Geolocation issues

Graylog Central (peer support)
1

Description of your problem

I’ve followed the following guide to setup geolocating - How to Set Up Graylog GeoIP Configuration | Graylog
I can see the new fields src_ip_city_name, src_ip_country_code, src_ip_geolocation however they are not populated. I’ve got a src_ip field setup for my log and that is populated.

I’m able to test my lookup table against an ip which comes back with all the IP coordinate details.

My message processor configuration order is:
1- Message filter chain
2- Pipline processor
3- GeoIP resolver
4- AWS instance Name lookup (disabled)

The pipeline rule is stage is -1 - its the only pipeline rule i have setup.

Any help would be appreciated.

Environmental information

Operating system information

  • Ubuntu

Package versions

  • Graylog 4.1
  • MongoDB v4.0.26
  • Elasticsearch 6.8.18
rule "GeoIP lookup: Source_IP"

when

  has_field("src_ip")

then

  let geo = lookup("geoip-lookup", to_string($message.src_ip));

set_field("src_ip_geo_location", geo["coordinates"]);

set_field("src_ip_geo_country", geo["country"].iso_code);

set_field("src_ip_geo_city", geo["city"].names.en);

end

For longer code or configuration bits, please enclose your snippet in a summary block like this:

Summary of your code snippet or config here 
Your code goes inside the triple backticks
2

Hello && Welcome

I might be able to help. So, let me get this right. The fields are shown but there is no data under these fields accept for src_ip field?

I don’t know if you seen this, but it has a little more information.

https://docs.graylog.org/en/4.0/pages/geolocation.html

That link above is what I followed to create this.

image

image
image967×378 17.3 KB

It seams your almost there but may have missed something but I’m not sure what. If I was going to take a guess it would be the MaxMind database. Its been awhile but I had to create account with them to get the database and made sure that the permissions were set for Graylog to access it.

Hope that helps.

3

Thanks @gsmith. I managed to get it working by removing the pipeline and adding in a grok extractor to convert the IP field to IPV4, for some reason the regular expression extractor did not work.
Both extractors would show my IP’s as the IPV4 field but the geolocation would only work with the grok extractor.

1 Like
4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.