It looks like it's running before extractors in your Graylog instance. Could you please share with us your "Message Processors Configuration" in System -> Configurations?
Edmundo > On 01 Apr 2016, at 13:36, Micha - <michael.e...@wuerth-it.com> wrote: > > Hi Edmundo, > > Thanks for your reply - but then i guess should work since i have already an > extractor and a field (client_ip) with only the IP Address - but it doesnt. > > > > > > > > > > > > > > > > > Seems still to me like it only resolves the sender Address, hmrpf > > Am Freitag, 1. April 2016 13:10:19 UTC+2 schrieb Edmundo Alvarez: > Hi Michael, > > The Geo-location resolver looks for IPs in all fields that _only_ contain an > IP address. That means, you need to extract the IP to it's own field (using > an extractor or sending logs with something like GELF), to make the > geo-location work. > > The description text is unfortunately outdated, but will take care of fixing > it for the next release. > > I hope that helps. > > Regards, > Edmundo > > > On 01 Apr 2016, at 09:55, michae...@wuerth-it.com wrote: > > > > Hi, > > > > Maybe I missed something somewhere, but it looks to me like Geo-Location > > Processor only tries to resolve the sender address of the message, and not > > any fields like stated in the description > > > > "scans all fields of every message for IPv4 addresses" > > > > > > On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under > > configuration and added the DB file from Maxmind. > > > > Graylog Settings: > > > > Geo-Location Processor > > > > If enabled, the GeoIP processor plugin scans all fields of every message > > for IPv4 addresses and puts the location information into a field named > > fieldname_geolocation where "fieldname" is the name of the field in which > > an IP address has been found. > > > > Enabled: yes > > Database type: City database > > Database path: /etc/graylog/GeoLite2-City.mmdb > > > > root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb > > -rw-rw-r-- 1 root root 36745923 Mar 29 08:05 > > /etc/graylog/GeoLite2-City.mmdb > > > > > > when i send a sample msg line into Graylog: > > root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 > > 51 > > > > > > > > > > > > With Subystem Indexer Logging set to Debug i get this: > > 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: > > org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location > > from IP 127.0.0.1 > > 2016-04-01_07:21:22.17079 > > com.maxmind.geoip2.exception.AddressNotFoundException: The address > > 127.0.0.1 is not in the database. > > 2016-04-01_07:21:22.17149 at > > com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) > > ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?] > > 2016-04-01_07:21:22.17230 at > > com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) > > ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?] > > 2016-04-01_07:21:22.17284 at > > org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) > > [graylog-plugin-map-widget-1.0.0-beta.1.jar:?] > > 2016-04-01_07:21:22.17429 at > > org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) > > [graylog-plugin-map-widget-1.0.0-beta.1.jar:?] > > 2016-04-01_07:21:22.17572 at > > org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) > > [graylog-plugin-map-widget-1.0.0-beta.1.jar:?] > > 2016-04-01_07:21:22.17587 at > > org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) > > [graylog.jar:?] > > 2016-04-01_07:21:22.17656 at > > org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) > > [graylog.jar:?] > > 2016-04-01_07:21:22.18244 at > > org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) > > [graylog.jar:?] > > 2016-04-01_07:21:22.18651 at > > org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) > > [graylog.jar:?] > > 2016-04-01_07:21:22.18660 at > > com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) > > [graylog.jar:?] > > 2016-04-01_07:21:22.18663 at > > com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) > > [graylog.jar:?] > > 2016-04-01_07:21:22.18665 at java.lang.Thread.run(Thread.java:745) > > [?:1.8.0_74] > > > > Regards > > Micha > > > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Graylog Users" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to graylog2+u...@googlegroups.com. > > To view this discussion on the web visit > > https://groups.google.com/d/msgid/graylog2/908b3309-0a13-4fff-8c77-664af336d4a0%40googlegroups.com. > > > > For more options, visit https://groups.google.com/d/optout. > > > -- > You received this message because you are subscribed to the Google Groups > "Graylog Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to graylog2+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/graylog2/364393e1-bec0-4a97-9695-2e7f6a1cd70f%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/26F9ADDB-BF5B-4CB5-ADDD-95A50497BA9F%40graylog.com. For more options, visit https://groups.google.com/d/optout.
