Okay,

1) Read this: http://docs.graylog.org/en/2.1/pages/geolocation.html
2) Make sure the message processor configuration option dialog has this order:
   - 1) Pipeline.....
   - 2) Message filterchain...
   - 3) Geolocation...
3) Check your geolocation database (Graylog is compatible with the MaxMind city geolocation database)
4) Make sure you have a field with just an IPv4 address without a mask (a field *ipfield* which contains *8.8.8.8*, for example)
5) Wait several minutes... an *ipfield_geolocation* field will be automatically created, containing the geolocation latitude and longitude.
6) Tick on it and select the world map widget, and voila!

On Friday, October 21, 2016 at 1:09:31 AM UTC+2, d3pr3cat3d wrote:
>
> Hello, I am trying to get geolocation working.
>
> # cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> # yum -y install geoip
>
> # geoipupdate
> MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
> /usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
> GeoIP Database up to date
> MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
> /usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
> GeoIP Database up to date
>
> # geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
> GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043, 37.419201, -122.057404, 807, 650
>
> I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path
> and GeoIP Resolver as the last message processor to run. Is it correct that
> if I append "_geolocation" to a grok pattern that is an IP this should
> start working?
>
> Grok pattern for extractor
>
> %{CISCOFW302013_302014_302015_302016}
>
> Grok pattern
>
> CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( \(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))? to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( \(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?( duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( \(%{DATA:user}\))?
>
> Test message:
>
> ASA %ASA-6-302013: Built outbound TCP connection 304484017 for outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 (8.8.4.4/54496)
>
> When I click world map for "src_mapped_ip_geolocation" I get the pop up
> error that says:
>
> Could not load map information Map widget is only available for fields
> containing geo data.
>
> Thanks
>
> geolocation <http://docs.graylog.org/en/2.1/pages/geolocation.html>
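
Added example, not part of the thread and not Graylog code: a Python check of step 4 above (each field must hold a bare IPv4 address), run on the test message from the original post. The regex is a simplified stand-in for the address part of the grok pattern; the field names without a suffix (src_ip, src_mapped_ip, dst_ip, dst_mapped_ip) and the status labels are assumptions.

```python
import ipaddress
import re

# Test message from the thread, with the mail client's line wraps joined.
ASA_SAMPLE = ("ASA %ASA-6-302013: Built outbound TCP connection 304484017 for "
              "outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 "
              "(8.8.4.4/54496)")

# Simplified stand-in for the address part of the grok pattern (assumption:
# plain field names; this is a Python regex, not Graylog's grok engine).
ASA_RE = re.compile(
    r"for (?P<src_interface>\S+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?: \((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\))?"
    r" to (?P<dst_interface>\S+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: \((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\))?")

IP_FIELDS = ("src_ip", "src_mapped_ip", "dst_ip", "dst_mapped_ip")


def geo_status(value):
    """Classify one field value against step 4 of the reply."""
    if value is None:
        return "missing"
    try:
        addr = ipaddress.IPv4Address(value)  # rejects masks, ports, hostnames
    except ValueError:
        return "not-bare-ipv4"
    # Private and reserved ranges have no entry in a public city database.
    return "lookup-ok" if addr.is_global else "non-public"


def check_message(message):
    """Return {field: (value, status)} for every IP field in one ASA line."""
    m = ASA_RE.search(message)
    if m is None:
        return {}
    return {f: (m.group(f), geo_status(m.group(f))) for f in IP_FIELDS}


if __name__ == "__main__":
    for field, (value, status) in check_message(ASA_SAMPLE).items():
        print(f"{field:15} {value!s:15} {status}")
```

On the sample, dst_ip (10.102.109.83) is a private address, so no map point should be expected for it even when the processor order and database path are correct.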