Netscaler GeoIP logging

Hello,

I’ve pointed Netscaler Syslog to graylog and I’m retrieving logs. Now I’m trying to add GeoIP to the logging.

I want to do this on Client_ip value in the following message that’s being logged in the ‘message’ field.

09/01/2024:14:34:43 GMT VMPDCNADC01 0-PPE-0 : default SSLVPN TCPCONNSTAT 3486158 0 : Context x@x.com@84.198.xx.xx - SessionId: 62198 - User x@x.com - Client_ip 84.198.xx.xx - Nat_ip 84.198.xx.xx - Vserver 10.250.64.14:443 - Source 84.198.xx.xx:59994 - Destination 10.250.64.13:443 - Start_time "09/01/2024:14:34:43 GMT" - End_time "09/01/2024:14:34:43 GMT" - Duration 00:00:00  - Total_bytes_send 0 - Total_bytes_recv 2738 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"

I followed all the steps here, creating the pipeline:

I can confirm GeoIP lookup is working by testing this in the lookup table. It finds my country/city.

I’ve created the pipeline, connected it to stage 0 and to the stream.

rule "src_ip"
when
  has_field("Client_ip")
then
  // Look up the client address in the GeoIP lookup table named "src_ip"
  let geo = lookup("src_ip", to_string($message.Client_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

But on new log messages no values are being displayed for GeoIP, the values are just missing.

Any idea what I’m doing wrong? I’m kinda new to Graylog so this is all a bit confusing to me. Thanks :slight_smile:

Greetings, I believe I responded to you on your Reddit thread.

Same questions though:

  1. What happens if you go directly to the lookup table and put that same IP? Do you get a result back?
  2. What happens if you copy the message from the search page using the “copy message” button when expanding the message and paste that into the pipeline simulator?

Also, just to verify, your logs are being parsed and you have a field in the message named Client_ip, correct?
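One way to check offline whether a TCPCONNSTAT line really yields a Client_ip field that the rule's has_field() test and the GeoIP lookup can use, as an added Python example (not code from the thread or from Graylog; the sample line and the 203.0.113.5 address are constructed):

```python
import ipaddress
import re

# Constructed sample shaped like the TCPCONNSTAT line in the thread (placeholder addresses).
SAMPLE = (
    "09/01/2024:14:34:43 GMT VMPDCNADC01 0-PPE-0 : default SSLVPN TCPCONNSTAT "
    "3486158 0 : Context x@x.com@203.0.113.5 - SessionId: 62198 - User x@x.com - "
    "Client_ip 203.0.113.5 - Nat_ip 203.0.113.5 - Vserver 10.250.64.14:443 - "
    "Source 203.0.113.5:59994 - Destination 10.250.64.13:443 - "
    'Start_time "09/01/2024:14:34:43 GMT" - End_time "09/01/2024:14:34:43 GMT" - '
    "Duration 00:00:00  - Total_bytes_send 0 - Total_bytes_recv 2738 - "
    'Access Allowed - Group(s) "N/A"'
)

# Fixed NetScaler prefix; everything after the second " : " is the "Key value - Key value" body.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\S+ GMT) (?P<host>\S+) (?P<ppe>\S+) : (?P<partition>\S+) "
    r"(?P<feature>\S+) (?P<event>\S+) (?P<event_id>\d+) \d+ : (?P<body>.*)$"
)

# Address blocks a GeoIP database has no entry for (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def parse_tcpconnstat(line):
    """Split one TCPCONNSTAT message into fields; None if the prefix does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if k != "body"}
    # Fields are separated by " - " (Duration has two spaces before its separator).
    for part in re.split(r"\s+-\s+", m.group("body")):
        key, _, value = part.partition(" ")
        fields[key.rstrip(":")] = value.strip().strip('"')  # "SessionId:" -> "SessionId"
    return fields


def geoip_candidate(fields):
    """Value lookup("src_ip", ...) would get, or None when has_field("Client_ip") is false
    or the database cannot answer (unparsable or internal address)."""
    raw = fields.get("Client_ip") if fields else None
    if raw is None:
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    return None if any(addr in net for net in NON_ROUTABLE) else raw
```

If the message was never parsed, parse_tcpconnstat() is the step the ingest side is missing: with no Client_ip field the rule's when clause is false and it silently sets nothing, which matches the "values are just missing" symptom.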

Ah right, sorry for the crosspost but my post here was marked as spam. So I posted it on Reddit. I guess they posted it anyway.

Sorry about that! I replied to your reply there :slight_smile:
