Hello, I am trying to get geolocation working.
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# yum -y install geoip
# geoipupdate
MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
/usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
GeoIP Database up to date
MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
/usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
GeoIP Database up to date
# geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043, 37.419201,
-122.057404, 807, 650
I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path and
GeoIP Resolver as the last message processor to run. Is it correct that if
I append “_geolocation” to a grok pattern that is an IP this should start
working?
Grok pattern for extractor
%{CISCOFW302013_302014_302015_302016}
Grok pattern
CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?:
%{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id}
for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}(
\(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))?
to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}(
\(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?(
duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?(
\(%{DATA:user}\))?
Test message:
ASA %ASA-6-302013: Built outbound TCP connection 304484017 for
outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 (8.8.4.4/54496)
When I click world map for “src_mapped_ip_geolocation” I get the pop up
error that says:
Could not load map information Map widget is only available for fields
containing geo data.
Thanks
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/fa8292b4-b31a-420b-adaf-536f95dc774f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.