Geolocation / GeoIP confusion on 3.x

Running Graylog 3.0.2

I’m brand new to Graylog and looking for some guidance.

I’ve read through the setup for Geolocation and followed to the best of my ability here:

https://docs.graylog.org/en/3.0/pages/geolocation.html#configure-geolocation

  • I have log data coming in from multiple Apache2 servers via GELF and can see that data in search.
  • On our single graylog server, I’ve setup geoipupdate on cron for our MaxMind account.
  • I configured the Data Adapter, Cache, and Lookup Table (hopefully correctly). (No red error message for path to MaxMind file)
  • I setup a pipeline with single rule as follows:
rule "source_ip geoip lookup"
when
  has_field("source_ip")
then
  let geo = lookup("geoip-lookup", to_string($message.source_ip));
  set_field("source_ip_geolocation", geo["coordinates"]);
  set_field("source_ip_geo_country_code", geo["country"].iso_code);
  set_field("source_ip_geo_country_name", geo["country"].names.en);
  set_field("source_ip_geo_city_name", geo["city"].names.en);
end

I think I’m close, but not seeing any source_ip_xxxxx field appear in search. I must be missing something - any guidance or direction would be greatly appreciated.

Many thanks!

UPDATE: Solved

My problem:

My call to lookup() pointed to a non-existent Table called geoip-lookup (I labeled mine differently).

Solution: Change either the lookup() call or Table name so they reflect one-another.

I’ll leave this here in hopes it helps someone else.

Thanks!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.