1. Describe your incident:
I need assistance with getting the GeoIP functionality of Graylog working so that I can then take the latitude and longitude coordinates and create visual maps on dashboards.
2. Describe your environment:
- OS Information: Debian 12 “Bookworm”
- Package Version: Graylog Open 6.1.7
- Service logs, configurations, and environment variables: None that are relevant to this situation, I’m pretty sure…
3. What steps have you already taken to try and solve the problem?
Besides rewriting the pipeline rules in so many different ways? Well, I’ve also abused our underpaid A.I. assistant ChatGPT to no end trying to resolve this issue and can’t seem to figure it out.
4. How can the community help?
First off, I’ve been following along Taylor Walton’s SIEM stack setup, so if you’re familiar with him and his work, you’ll know that my stack uses Wazuh for backend storage while using Graylog for the log ingestion.
I’m pretty sure there is nothing wrong with the stack itself causing this issue and that it has everything to do with me not being able to figure this out. Hence I’m reaching out to the community for assistance.
Here in this blog post are all the screenshots for the pipeline configuration:
I could really use some outside help and perspective with this, because I’m not seeing a solution between my research, ChatGPT and Gemini, so I’m at a loss now! Any assistance and help with this would be greatly appreciated!
So the specifics are this:
I’m trying to have Graylog pull up the geolocation information for the IP address in the field “data_win_eventdata_destinationIp” and the other one, “data_win_eventdata_sourceIp”. If you check the screenshots, I was even successful in getting my Rule Simulation to work!
However, no matter what, and with new and current logs coming in, I’m unable to get the new fields with the geolocation data to populate in the logs as desired! I’m at a complete loss.