Okay,

1) Read this: http://docs.graylog.org/en/2.1/pages/geolocation.html
2) Make sure the message processor configuration option dialog has this order:
   - 1) Pipeline.....
   - 2) Message filterchain...
   - 3) Geolocation...
3) Check your geolocation database (Graylog is compatible with the MaxMind city geolocation database).
4) Make sure you have a field with just an IPv4 address without a mask (a field *ipfield* which contains *8.8.8.8*, for example).
5) Wait... several minutes... An *ipfield_geolocation* field will be automatically created, containing the geolocation latitude and longitude.
6) Tick it, select the world map widget, and voilà!

On Friday, October 21, 2016 at 1:09:31 AM UTC+2, d3pr3cat3d wrote:
>
> Hello, I am trying to get geolocation working.
>
> # cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> # yum -y install geoip
>
> # geoipupdate
> MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
> /usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
> GeoIP Database up to date
> MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
> /usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
> GeoIP Database up to date
>
> # geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
> GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043,
> 37.419201, -122.057404, 807, 650
>
> I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path
> and GeoIP Resolver as the last message processor to run. Is it correct that
> if I append “_geolocation” to a grok pattern that is an IP this should
> start working?
>
> Grok pattern for extractor
>
> %{CISCOFW302013_302014_302015_302016}
>
> Grok pattern
>
> CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?:
> %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection
> %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}(
> \(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))?
> to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}(
> \(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?(
> duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?(
> \(%{DATA:user}\))?
>
> Test message:
>
> ASA %ASA-6-302013: Built outbound TCP connection 304484017 for
> outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496
> (8.8.4.4/54496)
>
> When I click world map for “src_mapped_ip_geolocation” I get the pop up
> error that says:
>
> Could not load map information Map widget is only available for fields
> containing geo data.
>
> Thanks
>
> geolocation <http://docs.graylog.org/en/2.1/pages/geolocation.html>
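
The field check from steps 4 and 5 of the reply, as an added example that is not part of the original thread or of Graylog itself: it parses the quoted test message offline and reports which extracted fields hold a bare IPv4 address and which derived `<field>_geolocation` name the reply says to expect. The regex is a simplified stand-in for the grok pattern with hypothetical plain field names, and treating non-public addresses as having no city database entry is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample: the test message quoted in the thread.
SAMPLE = (
    "ASA %ASA-6-302013: Built outbound TCP connection 304484017 for "
    "outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 "
    "(8.8.4.4/54496)"
)

# Assumption: simplified regex stand-in for the address part of the grok
# pattern, using plain field names without a "_geolocation" suffix.
ASA_RE = re.compile(
    r"for (?P<src_interface>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?: \((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\))?"
    r" to (?P<dst_interface>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: \((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\))?"
)

def extract_fields(message):
    """Return the named fields found in an ASA 302013-style message."""
    m = ASA_RE.search(message)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}

def geo_candidate(value):
    """(ok, reason): ok only for a bare, publicly routable IPv4 address."""
    if "/" in value:
        return False, "mask or port suffix present"
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False, "not a bare IPv4 address"
    if not addr.is_global:
        return False, "not publicly routable"
    return True, "ok"

def expected_geo_fields(fields):
    """Map each *_ip field to (derived field name or None, reason)."""
    report = {}
    for name, value in fields.items():
        if name.endswith("_ip"):
            ok, reason = geo_candidate(value)
            report[name] = (name + "_geolocation" if ok else None, reason)
    return report

if __name__ == "__main__":
    for field, (derived, reason) in expected_geo_fields(extract_fields(SAMPLE)).items():
        print(f"{field}: {derived or 'no geo field expected'} ({reason})")
```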
