Hi Edmundo,
The hint with the configuration made it, changed it and now it seems to work :)

<https://lh3.googleusercontent.com/-2FjsWE3k_CE/Vv5wm2TkQXI/AAAAAAAAABA/lUz4B0F5gNcW2JFef3fpYhjVSk7SvxCbQ/s1600/config_changed.png>

<https://lh3.googleusercontent.com/-NIlNPC1N8xU/Vv5wvjDgZGI/AAAAAAAAABI/LC67YWfMjBgL7v83yk_IBDQbzjIHuQboA/s1600/config_changed_map.png>

Thank you so far :)

On Friday, 1 April 2016 14:40:38 UTC+2, Micha - wrote:
>
> Sure :)
>
> Is unchanged I think; on my other manual installation with more or less
> productive traffic it looks the same. But here is a screenshot from the VM:
>
> <https://lh3.googleusercontent.com/-1YoS84W8Z8I/Vv5rySuqBoI/AAAAAAAAAAw/91sof8Iy5fUWuiRgoSppAFvb66rq4qkZQ/s1600/config.png>
>
> On Friday, 1 April 2016 14:31:50 UTC+2, Edmundo Alvarez wrote:
>>
>> It looks like it's running before extractors in your Graylog instance.
>> Could you please share with us your "Message Processors Configuration" in
>> System -> Configurations?
>>
>> Edmundo
>>
>> > On 01 Apr 2016, at 13:36, Micha - <[email protected]> wrote:
>> >
>> > Hi Edmundo,
>> >
>> > Thanks for your reply - but then I guess it should work since I already
>> > have an extractor and a field (client_ip) with only the IP address - but
>> > it doesn't.
>> >
>> > Seems still to me like it only resolves the sender address, hmrpf
>> >
>> > On Friday, 1 April 2016 13:10:19 UTC+2, Edmundo Alvarez wrote:
>> > Hi Michael,
>> >
>> > The Geo-location resolver looks for IPs in all fields that _only_
>> > contain an IP address. That means, you need to extract the IP to its own
>> > field (using an extractor or sending logs with something like GELF), to
>> > make the geo-location work.
>> >
>> > The description text is unfortunately outdated, but will take care of
>> > fixing it for the next release.
>> >
>> > I hope that helps.
>> >
>> > Regards,
>> > Edmundo
>> >
>> > > On 01 Apr 2016, at 09:55, [email protected] wrote:
>> > >
>> > > Hi,
>> > >
>> > > Maybe I missed something somewhere, but it looks to me like
>> > > Geo-Location Processor only tries to resolve the sender address of the
>> > > message, and not any fields like stated in the description
>> > >
>> > > "scans all fields of every message for IPv4 addresses"
>> > >
>> > > On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under
>> > > configuration and added the DB file from Maxmind.
>> > >
>> > > Graylog Settings:
>> > >
>> > > Geo-Location Processor
>> > >
>> > > If enabled, the GeoIP processor plugin scans all fields of every
>> > > message for IPv4 addresses and puts the location information into a field
>> > > named fieldname_geolocation where "fieldname" is the name of the field in
>> > > which an IP address has been found.
>> > >
>> > > Enabled: yes
>> > > Database type: City database
>> > > Database path: /etc/graylog/GeoLite2-City.mmdb
>> > >
>> > > root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb
>> > > -rw-rw-r-- 1 root root 36745923 Mar 29 08:05 /etc/graylog/GeoLite2-City.mmdb
>> > >
>> > > When I send a sample msg line into Graylog:
>> > > root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 51
>> > >
>> > > With Subsystem Indexer Logging set to Debug I get this:
>> > > 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1
>> > > 2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 is not in the database.
>> > > 2016-04-01_07:21:22.17149 at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
>> > > 2016-04-01_07:21:22.17230 at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
>> > > 2016-04-01_07:21:22.17284 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
>> > > 2016-04-01_07:21:22.17429 at org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
>> > > 2016-04-01_07:21:22.17572 at org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
>> > > 2016-04-01_07:21:22.17587 at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.17656 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.18244 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.18651 at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.18660 at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.18663 at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
>> > > 2016-04-01_07:21:22.18665 at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]
>> > >
>> > > Regards
>> > > Micha
>> > >
>> > > --
>> > > You received this message because you are subscribed to the Google Groups "Graylog Users" group.
>> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > > To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/908b3309-0a13-4fff-8c77-664af336d4a0%40googlegroups.com.
>> > > For more options, visit https://groups.google.com/d/optout.
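
A simplified model of the behaviour discussed in this thread, added here as an illustration (it is not Graylog's code and not from any poster): a resolver that only looks up fields whose whole value is an IPv4 address finds nothing for `client_ip` when it runs before the extractor that creates that field. The stage functions, the `source` field name for the sender address, and the lookup table are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for a GeoLite2 City lookup (not real MaxMind data).
SAMPLE_GEO_DB = {"8.8.8.8": "37.75,-97.82"}


def extract_client_ip(msg):
    """Extractor stage: copy a leading IPv4 address from 'message' into 'client_ip'."""
    m = re.match(r"(\d{1,3}(?:\.\d{1,3}){3})\b", msg.get("message", ""))
    if m:
        msg["client_ip"] = m.group(1)
    return msg


def geo_resolve(msg):
    """Resolver stage: look up only fields whose entire value is an IPv4 address."""
    for name, value in list(msg.items()):
        if name.endswith("_geolocation"):
            continue
        try:
            ip = ipaddress.IPv4Address(str(value))
        except ValueError:
            continue  # "8.8.8.8 - test message" is not a bare IP, so it is skipped
        location = SAMPLE_GEO_DB.get(str(ip))
        if location is not None:  # 127.0.0.1 is not in the database
            msg[name + "_geolocation"] = location
    return msg


def run(order):
    """Push the thread's sample message through the stages in the given order."""
    msg = {"source": "127.0.0.1", "message": "8.8.8.8 - test message"}
    for stage in order:
        msg = stage(msg)
    return msg


if __name__ == "__main__":
    # Resolver first: client_ip does not exist yet when the lookup happens.
    print(run([geo_resolve, extract_client_ip]))
    # Extractor first: client_ip is a bare IP and gets client_ip_geolocation.
    print(run([extract_client_ip, geo_resolve]))
```
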
