It looks like it's running before extractors in your Graylog instance. Could you please share with us your "Message Processors Configuration" in System -> Configurations?

Edmundo

> On 01 Apr 2016, at 13:36, Micha - <[email protected]> wrote:
>
> Hi Edmundo,
>
> Thanks for your reply - but then I guess should work since I have already an
> extractor and a field (client_ip) with only the IP Address - but it doesn't.
>
> Seems still to me like it only resolves the sender Address, hmrpf
>
> On Friday, 1 April 2016 at 13:10:19 UTC+2, Edmundo Alvarez wrote:
> Hi Michael,
>
> The Geo-location resolver looks for IPs in all fields that _only_ contain an
> IP address. That means, you need to extract the IP to its own field (using
> an extractor or sending logs with something like GELF), to make the
> geo-location work.
>
> The description text is unfortunately outdated, but will take care of fixing
> it for the next release.
>
> I hope that helps.
>
> Regards,
> Edmundo
>
> > On 01 Apr 2016, at 09:55, [email protected] wrote:
> >
> > Hi,
> >
> > Maybe I missed something somewhere, but it looks to me like Geo-Location
> > Processor only tries to resolve the sender address of the message, and not
> > any fields like stated in the description
> >
> > "scans all fields of every message for IPv4 addresses"
> >
> > On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under
> > configuration and added the DB file from MaxMind.
> >
> > Graylog Settings:
> >
> > Geo-Location Processor
> >
> > If enabled, the GeoIP processor plugin scans all fields of every message
> > for IPv4 addresses and puts the location information into a field named
> > fieldname_geolocation where "fieldname" is the name of the field in which
> > an IP address has been found.
> >
> > Enabled: yes
> > Database type: City database
> > Database path: /etc/graylog/GeoLite2-City.mmdb
> >
> > root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb
> > -rw-rw-r-- 1 root root 36745923 Mar 29 08:05 /etc/graylog/GeoLite2-City.mmdb
> >
> > When I send a sample msg line into Graylog:
> > root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 51
> >
> > With Subsystem Indexer Logging set to Debug I get this:
> > 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1
> > 2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 is not in the database.
> > 2016-04-01_07:21:22.17149 at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17230 at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17284 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17429 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17572 at org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> > 2016-04-01_07:21:22.17587 at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
> > 2016-04-01_07:21:22.17656 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
> > 2016-04-01_07:21:22.18244 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
> > 2016-04-01_07:21:22.18651 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
> > 2016-04-01_07:21:22.18660 at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
> > 2016-04-01_07:21:22.18663 at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
> > 2016-04-01_07:21:22.18665 at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
> >
> > Regards
> > Micha
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Graylog Users" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/graylog2/908b3309-0a13-4fff-8c77-664af336d4a0%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
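
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Graylog's code: a small Python model of a resolver that geolocates only fields whose whole value is an IP address, run before and after a hypothetical extractor. The `source` field name, `SAMPLE_DB`, the coordinates and the extractor are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the GeoLite2 City database (placeholder coordinates).
SAMPLE_DB = {"8.8.8.8": "10.0,20.0"}

# Constructed message modelled on the thread's test: sender is loopback,
# the interesting IP sits inside the free-text message field.
SAMPLE = {"source": "127.0.0.1", "message": "8.8.8.8 - test message"}


def extract_client_ip(msg):
    """Hypothetical extractor: copy a leading IP in 'message' to 'client_ip'."""
    first = msg.get("message", "").split(" ", 1)[0]
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return msg
    return {**msg, "client_ip": first}


def geo_resolve(msg, db=SAMPLE_DB):
    """Add <field>_geolocation only for fields whose entire value is an IP."""
    out = dict(msg)
    for name, value in msg.items():
        try:
            ip = ipaddress.ip_address(str(value).strip())
        except ValueError:
            continue  # '8.8.8.8 - test message' is not a bare IP, so it is skipped
        coords = db.get(str(ip))
        if coords is None:
            continue  # a miss, like the AddressNotFoundException for 127.0.0.1
        out[f"{name}_geolocation"] = coords
    return out


def run_pipeline(msg, stages):
    """Apply processing stages in the given order."""
    for stage in stages:
        msg = stage(msg)
    return msg


if __name__ == "__main__":
    # Resolver before extractor: client_ip exists but was never geolocated.
    print(run_pipeline(SAMPLE, [geo_resolve, extract_client_ip]))
    # Extractor before resolver: client_ip_geolocation is added.
    print(run_pipeline(SAMPLE, [extract_client_ip, geo_resolve]))
```
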
