shall I follow Implementing Geolocation with Graylog Pipelines - Graylog or How to Set Up Graylog GeoIP Configuration - Graylog instructions and disregard the Geo-Location Processor plugin?

My Message Processors Configuration:

My Geo-Location Processor:

Hello,

Message Filter Chain should be before Pipeline Processor.

Hi @gsmith, I just tried that but I still cannot see the geolocation fields. Please note that I removed the enterprise add-ons as they were giving many log errors caused by lack of license.

My current Message Processors Configuration is as follows:


hey,

It may take a few minutes, but that is what needs to happen when using pipelines.
Can you post your pipeline/rule?

@gsmith, as I mentioned earlier, I didn’t create a pipeline or LUTs. As the geolocation document mentioned, I just added the processor plugin information. Also, I added a message extractor to the input to make sure that there will be a valid IP field (I named it source_ip) to be used for geolocation…

hey @mhammady

Have a look here, this may help.

EDIT: here is mine.


Thank you @gsmith

I’m familiar with this technique, but I was hoping that I can use the GeoIP addon as is… this document does not depend on the addon, it creates a LUT to be used in a pipeline. I appreciate you sharing your configuration though… I shall disable the Geolocation plugin and start building the LUT and its pipeline…

Thanks again for your help

Hey,

:+1:

It’s probably for the better. I understand the plugin is easier, but later on if you upgrade it may not work. This way, if you build it, it should stay working without any problems. My setup went from GL version 2.5 through 4.3 and it’s still working well.

Hi @gsmith

I did create the LUTs and the pipeline, but I’m getting this in /var/log/graylog-server/server.log:

WARN [LookupTableService] Lookup table < geoip > does not exist

The new fields are not added, so I assume it is related to this error.

Of course, I downloaded the latest MaxMind lite (free) DBs and added them to the /etc/graylog/server/
Server restart didn’t solve this problem…

Any idea why this is happening?

hey,

You need to create the lookup tables. What direction are you using?

Thanks for the quick reply. I created the lookup table as follows…

Ok, I tested this against mine. Not sure if this will help ya, but here is where I saw different settings.

Data adapter file path

/usr/share/elasticsearch/modules/ingest-geoip/GeoLite2-City.mmdb

Your cache is the same as mine.

Perhaps match the table correctly.

Reason I stated this was from this error
Lookup table < geoip > does not exist

@mhammady

If you created a pipeline like this…

rule "GeoIP lookup: srcip"
when
  // guard on the same field the lookup below reads
  has_field("srcip")
then
  let geo = lookup("geoip", to_string($message.srcip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
  debug(geo);
end

Make sure the correct naming convention is the same.

Especially this part; notice it states "geoip":

let geo = lookup("geoip", to_string($message.srcip))

hi @mhammady
how did you pull the public ip to the logs?

I followed the same steps (pipeline rules, adapter, lookup table…) but why is my IP address private? Can you help?


@er213, this log is for IIS. If I understood your question correctly, your problem is showing the real IP in the IIS log; then you need to add X-Forwarded-For as a custom field in IIS. This has nothing to do with Graylog.

Hi @gsmith… Thank you SO MUCH for your help. It works now for me. The problem was the name of the LUT. In all examples it was geoip, but when I created it, I created the table with the name GeoIPtbl.

All I needed to do was update my lookup line to be

let geo = lookup("GeoIPtbl", to_string($message.source_ip));

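To make the two points of this thread concrete (the lookup-table name in `lookup("…")` must match the table configured in Graylog, and the IIS `c-ip` column only shows the real client when X-Forwarded-For is consulted), here is an added Python model that is not Graylog's code and not from any poster. It parses a constructed IIS W3C log excerpt, applies extractor logic that yields `source_ip`, and runs a Python rendering of the pipeline rule posted above against a set of named lookup tables. The MaxMind data adapter is replaced by a constructed inline table with the same result shape (`coordinates`, `country.iso_code`, `city.names.en`); the proxy ranges, addresses and log lines are all constructed assumptions.

```python
"""Added model of the thread's setup: IIS log -> source_ip extractor ->
pipeline rule with lookup("<table name>", ...). Not Graylog's own code."""
import ipaddress

# Constructed IIS log excerpt. IIS writes "-" for empty values and replaces
# spaces inside a value with "+". Record 1 arrived through two internal
# proxies; record 2 is a direct connection carrying a client-supplied XFF.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(User-Agent) X-Forwarded-For sc-status
2022-11-01 12:00:00 10.0.0.12 GET /index.html 10.0.0.3 Mozilla/5.0 203.0.113.7,+10.0.0.2 200
2022-11-01 12:00:01 10.0.0.12 GET /login 198.51.100.9 curl/7.81.0 192.0.2.44 401
"""

# Assumed address range of the proxies / load balancers in front of IIS.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

WARNINGS = []  # stands in for the server.log lines quoted in the thread

# Constructed stand-in for the MaxMind City adapter, keyed by the lookup
# table name configured under System > Lookup Tables.
LOOKUP_TABLES = {
    "GeoIPtbl": {
        "203.0.113.7": {
            "coordinates": "51.5,-0.12",
            "country": {"iso_code": "GB"},
            "city": {"names": {"en": "London"}},
        },
    },
}


def parse_iis(text):
    """Turn a W3C extended log (header + records) into dicts keyed by field."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(record):
    """Extractor logic for source_ip. X-Forwarded-For is client-supplied, so
    it is only consulted when the TCP peer (c-ip) is one of our proxies, and
    the client is the right-most hop that is not a trusted proxy (the value
    our own proxy appended), never blindly the first element."""
    peer = ipaddress.ip_address(record["c-ip"])
    if not is_trusted_proxy(peer):
        return str(peer)
    xff = record.get("X-Forwarded-For", "-").replace("+", "")
    for hop in reversed(xff.split(",")):
        hop = hop.strip()
        if not hop or hop == "-":
            continue
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # garbage in the header: skip it, never trust it
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


def lookup(table_name, key):
    """Model of the pipeline lookup() function: an unknown table name only
    produces the warning seen in this thread and yields no result."""
    if table_name not in LOOKUP_TABLES:
        WARNINGS.append("Lookup table < %s > does not exist" % table_name)
        return None
    return LOOKUP_TABLES[table_name].get(key)


def geoip_rule(message, table_name="GeoIPtbl"):
    """Python rendering of the 'GeoIP lookup' rule posted above."""
    if "source_ip" not in message:
        return message
    geo = lookup(table_name, message["source_ip"])
    if geo is None:
        return message  # no table or no hit: no geo fields are set
    message["src_ip_geo_location"] = geo["coordinates"]
    message["src_ip_geo_country"] = geo["country"]["iso_code"]
    message["src_ip_geo_city"] = geo["city"]["names"]["en"]
    return message


def process(text, table_name="GeoIPtbl"):
    """Extractor + rule over every record; returns the enriched messages."""
    out = []
    for rec in parse_iis(text):
        msg = {"source_ip": client_ip(rec), "sc_status": rec["sc-status"]}
        out.append(geoip_rule(msg, table_name))
    return out


if __name__ == "__main__":
    for m in process(IIS_LOG):
        print(m)
    process(IIS_LOG, "geoip")  # mismatched table name, as in the thread
    print(WARNINGS)
```

Running `process(IIS_LOG)` enriches the first record (client 203.0.113.7 recovered from the proxy chain) and leaves the second untouched because a direct connection's own X-Forwarded-For value is ignored and 198.51.100.9 has no entry; running it with the table name `geoip` sets no fields at all and only records the "does not exist" warning, which is exactly the symptom that was fixed by matching the name `GeoIPtbl`.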

How can I do this? I’m new to networking, can you help @mhammady