Step 4: Configure Dependencies

Once you’ve installed your dependencies in Step 3, it’s time to configure them.

In Step 4, post your experiences in configuring your dependencies as you moved along the Graylog User’s Journey.

* What dependencies did you configure? How did it go? If it went well, let us know. Post a tip or two.
* If you had any issues during the configurations, let us know. The community is here to help.

Posting a valid++ response to this question is worth 1 point.

For EACH STEP (there are 12 in all) in Graylog User’s Journey in which you post a valid++ response, you get a chance to win a $100 Amazon Gift Certificate! One lucky winner will have up to 12 chances to win. Go to “From the Graylog Book” to find the steps.

++Validity of response is subject to the community manager’s approval.

GeoIP is definitely the first dependency that people install and configure. Follow the recommended steps in step 3 of the GraylogBook. My tips for configuring and using GeoIP:

  1. First check if the geoip lookup table works by entering an internet IP address in System/Lookup Tables
  2. Check if your field src_ip (or another you want to use for GeoIP) contains a correct internet IP address. Use extractors or pipeline rules to extract it.
  3. If your pipeline rules don’t work, check your processing order. Please move your Message Filter Chain before the Pipeline Processor in System/Configuration - Message Processors Configuration
  4. If you want to extract country names use this snippet:
    let geo = lookup("geoip", to_string($message.src_ip)); set_field("src_ip_geo_country_name", geo["country"].names.en);
  5. If you want to use the world map widget, you need to extract the coordinates to a new field and create the world map widget on this field:
    let geo = lookup("geoip", to_string($message.src_ip)); set_field("src_ip_geo_location", geo["coordinates"]);
  6. Use the pipeline function in_private_net to exclude local LAN RFC1918 addresses from GeoIP lookups:
    when has_field("src_ip") && ! in_private_net(to_string($message.src_ip)) then
  7. Try to update your GeoIP DB from time to time, so it’s accurate. You can use the script geoipupdate:
    https://dev.maxmind.com/geoip/updating-databases?lang=en
  8. If you want to extract coordinates (and use the world map widget), use the MaxMind City database and not Country.
  9. Try using the pipeline function debug to see if the condition works, by putting the debug function in the body:
    let debug_message = concat("GeoIP from IP ", to_string($message.src_ip)); debug(debug_message);
    And then check the logs on the Graylog box using: sudo tail -f /var/log/graylog-server/server.log
    Functions — Graylog 4.0.0 documentation
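As an added example (not from soothub's post or from the Graylog project), here are those tips combined into one complete pipeline rule. It assumes a lookup table named geoip backed by the MaxMind City database and a source field src_ip, as in the tips above, and adds an is_not_null guard in the when clause because lookup() returns null for addresses the database does not know, which would otherwise leave empty fields behind.

```graylog
rule "GeoIP enrich src_ip"
when
  // Only enrich public addresses: RFC1918 ranges are skipped (tip 6),
  // and a message whose IP has no database entry never reaches the then block
  has_field("src_ip")
  && ! in_private_net(to_string($message.src_ip))
  && is_not_null(lookup("geoip", to_string($message.src_ip)))
then
  let ip = to_string($message.src_ip);
  let geo = lookup("geoip", ip);

  // Country name for searches, filters and dashboards (tip 4)
  set_field("src_ip_geo_country_name", geo["country"].names.en);

  // "lat,lon" string the world map widget expects; needs the City DB (tips 5 and 8)
  set_field("src_ip_geo_location", geo["coordinates"]);

  // Trace in /var/log/graylog-server/server.log while testing the rule (tip 9)
  debug(concat("GeoIP from IP ", ip));
end
```

Attach the rule to a pipeline stage connected to the stream carrying the src_ip messages, and remove the debug() line once the fields show up as expected.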

Thanks, soothub, for posting responses to each step thus far. This post is awesome.