Graylog GeoIP Configuration

Hello Community, I'm trying to configure GeoIP location using the MaxMind database. I did all the steps I have seen in articles.

**My environment**

  • Graylog OVA

  • OS Information:
    Ubuntu.

**Steps I did so far**

  • Downloaded the MaxMind GeoLite2-City.mmdb file and put it in the /etc/graylog/server location.

  • Created adapter, cache and lookup table.

  • Created pipeline and rule.

Is there anyone who can help me with what I'm missing?

Thanks

If you are in the lookup table edit screen, can you enter an IP address and successfully get a response?

Thanks for the reply, Joel.

Yes, I can put in an IP address and I get a response.

I put in Google's IP address and I got this:

```json
{
  "single_value": "34.0544,-118.2441",
  "multi_value": {
    "continent": {
      "code": "NA",
      "geoname_id": 6255149,
      "names": {
        "de": "Nordamerika",
        "ru": "Северная Америка",
        "pt-BR": "América do Norte",
        "ja": "北アメリカ",
        "en": "North America",
        "fr": "Amérique du Nord",
        "zh-CN": "北美洲",
        "es": "Norteamérica"
      }
    },
    "country": {
      "confidence": null,
      "geoname_id": 6252001,
      "is_in_european_union": false,
      "iso_code": "US",
      "names": {
        "de": "Vereinigte Staaten",
        "ru": "США",
        "pt-BR": "EUA",
        "ja": "アメリカ",
        "en": "United States",
        "fr": "États Unis",
        "zh-CN": "美国",
        "es": "Estados Unidos"
      }
```

Okay, so if you are not getting anything when using the pipeline, then you probably have an issue in the pipeline. If you can post your pipeline rule, we can have a look at your code.

Here is my pipeline rule, bro:

```
rule "GeoIP lookup: src_ip"
when
  has_field("src_ip")
then
  // query the "geoip" lookup table with the source address as a string
  let geo = lookup("geoip", to_string($message.src_ip));

  // "coordinates" is the "lat,lon" string the lookup table returns
  set_field("src_ip_location", geo["coordinates"]);
  set_field("src_ip_country", geo["country"].iso_code);
  set_field("src_ip_city", geo["city"].names.en);
end
```

Did you post all of the output from the lookup table? There are a whole bunch of fields you are referencing in your pipeline that are not in your earlier post.

Hello @tijaabo

Just chiming in.

By chance, do you have this field (src_ip) generated already? If not, it might be your issue.
EDIT: Here is a good post on this subject

EDIT 2: Sorry for the edits. The one thing I do not see in this post is the Geo-Location Processor, which is located under System/Configurations. The path configured in my environment may not be the same in yours, but it does need to be configured and enabled.

Hey @gsmith, thanks for the reply, bro.

Yes, I have "src_ip" in my fields.

However, in my Geo-Location Processor I only have
Database path /etc/graylog/server/Geolite2-City.mmdb, as shown in the picture below.

Am I missing something here? Because I see yours has an ASN database path.

thanks.

@Joel_Duffield here are the lookup table return values:

```json
{
  "single_value": "34.0544,-118.2441",
  "multi_value": {
    "continent": {
      "code": "NA",
      "geoname_id": 6255149,
      "names": {
        "de": "Nordamerika",
        "ru": "Северная Америка",
        "pt-BR": "América do Norte",
        "ja": "北アメリカ",
        "en": "North America",
        "fr": "Amérique du Nord",
        "zh-CN": "北美洲",
        "es": "Norteamérica"
      }
    },
    "country": {
      "confidence": null,
      "geoname_id": 6252001,
      "is_in_european_union": false,
      "iso_code": "US",
      "names": {
        "de": "Vereinigte Staaten",
        "ru": "США",
        "pt-BR": "EUA",
        "ja": "アメリカ",
        "en": "United States",
        "fr": "États Unis",
        "zh-CN": "美国",
        "es": "Estados Unidos"
      }
    },
    "traits": {
      "autonomous_system_number": null,
      "autonomous_system_organization": null,
      "connection_type": null,
      "domain": null,
      "ip_address": "8.8.8.8",
      "is_anonymous": false,
      "is_anonymous_proxy": false,
      "is_anonymous_vpn": false,
      "is_hosting_provider": false,
      "is_legitimate_proxy": false,
      "is_public_proxy": false,
      "is_satellite_provider": false,
      "is_tor_exit_node": false,
      "isp": null,
      "organization": null,
      "user_type": null
    },
    "city": {
      "confidence": null,
      "geoname_id": 5368361,
      "names": {
        "de": "Los Angeles",
        "ru": "Лос-Анджелес",
        "pt-BR": "Los Angeles",
        "ja": "ロサンゼルス",
        "en": "Los Angeles",
        "fr": "Los Angeles",
        "zh-CN": "洛杉矶",
        "es": "Los Ángeles"
      }
    },
    "represented_country": {
      "confidence": null,
      "geoname_id": null,
      "is_in_european_union": false,
      "iso_code": null,
      "names": {},
      "type": null
    },
    "coordinates": "34.0544,-118.2441",
    "location": {
      "accuracy_radius": 1000,
      "average_income": null,
      "latitude": 34.0544,
      "longitude": -118.2441,
      "metro_code": 803,
      "population_density": null,
      "time_zone": "America/Los_Angeles"
    },
    "postal": {
      "code": "90009",
      "confidence": null
    },
    "registered_country": {
      "confidence": null,
      "geoname_id": 6252001,
      "is_in_european_union": false,
      "iso_code": "US",
      "names": {
        "de": "Vereinigte Staaten",
        "ru": "США",
        "pt-BR": "EUA",
        "ja": "アメリカ",
        "en": "United States",
        "fr": "États Unis",
        "zh-CN": "美国",
        "es": "Estados Unidos"
      }
    },
    "subdivisions": [
      {
        "confidence": null,
        "geoname_id": 5332921,
        "iso_code": "CA",
        "names": {
          "de": "Kalifornien",
          "ru": "Калифорния",
          "pt-BR": "Califórnia",
          "ja": "カリフォルニア州",
          "en": "California",
          "fr": "Californie",
          "zh-CN": "加州",
          "es": "California"
        }
      }
    ]
  },
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}
```

Hey @tijaabo,
welcome to the forum.

If I understand correctly, the geo location fields are not set.
Is the “Message Processors Configuration” order correct?

https://go2docs.graylog.org/5-0/making_sense_of_your_log_data/geolocation.html

Yes, it's correct, bro, as shown here.

@H077E, in my Geo-Location it shows only Database path /etc/graylog/server/Geolite2-City.mmdb.
Am I missing the ASN database, Geolite2-City?

I understand.
Did you look in /var/log/graylog-server/server.log?

I don't use the built-in GeoIP lookup; I solved it differently.

I tried it on my test system (GL-Open 5.0.3, OpenSearch, Debian 11). It is working. It’s not a bug.

@tijaabo, is there a WAF or mod_security in front of it?
Your picture looks completely different.

Hey,

Try setting your Pipeline Processor after the Message Filter Chain. See if that works; it might take a second to see results.

Thanks @gsmith, @H077E and @Joel_Duffield for the replies and answers. I finally solved it.

The issue was in the Message Processors Configuration order: I had put the Pipeline Processor before the Message Filter Chain. I changed it and moved the Message Filter Chain above the Pipeline Processor, and it worked fine.

Thank you, guys, for the help and replies again.

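The fix above is purely an ordering problem: the Pipeline Processor ran before the Message Filter Chain had extracted `src_ip`, so `has_field("src_ip")` was false and the rule never fired. The following script is an added example written for this thread, not Graylog's code. It checks and repairs that ordering on a dict shaped like the `processor_order` list Graylog shows under System/Configurations (a list of entries with a `name` and a `class_name`, plus a `disabled_processors` list). The sample configurations, the `class_name` values and the assumption that display names match the UI strings exactly are all the example's own; fetch the real configuration from your Graylog node however you normally do and feed it in.

```python
"""Check and repair the Graylog message processor order (added example).

The dict shape below (processor_order / disabled_processors / name /
class_name) is an assumption of this example, modelled on what the
System/Configurations page displays; the class_name strings are
placeholders, not verified Graylog identifiers.
"""
from copy import deepcopy
from typing import Dict, List

FILTER_CHAIN = "Message Filter Chain"   # extracts fields such as src_ip
PIPELINE = "Pipeline Processor"         # runs rules like "GeoIP lookup: src_ip"

# Constructed sample: the broken order from the thread (pipeline first).
BROKEN_ORDER: Dict = {
    "disabled_processors": [],
    "processor_order": [
        {"name": "GeoIP Resolver", "class_name": "example.GeoIpProcessor"},
        {"name": PIPELINE, "class_name": "example.PipelineInterpreter"},
        {"name": FILTER_CHAIN, "class_name": "example.MessageFilterChainProcessor"},
    ],
}


def processor_position(config: Dict, name: str) -> int:
    """Index of the processor called `name`; KeyError if it is not listed."""
    for idx, proc in enumerate(config["processor_order"]):
        if proc["name"] == name:
            return idx
    raise KeyError(f"processor {name!r} not present in processor_order")


def filter_chain_before_pipeline(config: Dict) -> bool:
    """True when field extraction runs before pipeline rules (the working order)."""
    return processor_position(config, FILTER_CHAIN) < processor_position(config, PIPELINE)


def disabled_required_processors(config: Dict) -> List[str]:
    """Names of the two required processors that are switched off, if any."""
    disabled = set(config.get("disabled_processors", []))
    return [
        proc["name"]
        for proc in config["processor_order"]
        if proc["name"] in (FILTER_CHAIN, PIPELINE) and proc["class_name"] in disabled
    ]


def reorder_filter_chain_first(config: Dict) -> Dict:
    """Return a copy where the Message Filter Chain sits directly above the
    Pipeline Processor; every other processor keeps its relative position."""
    fixed = deepcopy(config)
    if filter_chain_before_pipeline(fixed):
        return fixed
    order = fixed["processor_order"]
    chain = order.pop(processor_position(fixed, FILTER_CHAIN))
    # recompute: the pipeline index is unchanged because the popped entry was after it
    order.insert(processor_position(fixed, PIPELINE), chain)
    return fixed


def diagnose(config: Dict) -> List[str]:
    """Human-readable findings, empty when the configuration looks right."""
    findings = []
    if not filter_chain_before_pipeline(config):
        findings.append(f"{PIPELINE} runs before {FILTER_CHAIN}: rules that test "
                        "has_field() on extracted fields will never match")
    for name in disabled_required_processors(config):
        findings.append(f"{name} is disabled")
    return findings


if __name__ == "__main__":
    for line in diagnose(BROKEN_ORDER):
        print("finding:", line)
    print([p["name"] for p in reorder_filter_chain_first(BROKEN_ORDER)["processor_order"]])
```

`diagnose()` reports the same two conditions the thread walked through (order and enabled state); `reorder_filter_chain_first()` produces the configuration the original poster ended up with, which you would then apply through the System/Configurations page.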

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.