Netscaler GeoIP logging

martijnk · January 10, 2024, 8:56am

Hello,

I’ve pointed Netscaler Syslog to graylog and I’m retrieving logs. Now I’m trying to add GeoIP to the logging.

I want to do this on Client_ip value in the following message that’s being logged in the ‘message’ field.

09/01/2024:14:34:43 GMT VMPDCNADC01 0-PPE-0 : default SSLVPN TCPCONNSTAT 3486158 0 : Context x@x.com@84.198.xx.xx - SessionId: 62198 - User x@x.com - Client_ip 84.198.xx.xx - Nat_ip 84.198.xx.xx - Vserver 10.250.64.14:443 - Source 84.198.xx.xx:59994 - Destination 10.250.64.13:443 - Start_time "09/01/2024:14:34:43 GMT" - End_time "09/01/2024:14:34:43 GMT" - Duration 00:00:00  - Total_bytes_send 0 - Total_bytes_recv 2738 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"

I followed all the steps here, creating the pipeline:

I can confirm GeoIP lookup is working by testing this in the lookup table. It finds my country/city.

I’ve created the pipeline connected it to stage 0 and to the stream.

rule "src_ip"
when
  has_field("Client_ip")
then
let geo = lookup("src_ip", to_string($message.Client_ip));
set_field("src_ip_geo_location", geo["coordinates"]);
set_field("src_ip_geo_country", geo["country"].iso_code);
set_field("src_ip_geo_city", geo["city"].names.en);
end

But on new log messages no values are being displayed for GeoIP, the values are just missing.

Any idea what I’m doing wrong? I’m kinda new to Graylog so this is all a bit confusing to me. Thanks

drewmiranda-gl · January 11, 2024, 5:49pm

Greetings, i believe i responded to you on your reddit thread.

Same questions though:

What happens if you go directly to the lookup table and put that same IP? Do you get a result back?
What happens if you copy the message from the search page using the “copy message” button when expanding the message and paste that into the pipeline simulator?

Also, just to verify, your logs are being parsed and you have a field in the message named Client_ip, correct?

martijnk · January 12, 2024, 8:39am

Ah right, sorry for the crosspost but my post here was marked as spam. So I posted it on Reddit. I guess they posted it anyway.

drewmiranda-gl · January 12, 2024, 9:11pm

sorry about that! I replied to your reply there

system · January 26, 2024, 9:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GeoIP Setup - Need help Graylog Add-ons	14	328	February 9, 2024
GrayLog3 GeoIP does not work! Graylog Central (peer support) pipeline-rules	4	1285	May 7, 2020
Creating GeoIP dashboard Graylog Central (peer support)	1	114	May 17, 2024
Geolocation issues Graylog Central (peer support) pipeline-rules	3	705	September 15, 2021
Can not open GeoIP on Aggregation Graylog Central (peer support)	2	411	February 10, 2022

Netscaler GeoIP logging

Related topics