We’re running the GeoIP Resolver to get the additional fields XXX_country_code etc.
According to the docs, the GeoIP Resolver needs to be last in order to get those additional GeoIP fields. (I noted that if the GeoIP Resolver was first in the list, only the “source” field would get the additional GeoIP data)
Unfortunately, it doesn’t work to create a stream with filter based on the additional GeoIP fields, like:
Field ssh_accepted_ip_country_code must not match regular expression DK
as the GeoIP Resolver seems to executed after the stream filtering is done.
it highly depends on the order of your processing. But you could for example create a processing pipeline that does the geo_ip lookup with the new lookup tables and route that after to a stream.
That’s not correct. The GeoIP Resolver simply has to run after the stage which creates the message fields it’s supposed to process. So if the messages contain the relevant fields (consisting only of an IP address and nothing else), it can be placed as the first filter.
Could you please point me to the documentation where you’ve read that?
Messages are assigned to streams in the “Message Filter Chain” message processor (StreamMatcherFilter). If you want to create a stream rule which requires that field, you have to run the GeoIP Resolver before the Message Filter Chain.
Right,
the fields I want to do GeoIP lookup upon are extracted (with a extractor) from a “input” source, so the extractor needs to be run before otherwise no custom fields with IPs will be available…
Summaring the above, I guess what I wanted to do today isn’t possible with the current workflow, as both the extractor(s) filtering & stream filtering occurs in the same “Message Processors Conf” component, namely in the “Message Filter Chain”.
How could the pipeline processor help out ?
sorry, I meant to ask for an pipeline processor example
