Bringing this from GitHub #37
Trying to set this up. Followed the doc to the letter. I was able to get the geo fields,
<field>_geolocation, when I ran the command:
nc -w1 <graylog_host> 5555 <<< '18.104.22.168'
Unfortunately it does not work with normal logs that come in. On my input I have an extractor that copies the IP from the message into the gl2_remote_ip field, which works.
Trying to extract data from message into gl2_remote_ip, leaving the original intact.
Condition: Will only attempt to run if the message matches the regular expression from ([0-9]+.[0-9]+.[0-9]+.[0-9]+|\S+)(\s|:\s)
Configuration: regex_value: from ([0-9]+.[0-9]+.[0-9]+.[0-9]+|\S+)(\s|:\s)
GeoIP Resolver to last (3) in “Message Processors Configuration”.
#   Processor              Status
1   Pipeline Processor     active
2   Message Filter Chain   active
3   GeoIP Resolver         active
This is how the Plugin is configured:
Enabled: yes
Database type: City database
Database path: /etc/graylog/server/GeoLite2-City.mmdb
The DB exists and has the correct permissions:
ll /etc/graylog/server/GeoLite2-City.mmdb
-rw-r--r-- 1 root root 53531421 Mar 29 19:46 /etc/graylog/server/GeoLite2-City.mmdb
Not really too sure what is going on. Any input is appreciated.
Hope this makes sense.
CentOS Linux release 7.3.1611 (Core)