Can anyone please have a quick look at my question posted at this link?
Hi, your setup looks good to me, but I’m somewhat of an amateur when it comes to graylog.
One thing that has been helpful to me in troubleshooting pipelines is to set up static messages within the rule that you can then check and see how it is running.
For instance, before the first step:
Set_field(“Step 1”,”Starting”)
There’s also a debug command that outputs to the graylog logs, but it looks like you may have a separate issue there. Hope that helps.
Definitely not a default value. It’s not working properly.
Have you tried testing out IPs in the lookup table data adapter? Does it work properly there?
Thanks for your input.
@joe.gross it looks like the Test Lookup (entering 8.8.8.8) is not working via Graylog GUI. I’m getting null values back.
While questioning the data source /usr/share/GeoIP/GeoLite2-City.mmdb
I come across the following script on How to use Maxmind GeoLite2 to obtain GeoIP data from the command line - Shabinx.com and was able to verify that the file / data source works without any problems!
Thanks to ED ALDRIDGE!!
I did some small adaptations in the script and wanted to share it with you.
Before you can run the script please do the following:
apt install jq mmdb-bin libmaxminddb-dev
sudo chmod +x lookup.sh
./lookup.sh
echo "Type the IP that you want to check, followed by [ENTER]:"
read inputIP
lookupASN=`mmdblookup --file /usr/share/GeoIP/GeoLite2-ASN.mmdb --ip $inputIP | sed -e ':a;N;$!ba;s/\n/ /g' |sed -e 's/ <[a-z0-9_]\+>/,/g' |sed -e 's/,\s\+}/}/g' | jq '"AS\(.autonomous_system_number) \(.autonomous_system_organization)"'`
lookupCITY=`mmdblookup --file /usr/share/GeoIP/GeoLite2-City.mmdb --ip $inputIP city names en |awk -F'"' '{print $2}'`
lookupORG=`mmdblookup --file /usr/share/GeoIP/GeoLite2-City.mmdb --ip $inputIP continent names en |awk -F'"' '{print $2}'`
lookupCOUNTRY=`mmdblookup --file /usr/share/GeoIP/GeoLite2-City.mmdb --ip $inputIP country names en |awk -F'"' '{print $2}'`
echo $inputIP","$lookupCITY","$lookupCOUNTRY","$lookupORG","$lookupASN
If you lookup IP’s which do not have any City, Country,… information there will be an error.
Got an error looking up the entry data - The lookup path does not match the data (key that doesn't exist, array index bigger than the array, expected array or map where none exists)
You can suppress this error by starting the script like this:
./lookup.sh 2> /dev/null
But so far no progress in troubleshooting the Graylog lookup table issue.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.