Geolocation for logged in users

Hi Community,

I have added the internal Graylog plugin where I am able to see logged-in users, but the question is what is required to be able to see where they are logging in from?

Cheers,

Please elaborate on what you want to achieve.

Hi Jochen,

I have activated the Geolocation service, which is working just fine in case of a raw TCP input, but in case of the internal logs input of Graylog there is no “source_geolocation” attribute present, for example. What I want to achieve is to find out the geolocation of each user that is trying to log in to the Graylog REST API.

Cheers,

The Geo Location processor adds a field with the suffix “_location” for every message field which contains an IPv4 address (and nothing else), so if there’s no field which contains the remote IP address of the client, you’ll have to extract it from the log message first.

I did that already using a grok pattern.

What’s the order of message processors in your Graylog cluster (see System/Configurations)?
How exactly are you applying the Grok pattern, via an extractor or via a pipeline rule?

Message processors:

The grok pattern is done using an extractor.

As you can see, the GeoIP Resolver runs first, i.e. before any extractors or pipeline rules have been executed.

You’ll have to change the order accordingly, if you want the GeoIP Resolver to know about any message fields created by extractors or pipeline rules.

So, the Message Filter Chain should be passed before the GeoIP Resolver.
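
The ordering effect discussed in this thread, as an added Python simulation that is not Graylog code and not part of any post. The log line, the field name `remote_ip`, the lookup table and the `_geolocation` suffix (taken from the “source_geolocation” field named above) are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample standing in for an internal Graylog log message (format assumed).
SAMPLE = {"source": "graylog-node",
          "message": "Invalid credentials for user admin from 203.0.113.7"}
# Constructed lookup table standing in for the GeoIP database.
GEO_DB = {"203.0.113.7": "52.3740,4.8897"}
SUFFIX = "_geolocation"  # assumption, see lead-in

def is_bare_ipv4(value):
    """True only when the whole field value is an IPv4 address and nothing else."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False

def geoip_resolver(msg):
    """Add <field>_geolocation for every field holding a bare, known IPv4 address."""
    out = dict(msg)
    for field, value in msg.items():
        if is_bare_ipv4(value) and value in GEO_DB:
            out[field + SUFFIX] = GEO_DB[value]
    return out

def message_filter_chain(msg):
    """Stand-in for the extractor stage: copy the client IP into its own field."""
    out = dict(msg)
    m = re.search(r"from (\d{1,3}(?:\.\d{1,3}){3})\b", msg.get("message", ""))
    if m:
        out["remote_ip"] = m.group(1)  # hypothetical field name
    return out

def run(order, msg):
    """Apply the processors in the configured order."""
    for processor in order:
        msg = processor(msg)
    return msg

# Resolver first: remote_ip does not exist yet when the lookup runs.
broken = run([geoip_resolver, message_filter_chain], SAMPLE)
# Filter chain (extractors) first: the resolver sees remote_ip and enriches it.
fixed = run([message_filter_chain, geoip_resolver], SAMPLE)

if __name__ == "__main__":
    print("resolver first:", sorted(broken))
    print("extractors first:", sorted(fixed))
```

The `message` field never gets a geolocation in either order, because it contains more than the address itself.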
