I’ve activated Geolocation according to the documentation http://docs.graylog.org/en/2.2/pages/geolocation.html and it automatically started to work for the generic “source” field (I did get a source_geolocation etc. which I can make a map widget of etc.)
But the “source” field is uninteresting, so I’ve created extractor that extracts IP-addresses from various logs, for example the ssh log. (done via a regexp extractor)
However, although the new field “ssh_remote_ip” now exists (with valid IP addresses), the GeoIP resolver doesn’t pickup those, as no “ssh_remote_ip_geolocation” etc. field(s) are being generated.
The isn’t anything about GeoIP in /var/log/graylog-server/server.log either
What could be going wrong?
I should probably have mentioned that this is Graylog version 2.2.3