GeoLocation. Looking for advise?

Just looking for some advice or input on what could be going wrong here. Have 4 web servers all sending logs to graylog. Once set up geolocation was working perfectly with the provided logs. After a restart Geolocation stopped working. Logs are making it in just fine but now it is not finding the IP fields we were using anymore. Now here is the kicker. It does find them on one source but not the others even though everything is formatted Identically. So if querying for logs on a specific webnode geolocation DOES work but not if querying for either one or all of the others. Anybody else run into this or am I missing something? I feel it has to be something simple and I’m just overlooking something. Nothing has changed. Just started happening after the graylog restart.

what is the processing order? ( http://docs.graylog.org/en/2.2/pages/geolocation.html#configure-the-database ) and if in multi node environment, do all servers have the database and can access?

Does the field always contain only the IP?

Here is the processing order as copied from the webgui.

Processor Status

1 Pipeline Processor active
2 Message Filter Chain active
3 GeoIP Resolver active

Two node environment. Both nodes are ingesting and processing messages just fine from our sources. The field is always the same. We are using x-forwarded-for for our client ip information and like I said. All was working just fine until the restart. After which all is working great except for geolocation. Which itself does seem to be working. Just not detecting IP’s correctly from our X-Forwarded-For field from identically configured web nodes. I even checked on the logging format. They match exactly. Just odd that depending on source all things being equal that it picks up some but not others. Again. I feel it is something easy being overlooked but I’m really struggling to find it.

Sorry,

I have no Idea what could be wrong.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.