Pipelines Configuration

geox · May 17, 2021, 7:18am

Hello,

I’ve followed step-by-step that article:

There’re two things that confuses me:

1 . I created a pipeline, I connected Stage0 with a Stage Rule sucessfully.
However this message appears :

This pipeline is currently not connected to any streams. You have to connect a pipeline to at least one stream to make it process incoming messages. Note that this is not required if you intend to use this pipeline only for search result transformation using decorators.

Is it mandatory to create a stream ? The article not mentions something like that.
Check please the screenshot:

After following all these steps according to the article , how Im going to view the field: src_ip_geo_location ?
Please note , that all the log information is reaching my Graylog setup through Sidecar/Beats from the server nodes.

shoothub · May 17, 2021, 12:12pm

Check docs, to better understanding:
https://docs.graylog.org/en/4.0/pages/pipelines/stream_connections.html

geox · May 17, 2021, 1:02pm

Thanks , but this article (Stream connections — Graylog 4.0.0 documentation) doesn’t really mention anything valuable, just some vague points that pipelines do not process any messages.

Any other ideas ?
Its rather unclear how the geolocation configuration is connected with pipelines and streams.

shoothub · May 17, 2021, 1:18pm

For a pipeline to actually do any work it must first be connected to one or more streams.

So it’s mandatory to connect pipeline to stream. If you want to process all messages connect to default stream All messages.

https://docs.graylog.org/en/4.0/pages/pipelines/usage.html#connect-pipelines-to-streams

Geolocation uses lookup table which convert IP to geoip parameters like state, city and so on. This lookup table is used in pipeline rule, which uses function lookup() to get this paramaters and store them as custom fields. Pipeline rule runs in specific stage of pipeline. And pipeline is connected to stream to run.

Please read at least these sections to better understanding how it works:
https://docs.graylog.org/en/4.0/pages/pipelines.html
https://docs.graylog.org/en/4.0/pages/lookuptables.html
https://docs.graylog.org/en/4.0/pages/geolocation.html

geox · May 17, 2021, 2:13pm

Thanks for the reply.
I’ve already done the following steps

1.Download the Geolocation Database
2.Configure Data Adapters
3.Configure Caches
4.Configure Lookup Tables
5.Configure Pipeline Rules

I have created a new Stream , named “Geolocation” with the following rule:

Then , I connected this Stream with the Pipeline:

2021-05-17 17_06_08-Graylog - Pipelines

How Im gonna view now the Geolocation IPs now ?
In the Fields, the following are visible:

thanks a lot!

gsmith · May 18, 2021, 1:41am

@geox
Hello,

Try using the search. Should look something like this below. If not you may have something missed configured.

shoothub · May 18, 2021, 8:38am

Hi @geox , for which field do you try to use geo ip location. In howto you have posted they used field src_ip with IP address that was used for geo location. I don’t see this field in your fields list. Please post you pipeline rule you used, and field which contains ip address.

geox · May 18, 2021, 8:47am

thanks for the reply!

The pipeline rule is:

rule “GeoIP lookup: src_ip”
when
has_field(“src_ip”)
then
let geo = lookup(“geoip”, to_string($message.src_ip));

set_field(“src_ip_geo_location”, geo[“coordinates”]);
set_field(“src_ip_geo_country”, geo[“country”].iso_code);
set_field(“src_ip_geo_city”, geo[“city”].names.en);
end

shoothub · May 18, 2021, 8:55am

You’ve used pipeline rule which uses field src_ip with ip address which convert to geoip fields. But I don’t see this field src_ip in your field list.

Which field in your message contains IP address you want to use as input for GeoIP? If field has different name as src_ip change pipeline rule and replace src_ip with your real field name which contains internet IP address.

geox · May 18, 2021, 9:37am

You were right , I made the following adjustments:

rule “GeoIP lookup: IP”
when
has_field(“IP”)
then
let geo = lookup(“geoip”, to_string($message.IP));

set_field(“IP_geo_location”, geo[“coordinates”]);
set_field(“IP_geo_country”, geo[“country”].iso_code);
set_field(“IP_geo_city”, geo[“city”].names.en);
end

Im not sure if the Stream that I have connected with the Pipeline is correct:

and the Stream Rule:

thanks a lot for your support!

shoothub · May 18, 2021, 9:39am

It seam ok if stream contains all messages for which you want to use geoip.

geox · May 18, 2021, 10:03am

I should have seen fields like:

IP_geo_location
IP_geo_country
IP_geo_city

but unfortunately nothing yet:

Is there something else that I should check?

shoothub · May 18, 2021, 10:12am

Check:

If your logs are correctly forwarded to stream
Check your processing order. Please move your Message Filter chain before Pipeline Processor in System Configuration - Message Processors Configuration
Try to debug pipeline rule using debug() function like this:
debug(concat("IP: ", to_string($message.IP)));
And then check logs:
sudo tail -f /var/log/graylog-server/server.log

geox · May 18, 2021, 10:25am

thanks for the support so far!

system · June 1, 2021, 3:04pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline on new stream not working Graylog Central (peer support) pipeline-rules	3	2658	July 7, 2021
Geolocation issues Graylog Central (peer support) pipeline-rules	3	707	September 15, 2021
GeoIP Setup - Need help Graylog Add-ons	14	340	February 9, 2024
Geo-ip mapping ANY ipv4 field Graylog Central (peer support) pipeline-rules	4	485	August 20, 2020
Geolocation 0 message error Graylog Central (peer support) pipeline-rules , debuggingpl	3	690	November 19, 2020

Pipelines Configuration

Related topics