Hi all,
I've just activated the Geo-Location processor within my Graylog
environment and noticed that it does not create _geolocation fields for any
of my custom fields containing an IP-address.
Other fields like "source" work fine so I think this is not a general issue
with the plugin. I changed the order for message processing to 1. Pipeline
Processor, 2. Message Filter Chain and 3. GeoIP Resolver
because I extract a lot of fields within pipeline rules.
As an example I create a field called "FW_SourceIP":

    let matcherSrcIp = regex(
        ".*srcip=((?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])).*",
        to_string($message.message));
    set_field("FW_SourceIP", to_ip(matcherSrcIp["0"]));

I'm able to use the created field and use it without any problems but I
never get a field "FW_SourceIP_geolocation".
The field is stored as a string within the ES index.
Has anyone used this combination of fields, pipeline rules and the GeoIP
plugin?
Regards,
Jan