Hi guys,
thanks for all the good resources and sharing of your experiences!
I also followed the guides,
How to Set Up Graylog GeoIP Configuration
Implementing Geolocation with Graylog Pipelines
It seems to work somehow but my problem is that all lookups resolve to the same coordinates and country. Can someone tell me if this behavior is some kind of fallback function?
winlogbeat_winlog_event_data_DestinationIp_geo_country:"AT"
winlogbeat_winlog_event_data_DestinationIp_geo_location:"48.2048,16.3801"
Here is what I configured:
- System > Configuration:
- Lookup Tables > Data Adapters:
The .mmdb file is up-to-date and is shared with my docker container where graylog runs!
- Lookup Tables > Caches:
- Lookup Tables > Lookup Tables:
- Pipelines > Manage rules:
rule "GeoIP lookup: winlogbeat_winlog_event_data_DestinationIp"
when
has_field("winlogbeat_winlog_event_data_DestinationIp")
then
let geo = lookup("geoiplookup", to_string($message.winlogbeat_winlog_event_data_DestinationIp));
set_field("winlogbeat_winlog_event_data_DestinationIp_geo_location", geo["coordinates"]);
set_field("winlogbeat_winlog_event_data_DestinationIp_geo_country", geo["country"].iso_code);
set_field("winlogbeat_winlog_event_data_DestinationIp_geo_city", geo["city"].names.en);
end
- Pipelines > Manage pipelines > Edit:
** Pipeline connections > correct Stream is set
** actually seeing Throughput from time to time (not much traffic - it's a lab environment)
- Pipelines overview:
- Files are available:
Did I miss any important step?
Where / How can I do some extended troubleshooting?
(I can’t find any server logs in my docker container)
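A small troubleshooting check, added here and not part of the original post or of Graylog: given messages exported from Graylog as JSON lines, it lists the distinct DestinationIp values, flags private or otherwise non-routable ones (which have no entry in the MaxMind databases, so a location attached to them cannot have come from the lookup) and reports whether the geo fields collapse to a single value across different IPs. The sample messages below are constructed, not real lab data.

```python
import ipaddress
import json
from collections import Counter

IP_FIELD = "winlogbeat_winlog_event_data_DestinationIp"
GEO_FIELDS = (IP_FIELD + "_geo_country", IP_FIELD + "_geo_location")

# Constructed sample: three different destination IPs that all carry the same
# geo fields, i.e. the symptom described in the question.
SAMPLE_JSONL = "\n".join(json.dumps(m) for m in [
    {IP_FIELD: "10.0.0.5", GEO_FIELDS[0]: "AT", GEO_FIELDS[1]: "48.2048,16.3801"},
    {IP_FIELD: "192.168.1.20", GEO_FIELDS[0]: "AT", GEO_FIELDS[1]: "48.2048,16.3801"},
    {IP_FIELD: "8.8.8.8", GEO_FIELDS[0]: "AT", GEO_FIELDS[1]: "48.2048,16.3801"},
])


def load_jsonl(text):
    """Parse one JSON message per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_public(ip):
    """True only for globally routable addresses; private, loopback,
    link-local and documentation ranges return False, as do unparsable values."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def analyse(messages):
    """Summarise what the pipeline rule had to work with."""
    ips = Counter(m[IP_FIELD] for m in messages if m.get(IP_FIELD))
    non_public = sorted(ip for ip in ips if not is_public(ip))
    # A geo field "collapses" when several distinct IPs share one single value.
    collapsed = {}
    for field in GEO_FIELDS:
        values = Counter(m[field] for m in messages if m.get(field))
        collapsed[field] = len(ips) > 1 and len(values) == 1
    return {"distinct_ips": len(ips), "non_public_ips": non_public,
            "geo_collapsed": collapsed}


if __name__ == "__main__":
    print(json.dumps(analyse(load_jsonl(SAMPLE_JSONL)), indent=2))
```

Replace SAMPLE_JSONL with the contents of a message export from the search page to run it against real data.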