To the Graylog community at large, I’ve been having issues with log enrichment. Specifically, I’ve been having issues with getting geolocation data to properly be enriched with my logs. And the goal and need for this data is to build site and heatmaps through visualization dashboards within Grafana.
I’ve been following mostly Taylor Walton’s SIEM stack build, if any of you are familiar with his work. Where I’m having issues is getting Graylog to even do it! The Geo-Location Processor is enabled and has the correct Message Processor order, and supposedly just doing this is supposed to enable this feature (yes, I also have the MaxMind GeoLite2 mmdb for both ASN and City, even Country).
And yet, when I go to look at the Windows endpoint logs and check on my “sysmon_event3” type logs, there is nothing about geolocation data anywhere within any kind of field.
So I’ve gone so far as to create Lookup Tables, Pipelines and Rules and none of that worked either! I even pointed the damn Rules to use the field “data_win_eventdata_destinationIp” to enrich from and that didn’t even work.
So I’m desperate for some help. I’ll keep making posts about this subject until someone finally responds. And I’ll post screenshots and configurations upon request. No sense in posting it now if no one is going to even respond to help. Thanks!
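For reference, here is a Graylog pipeline rule of the kind the post describes (lookup table plus rule on the sysmon destination IP field); it is an added illustration, not the poster’s configuration. The lookup table name `geolite2-city` and the result keys `city`, `country` and `coordinates` are assumptions to check against the lookup table’s own test output in System > Lookup Tables; the `cidr_match` guard is there because GeoLite2 has no records for private ranges, so event 3 logs whose destination is an internal address will never gain geo fields no matter how the processor is ordered.

```graylog
rule "geolite2 city enrichment for sysmon event 3 destination IP"
when
  has_field("data_win_eventdata_destinationIp") &&
  // Skip private/loopback destinations: GeoLite2 has no entries for them,
  // so the lookup would return nothing and the rule would look "broken".
  !cidr_match("10.0.0.0/8",     to_ip($message.data_win_eventdata_destinationIp)) &&
  !cidr_match("172.16.0.0/12",  to_ip($message.data_win_eventdata_destinationIp)) &&
  !cidr_match("192.168.0.0/16", to_ip($message.data_win_eventdata_destinationIp)) &&
  !cidr_match("127.0.0.0/8",    to_ip($message.data_win_eventdata_destinationIp))
then
  let dst = to_string($message.data_win_eventdata_destinationIp);

  // "geolite2-city" is an assumed lookup table name backed by the
  // MaxMind GeoLite2-City data adapter; lookup() returns a map of results.
  let geo = lookup("geolite2-city", dst);

  // Assumed result keys; confirm them on the lookup table's test page.
  set_field("dst_geo_city", geo["city"]);
  set_field("dst_geo_country", geo["country"]);
  // "lat,lon" string, the shape Grafana geomap panels can parse.
  set_field("dst_geo_coordinates", geo["coordinates"]);
end
```

If a message matches the `when` clause but no `dst_geo_*` fields appear, run the rule through the pipeline simulator with one of the event 3 messages to see whether the lookup itself returns empty.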