Pipeline rule is not working for postfix log

Good Morning

I'm trying to create a pipeline rule that produces the field src_ip_geo_country_code from a Postfix log arriving over UDP syslog. I already applied an extractor for the ip field, but the rule does not work and does not create this field. Could anyone help me?

Log example:

Server postfix/smtpd[125]: lost connection after AUTH from PC25[192.168.40.12]

Rule Pipeline:

rule "GeoIP lookup: src_ip"
when
  has_field("message")
then
  let geo = lookup("geoip-lookup", to_string($message.ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country_code", geo["country"].iso_code);
  set_field("src_ip_geo_country", geo["country"].iso_code);
end

Extractor configuration

Source field: client
Store as field: ip
Regular expression: ((?:\d{1,3}\.){3}\d{1,3})

  1. First, don't try to use GeoIP for local (LAN) IP addresses; it can't work. GeoIP works only for Internet IP addresses.
  2. A better condition is to use the field with the ip and not message:
    has_field("ip")
  3. You use the same function geo["country"].iso_code in 2 fields; it's probably a typo.
  4. Try to debug whether the condition works by putting the debug function in the body:
    let debug_message = concat("GeoIP from IP ", to_string($message.ip));
    debug(debug_message);

And then check the logs on the Graylog box using:
sudo tail -f /var/log/graylog-server/server.log
  5. Check your processing order, so the Pipeline runs after the Extractor:
https://docs.graylog.org/en/3.3/pages/pipelines/stream_connections.html#the-importance-of-message-processor-ordering
  6. These blog posts can also be really helpful.


Thank you very much for the feedback. I made the change to search by ip that you suggested and called the debug; however, this error came back. Do you know what it could be?

" 2020-07-10T10:47:12.558-03:00 WARN [MaxmindDataAdapter] Unable to look up country data for IP address /189.14.204.248, returning empty result.
java.lang.UnsupportedOperationException: Invalid attempt to open a GeoLite2-City database using the country method
bash: 2020-07-10T10:47:12.558-03:00: command not found…"

The pipeline configuration looks like this

rule "GeoIP lookup: src_ip"
when
  has_field("ip")
then
  let geo = lookup("geoip-lookup", to_string($message.ip));
  let debug_message = concat("GeoIP from IP ", to_string($message.ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country_code", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

  1. Please paste your lookup configuration and the permissions of the geoip db.
  2. Check that you use the right geoip db file.
  3. Check your permissions for the geoip file; it should be readable by the graylog user.
  4. Check your lookup table for geoip: if you insert an ip, it should return geoip information.
  5. Your problem is probably in the geoip db and not the pipeline rule at all.
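Putting both replies together, here is an added example of how the rule could look (not code from this thread). It assumes the extractor already stores the address in the field ip, that the lookup table geoip-lookup is backed by a GeoLite2-City database with the data adapter set to the City type (the warning above says the file is a City database but the adapter is using the country method), and that to_ip and cidr_match, Graylog's built-in pipeline functions, are available.

```graylog
rule "GeoIP lookup: src_ip (skip private ranges)"
when
  // only messages where the extractor already produced the "ip" field
  has_field("ip") &&
  // GeoIP has no data for RFC 1918 or loopback addresses, so do not
  // call the lookup for them (avoids the empty-result warnings in server.log)
  ! cidr_match("10.0.0.0/8", to_ip($message.ip)) &&
  ! cidr_match("172.16.0.0/12", to_ip($message.ip)) &&
  ! cidr_match("192.168.0.0/16", to_ip($message.ip)) &&
  ! cidr_match("127.0.0.0/8", to_ip($message.ip))
then
  let ip = to_string($message.ip);
  // visible in /var/log/graylog-server/server.log when the condition matched
  debug(concat("GeoIP lookup for ", ip));
  let geo = lookup("geoip-lookup", ip);
  // City-type adapter results: coordinates, country.iso_code, city.names.en
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country_code", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

The sample Postfix line in the question (client 192.168.40.12) is therefore skipped by the condition, which is the expected result for a LAN address; a public address such as the 189.14.204.248 from the warning would reach the lookup.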

OK, I will look into that part.
Thank you very much for the guidance.
