Hi,

Maybe I missed something, but it looks to me like the Geo-Location Processor only tries to resolve the sender address of the message, and not any fields.
On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under configuration and added the DB file from Maxmind.

Graylog Settings:

Geo-Location Processor
If enabled, the GeoIP processor plugin scans all fields of every message for IPv4 addresses and puts the location information into a field named fieldname_geolocation where "fieldname" is the name of the field in which an IP address has been found.

Enabled: yes
Database type: City database
Database path: /etc/graylog/GeoLite2-City.mmdb

Then I sent just a sample msg line into Graylog:

root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 514

With Subsystem Indexer Logging set to Debug I get this:

2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1
2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 is not in the database.
2016-04-01_07:21:22.17149 at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17230 at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17284 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17429 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17572 at org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17587 at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
2016-04-01_07:21:22.17656 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
2016-04-01_07:21:22.18244 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
2016-04-01_07:21:22.18651 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
2016-04-01_07:21:22.18660 at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
2016-04-01_07:21:22.18663 at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2016-04-01_07:21:22.18665 at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
