Hi, Maybe I missed something, but it looks to me the Geo-Location Processor only tries to resolve the sender address of the message, and not any fields.
On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under configuration and added the DB file from Maxmind. Graylog Settings: Geo-Location Processor If enabled, the GeoIP processor plugin scans all fields of every message for IPv4 addresses and puts the location information into a field named fieldname_geolocation where "fieldname" is the name of the field in which an IP address has been found. Enabled:yes Database type: City database Database path: /etc/graylog/GeoLite2-City.mmdb then i send just an sample msg line into Graylog: root@graylog-beta:~# echo '8.8.8.8 - test message' | ncat -w1 -u 127.0.0.1 514 With Subystem Indexer Logging set to Debug i get this: 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins .map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1 2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception. AddressNotFoundException: The address 127.0.0.1 is not in the database. 2016-04-01_07:21:22.17149 at com.maxmind.geoip2.DatabaseReader.get( DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?] 2016-04-01_07:21:22.17230 at com.maxmind.geoip2.DatabaseReader.city( DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?] 2016-04-01_07:21:22.17284 at org.graylog.plugins.map.geoip. GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java: 100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?] 2016-04-01_07:21:22.17429 at org.graylog.plugins.map.geoip. GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map- widget-1.0.0-beta.1.jar:?] 2016-04-01_07:21:22.17572 at org.graylog.plugins.map.geoip.processor. GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget- 1.0.0-beta.1.jar:?] 2016-04-01_07:21:22.17587 at org.graylog2.buffers.processors. ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java :56) [graylog.jar:?] 2016-04-01_07:21:22.17656 at org.graylog2.shared.buffers.processors. ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [ graylog.jar:?] 2016-04-01_07:21:22.18244 at org.graylog2.shared.buffers.processors. ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar :?] 2016-04-01_07:21:22.18651 at org.graylog2.shared.buffers.processors. ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar :?] 2016-04-01_07:21:22.18660 at com.lmax.disruptor.WorkProcessor.run( WorkProcessor.java:139) [graylog.jar:?] 2016-04-01_07:21:22.18663 at com.codahale.metrics. InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory .java:66) [graylog.jar:?] 2016-04-01_07:21:22.18665 at java.lang.Thread.run(Thread.java:745) [?: 1.8.0_74] -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/fe0b0719-0821-4bca-a1f2-366b3ba7cbc6%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.