Hi folks,
My latest sandbox project is Graylog…I have v6 on Ubuntu 22 set up and working with OpenSearch and Mongo, just like the documentation at Graylog said to. I have logs from my pfSense boxes rolling in, directed to a firewalls stream and going to a firewalls index…so far all is good.
Now I want to set up GeoLocation using MaxMind, so, once again, per the Graylog (and some other) docs I set up the GeoLocation plugin, arranged the processors, set up the Lookup Table, and created a Pipeline using stage 0 with a rule. The geo lookup works; I can test it using the test lookup on the lookup tables page and it works there, but it is not injecting the geolocation data into the log.
This is the rule I am using:
```
rule "GeoIP lookup: Source"
when
  has_field("SourceIP")
then
  let geo = lookup("geoip", to_string($message.src_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```
(Taken from a walkthrough site on the web that I don't remember; the only change I made to it was to adjust the "has_field" from src_ip to SourceIP, which is the field the extractor delivers.)
Here is the pipeline order:
AWS Instance name lookup (disabled)
Message Filter Chain
Pipeline Processor
GeoIP Resolver
Stream Rule Processor (disabled)
I am pretty much convinced the problem is with one of those two configs…is anyone able to help me figure it out?
Roy
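A guarded variant of the rule, added here as an example and not Roy's rule or code from Graylog's documentation: it takes the lookup key from the same field that has_field tests, and it skips RFC 1918 source addresses, which pfSense logs are full of and which a MaxMind database cannot resolve. It assumes the lookup table is named geoip and the extractor field is SourceIP, as in the post; cidr_match, to_ip and the other functions are standard Graylog pipeline built-ins.

```text
rule "GeoIP lookup: Source (public addresses only)"
when
  // Only fire when the extractor actually produced the field the lookup needs.
  has_field("SourceIP") &&
  // Private sources have no MaxMind entry, so do not run the lookup for them.
  // The three ranges are the RFC 1918 blocks (assumed; adjust to your network).
  ! cidr_match("10.0.0.0/8",    to_ip(to_string($message.SourceIP))) &&
  ! cidr_match("172.16.0.0/12", to_ip(to_string($message.SourceIP))) &&
  ! cidr_match("192.168.0.0/16", to_ip(to_string($message.SourceIP)))
then
  // The lookup key must come from the same field the when clause tested;
  // reading $message.src_ip here would pass an empty key to the lookup table.
  let geo = lookup("geoip", to_string($message.SourceIP));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

With the Message Filter Chain placed before the Pipeline Processor, as in the order shown above, the extractor has already populated SourceIP by the time this rule runs; the rule simulator under System > Pipelines shows whether the three fields are set on a sample message.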