Hello, I am trying to get geolocation working. 

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

# yum -y install geoip

# geoipupdate
MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
/usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
GeoIP Database up to date
MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
/usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
GeoIP Database up to date

# geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043, 37.419201, -122.057404, 807, 650

I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path and 
GeoIP Resolver as the last message processor to run. Is it correct that if 
I append “_geolocation” to a grok pattern that is an IP this should start 
working?

Grok pattern for extractor

%{CISCOFW302013_302014_302015_302016}

Grok pattern

CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?

Test message:

ASA %ASA-6-302013: Built outbound TCP connection 304484017 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 (8.8.4.4/54496)

When I click world map for “src_mapped_ip_geolocation” I get the pop up 
error that says:

Could not load map information Map widget is only available for fields 
containing geo data.

Thanks
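Added example (not part of the original post, and not Graylog's or the GeoIP plugin's code): a stand-alone Python script that runs a hand-translated version of the grok pattern above over the test message from the post, then simulates the enrichment pass a GeoIP resolver performs. The grok sub-patterns (CISCO_ACTION, IP, DATA, ...) are approximations of the library definitions, the lookup table is a constructed stand-in for GeoLiteCity.dat, and the "lat,lon" string written into a <field>_geolocation key is an assumption about the resolver's output format. Running it shows which fields the extractor actually produces and which of them are enriched (the private 10.x address is not), which is the first thing to check when a map widget refuses a field.

```python
import ipaddress
import re

# Hand-translated approximations of the grok library patterns used above.
IP = r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
INT = r"[+-]?\d+"
DATA = r".*?"
WORD = r"\w+"
CISCO_ACTION = (r"Built|Teardown|Deny|Denied|denied by ACL|denied|requested|"
                r"permitted|discarded|est-allowed|Dropping|created|deleted")
CISCO_DIRECTION = r"[Ii]nbound|[Oo]utbound"
TIME = r"\d{1,2}:\d{2}:\d{2}"
CISCO_REASON = r"[A-Za-z][\w -]*?"

# Same structure and field names as the CISCOFW302013_... pattern in the post.
PATTERN = re.compile(
    rf"(?P<action>{CISCO_ACTION})(?: (?P<direction>{CISCO_DIRECTION}))? "
    rf"(?P<protocol>{WORD}) connection (?P<connection_id>{INT})"
    rf" for (?P<src_interface>{DATA}):(?P<src_ip>{IP})/(?P<src_port>{INT})"
    rf"( \((?P<src_mapped_ip_geolocation>{IP})/(?P<src_mapped_port>{INT})\))?"
    rf"(\((?P<src_fwuser>{DATA})\))?"
    rf" to (?P<dst_interface>{DATA}):(?P<dst_ip>{IP})/(?P<dst_port>{INT})"
    rf"( \((?P<dst_mapped_ip_geolocation>{IP})/(?P<dst_mapped_port>{INT})\))?"
    rf"(\((?P<dst_fwuser>{DATA})\))?"
    rf"( duration (?P<duration>{TIME}) bytes (?P<bytes>{INT}))?"
    rf"(?: (?P<reason>{CISCO_REASON}))?( \((?P<user>{DATA})\))?"
)

# Test message taken from the post.
TEST_MESSAGE = ("ASA %ASA-6-302013: Built outbound TCP connection 304484017 for "
                "outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 (8.8.4.4/54496)")

# Constructed stand-in for the GeoLiteCity database: ip -> (country, city, lat, lon).
# Values are sample data for this example, not real lookups.
GEO_DB = {
    "8.8.8.8": ("US", "Mountain View", 37.419201, -122.057404),
    "8.8.4.4": ("US", "Mountain View", 37.751, -97.822),
}


def parse_asa(message):
    """Run the translated grok pattern; return only the fields that matched."""
    m = PATTERN.search(message)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def is_public_ipv4(value):
    """True for a globally routable IPv4 literal; ports, ids and names are not."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.version == 4 and addr.is_global


def enrich(fields, geo_db=GEO_DB):
    """Simulate a GeoIP resolver pass over extracted fields.

    Assumption: for every field whose value is a public IPv4 address with a
    database hit, a new key <field>_geolocation holding "lat,lon" is added.
    The suffix is produced here, not by the grok field name.
    """
    out = dict(fields)
    for name, value in fields.items():
        if not is_public_ipv4(value):
            continue  # RFC1918 and non-IP values have no location to resolve
        hit = geo_db.get(value)
        if hit is None:
            continue  # address not in the (constructed) database
        _country, _city, lat, lon = hit
        out[f"{name}_geolocation"] = f"{lat},{lon}"
    return out


if __name__ == "__main__":
    extracted = parse_asa(TEST_MESSAGE)
    for key, val in sorted(enrich(extracted).items()):
        print(f"{key:40s} {val}")
```

Note that the field the post names src_mapped_ip_geolocation contains a plain IP string after extraction; in this simulation the coordinate pair ends up in src_mapped_ip_geolocation_geolocation, while dst_ip (a 10.x address) receives no geolocation field at all.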

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/fa8292b4-b31a-420b-adaf-536f95dc774f%40googlegroups.com.