Thanks for the reply. But even if I remove “_geolocation” it still does not 
work. 

for example:

%{IP:src_mapped_ip}

Or are you saying that I should have a field named “ip_geolocation”? I don't 
have one.

I also have another tag named “asa_src_ip” and the same pop error is given. 
I am making sure that I see internet IP addresses only.

Is there a debug option? If so how do I enable it?

Also verified that the graylog user can read the geolite file

# ls -l /usr/share/GeoIP/GeoLiteCity.dat
-rw-r--r--. 1 root root 17765572 Oct 15 16:02 /usr/share/GeoIP/GeoLiteCity.dat

On Thursday, October 20, 2016 at 4:09:31 PM UTC-7, d3pr3cat3d wrote:

> Hello, I am trying to get geolocation working. 
>
> # cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> # yum -y install geoip
>
> # geoipupdate
> MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
> /usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
> GeoIP Database up to date
> MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
> /usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
> GeoIP Database up to date
>
> # geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
> GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043, 
> 37.419201, -122.057404, 807, 650
>
> I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path 
> and GeoIP Resolver as the last message processor to run. Is it correct that 
> if I append “_geolocation” to a grok pattern that is an IP this should 
> start working?
>
> Grok pattern for extractor
>
> %{CISCOFW302013_302014_302015_302016}
>
> Grok pattern
>
> CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: 
> %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection 
> %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( 
> \(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))?
>  to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( 
> \(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?(
>  duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( 
> \(%{DATA:user}\))?
>
> Test message:
>
> ASA %ASA-6-302013: Built outbound TCP connection 304484017 for 
> outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 
> (8.8.4.4/54496)
>
> When I click world map for “src_mapped_ip_geolocation” I get the pop up 
> error that says:
>
> Could not load map information Map widget is only available for fields 
> containing geo data.
>
> Thanks
>

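As an added example (not code from the thread or from Graylog), the script below mirrors the named captures of the CISCOFW302013 grok pattern with a hand-translated regular expression, parses the test message from the thread, and flags which extracted addresses are globally routable. The pattern is a simplified translation (only Built/Teardown actions); the point it demonstrates is that GeoLite City carries no entries for RFC1918 space, so a field holding 10.102.109.83 can never carry geo data whatever it is named, while the 8.8.8.8 and 8.8.4.4 fields can.

```python
import ipaddress
import re

# Simplified, hand-translated equivalent of the thread's grok pattern for
# %ASA-6-302013..302016: action/direction, protocol, connection id,
# src/dst interface:ip/port and the optional mapped "(ip/port)" groups.
ASA_302013 = re.compile(
    r"%ASA-6-3020(?:13|14|15|16): "
    r"(?P<action>Built|Teardown)(?: (?P<direction>inbound|outbound))? "
    r"(?P<protocol>\w+) connection (?P<connection_id>\d+) for "
    r"(?P<src_interface>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?: \((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\))?"
    r" to (?P<dst_interface>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: \((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\))?"
)


def parse_asa(message):
    """Return the named fields of a 302013-302016 message, or None if no match."""
    m = ASA_302013.search(message)
    return m.groupdict() if m else None


def is_geolocatable(ip):
    """Only globally routable addresses have entries in GeoLite City.
    RFC1918, loopback, link-local, multicast and reserved space never resolve."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global


def geo_candidates(message):
    """Map every *_ip field to whether a GeoIP lookup can produce a location."""
    fields = parse_asa(message)
    if fields is None:
        return {}
    return {k: is_geolocatable(v) for k, v in fields.items()
            if k.endswith("_ip") and v is not None}


# Constructed sample: the test message quoted in the thread.
SAMPLE = ("ASA %ASA-6-302013: Built outbound TCP connection 304484017 for "
          "outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 "
          "(8.8.4.4/54496)")

if __name__ == "__main__":
    for field, ok in geo_candidates(SAMPLE).items():
        print(f"{field}: {'geolocatable' if ok else 'private/reserved, no geo data'}")
```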