Hi Jochen,
An example message can look like this:
<189>date=2016-08-30 time=08:34:23 devname=fw-cluster1
devid=FGT3HD4895600243 logid=0001000014 type=traffic subtype=local
level=notice vd=mgmt-domain srcip=80.0.0.1 srcport=12345 srcintf="agg1.208"
dstip=80.0.0.2 dstport=162 dstintf="mgmt-1" sessionid=1582245083 proto=17
action=deny policyid=0 dstcountry="Germany" srccountry="Germany"
trandisp=noop service="snmptrap-udp" app="snmptrap-udp" duration=0
sentbyte=0 rcvdbyte=0 sentpkt=0
With the help of the pipeline rule I extract values like:
- 10.208.1.1
- 80.0.0.1
- 212.6.1.1
Some of the addresses are private others are public. I'm not sure how the
plugin handles private IP-ranges. Should I see at least an empty
_geolocation field?
Regards,
Jan
On Monday, 29 August 2016 16:57:55 UTC+2, Jochen Schalanda wrote:
>
> Hi Jan,
>
> please post some examples of the content of the "FW_SourceIP" field of the
> messages in your Graylog instance.
>
> Cheers,
> Jochen
>
> On Monday, 29 August 2016 14:30:51 UTC+2, Jan wrote:
>>
>> Hi all,
>>
>> I've just activated the Geo-Location processor within my Graylog
>> environment and noticed that it does not create _geolocation fields for any
>> of my custom fields containing an IP-address.
>> Other fields like "source" work fine so I think this is not a general
>> issue with the plugin. I changed the order for message processing to 1.
>> Pipeline Processor, 2. Message Filter Chain and 3. GeoIP Resolver
>> because I extract a lot of fields within pipeline rules.
>>
>> As an example I create a field called "FW_SourceIP":
>>
>> let matcherSrcIp = regex(
>> ".*srcip=((?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])).*"
>> , to_string($message.message));
>> set_field("FW_SourceIP", to_ip(matcherSrcIp["0"]));
>>
>> I'm able to use the created field and use it without any problems but I
>> never get a field "FW_SourceIP_geolocation".
>> The field is stored as a string within the ES index.
>>
>> Has anyone used this combination of fields, pipeline rules and the GeoIP
>> plugin?
>>
>> Regards,
>> Jan
>>
>>
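To illustrate the two points in the thread above (extracting srcip from FortiGate key=value log lines, and the fact that private addresses such as 10.208.1.1 are not candidates for a GeoIP lookup while 80.0.0.1 and 212.6.1.1 are), here is an added Python example; it is not part of the thread and not Graylog's own code, and the log lines it parses are constructed from the format quoted above.

```python
import ipaddress
import re

# Constructed sample lines in the FortiGate key=value syslog format quoted above.
SAMPLE_LOGS = [
    '<189>date=2016-08-30 time=08:34:23 devname=fw-cluster1 type=traffic '
    'subtype=local level=notice vd=mgmt-domain srcip=80.0.0.1 srcport=12345 '
    'srcintf="agg1.208" dstip=80.0.0.2 dstport=162 dstintf="mgmt-1" proto=17 '
    'action=deny policyid=0 dstcountry="Germany" srccountry="Germany"',
    '<189>date=2016-08-30 time=08:35:01 devname=fw-cluster1 type=traffic '
    'srcip=10.208.1.1 srcport=51000 dstip=212.6.1.1 dstport=443 proto=6 action=accept',
    '<189>date=2016-08-30 time=08:35:02 devname=fw-cluster1 type=event msg="no source here"',
]

# One key=value pair: value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Return a dict of all key=value fields in one FortiGate log line."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def classify_srcip(line):
    """Extract srcip and say whether a GeoIP lookup could return a location.

    Returns None when the line has no valid srcip field; otherwise a dict with
    the address, whether it is private (RFC 1918 etc.) and whether it is
    globally routable, which is what a GeoIP database can actually resolve.
    """
    raw = parse_fortigate(line).get("srcip")
    if raw is None:
        return None
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None  # malformed value: do not feed it to the resolver
    return {"srcip": str(ip), "is_private": ip.is_private, "geo_lookup": ip.is_global}


def classify_all(lines):
    """Apply classify_srcip to every line, keeping only lines with a srcip."""
    return [r for r in (classify_srcip(l) for l in lines) if r is not None]
```

Only entries with geo_lookup set to True can ever receive a _geolocation value; a private address is a valid IP but no public GeoIP database has coordinates for it.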