Re: [graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread Micha -


Hi Edmundo,

The hint with the configuration made it, changed it and now it seems to 
work :)

Thank you so far :)

On Friday, 1 April 2016 14:40:38 UTC+2, Micha - wrote:
>
> Sure :)
>
> Is unchanged I think on my other manual installation with more or less 
> Productive Traffic it looks same. But here a screenshot from the VM:
>

Re: [graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread Micha -



Sure :)

Is unchanged I think on my other manual installation with more or less 
Productive Traffic it looks same. But here a screenshot from the VM:

On Friday, 1 April 2016 14:31:50 UTC+2, Edmundo Alvarez wrote:
>
> It looks like it's running before extractors in your Graylog instance. 
> Could you please share with us your "Message Processors Configuration" in 
> System -> Configurations? 
>
> Edmundo 
>

Re: [graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread Edmundo Alvarez
It looks like it's running before extractors in your Graylog instance. Could 
you please share with us your "Message Processors Configuration" in System -> 
Configurations?

Edmundo

> On 01 Apr 2016, at 13:36, Micha -  wrote:
> 
> Hi Edmundo,
> 
> Thanks for your reply - but then I guess should work since I have already an 
> extractor and a field (client_ip) with only the IP Address - but it doesn't. 
> 
> Seems still to me like it only resolves the sender Address, hmrpf  
> 

Re: [graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread Micha -


Hi Edmundo,

Thanks for your reply - but then I guess should work since I have already 
an extractor and a field (client_ip) with only the IP Address - but it 
doesn't. 

Seems still to me like it only resolves the sender Address, hmrpf  

On Friday, 1 April 2016 13:10:19 UTC+2, Edmundo Alvarez wrote:
>
> Hi Michael, 
>
> The Geo-location resolver looks for IPs in all fields that _only_ contain 
> an IP address. That means, you need to extract the IP to its own field 
> (using an extractor or sending logs with something like GELF), to make the 
> geo-location work. 
>
> The description text is unfortunately outdated, but will take care of 
> fixing it for the next release. 
>
> I hope that helps. 
>
> Regards, 
> Edmundo 
>

Re: [graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread Edmundo Alvarez
Hi Michael,

The Geo-location resolver looks for IPs in all fields that _only_ contain an IP 
address. That means, you need to extract the IP to its own field (using an 
extractor or sending logs with something like GELF), to make the geo-location 
work.

The description text is unfortunately outdated, but will take care of fixing it 
for the next release.

I hope that helps.

Regards,
Edmundo

> On 01 Apr 2016, at 09:55, michael.e...@wuerth-it.com wrote:
> 
> Hi,
> 
> Maybe I missed something somewhere, but it looks to me like Geo-Location 
> Processor only tries to resolve the sender address of the message, and not 
> any fields like stated in the description 
> 
>  "scans all fields of every message for IPv4 addresses"
> 
> 
> On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under 
> configuration and added the DB file from Maxmind.
> 
> Graylog Settings:
> 
> Geo-Location Processor
> 
> If enabled, the GeoIP processor plugin scans all fields of every message for 
> IPv4 addresses and puts the location information into a field named 
> fieldname_geolocation where "fieldname" is the name of the field in which an 
> IP address has been found.
> 
> Enabled: yes
> Database type:  City database
> Database path: /etc/graylog/GeoLite2-City.mmdb
> 
> root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb
> -rw-rw-r-- 1 root root 36745923 Mar 29 08:05 /etc/graylog/GeoLite2-City.mmdb
> 
> 
> when I send a sample msg line into Graylog:
> root@graylog-beta:~# echo '8.8.8.8 - test message' |  ncat -w1 -u 127.0.0.1 51
> 
> With Subsystem Indexer Logging set to Debug I get this:
> 2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: 
> org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location 
> from IP 127.0.0.1
> 2016-04-01_07:21:22.17079 
> com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 
> is not in the database.
> 2016-04-01_07:21:22.17149   at 
> com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) 
> ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> 2016-04-01_07:21:22.17230   at 
> com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) 
> ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> 2016-04-01_07:21:22.17284   at 
> org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100)
>  [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> 2016-04-01_07:21:22.17429   at 
> org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74)
>  [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> 2016-04-01_07:21:22.17572   at 
> org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79)
>  [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
> 2016-04-01_07:21:22.17587   at 
> org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56)
>  [graylog.jar:?]
> 2016-04-01_07:21:22.17656   at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82)
>  [graylog.jar:?]
> 2016-04-01_07:21:22.18244   at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61)
>  [graylog.jar:?]
> 2016-04-01_07:21:22.18651   at 
> org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35)
>  [graylog.jar:?]
> 2016-04-01_07:21:22.18660   at 
> com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
> 2016-04-01_07:21:22.18663   at 
> com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66)
>  [graylog.jar:?]
> 2016-04-01_07:21:22.18665   at java.lang.Thread.run(Thread.java:745) 
> [?:1.8.0_74]
> 
> Regards
> Micha
> 
> 

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/D3C08C25-0D78-4C47-8533-4790B4CCD2C9%40graylog.com.
For more options, visit https://groups.google.com/d/optout.
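
The behaviour discussed in this thread, as an added example: a simplified Python model, not Graylog's code and not part of any message here. It shows that a resolver which only looks at fields containing nothing but an IP address never sees `client_ip` when it runs before the extractor. The stage functions, the audit helper and the one-entry lookup table with made-up coordinates are assumptions for illustration.

```python
"""Simplified model (added example, not Graylog code) of how message-processor
order decides whether a geo-location lookup ever sees the extracted IP field."""
import ipaddress
import re

# Constructed stand-in for the MaxMind City database: one entry, made-up coordinates.
GEO_DB = {"8.8.8.8": "37.751,-97.822"}

LEADING_IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\b")


def extractor_stage(msg):
    """Copy a leading IPv4 address out of `message` into its own `client_ip` field."""
    out = dict(msg)
    m = LEADING_IPV4.match(out.get("message", ""))
    if m:
        out["client_ip"] = m.group(1)
    return out


def is_bare_ip(value):
    """True only if the whole field value is an IP address and nothing else."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def geoip_stage(msg):
    """Add <field>_geolocation for every field that contains only an IP address."""
    out = dict(msg)
    for field, value in msg.items():
        if field.endswith("_geolocation") or not is_bare_ip(value):
            continue
        location = GEO_DB.get(value.strip())  # loopback addresses miss, as in the log
        if location is not None:
            out[field + "_geolocation"] = location
    return out


def run_chain(msg, stages):
    """Apply the stages in the given order, like an ordered processor list."""
    for stage in stages:
        msg = stage(msg)
    return msg


def unresolved_ip_fields(msg):
    """Audit helper: bare-IP fields that ended up without a *_geolocation sibling."""
    return sorted(
        f for f, v in msg.items()
        if is_bare_ip(v) and not f.endswith("_geolocation")
        and f + "_geolocation" not in msg
    )


# Constructed message matching the thread's test: sent from localhost over UDP.
RAW = {"source": "127.0.0.1", "message": "8.8.8.8 - test message"}

GEO_FIRST = run_chain(RAW, [geoip_stage, extractor_stage])
EXTRACT_FIRST = run_chain(RAW, [extractor_stage, geoip_stage])

if __name__ == "__main__":
    for name, result in (("geo first", GEO_FIRST), ("extractor first", EXTRACT_FIRST)):
        print(name, result, "unresolved:", unresolved_ip_fields(result))
```

With the geo stage first, `client_ip` exists in the final message but has no `client_ip_geolocation`; the same gap check can be run over stored messages to spot enrichment that silently never happened.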


[graylog2] Geo-Location Processor only resolves msg source address ?

2016-04-01 Thread michael . eich
Hi,

Maybe I missed something somewhere, but it looks to me like Geo-Location 
Processor only tries to resolve the sender address of the message, and not 
any fields like stated in the description 

 "scans all fields of every message for IPv4 addresses" 


On a graylog-beta-2.0.0-beta.1-1.ova I just enabled the Plugin under 
configuration and added the DB file from Maxmind.

Graylog Settings:

Geo-Location Processor

If enabled, the GeoIP processor plugin scans all fields of every message for 
IPv4 addresses and puts the location information into a field named 
fieldname_geolocation where "fieldname" is the name of the field in which 
an IP address has been found.

Enabled: yes
Database type:  City database
Database path: /etc/graylog/GeoLite2-City.mmdb

root@graylog-beta:~# ll /etc/graylog/GeoLite2-City.mmdb
-rw-rw-r-- 1 root root 36745923 Mar 29 08:05 /etc/graylog/GeoLite2-City.mmdb


when I send a sample msg line into Graylog:
root@graylog-beta:~# echo '8.8.8.8 - test message' |  ncat -w1 -u 127.0.0.1 51

With Subsystem Indexer Logging set to Debug I get this:
2016-04-01_07:21:22.17052 2016-04-01 07:21:22,159 DEBUG: org.graylog.plugins.map.geoip.GeoIpResolverEngine - Could not get location from IP 127.0.0.1
2016-04-01_07:21:22.17079 com.maxmind.geoip2.exception.AddressNotFoundException: The address 127.0.0.1 is not in the database.
2016-04-01_07:21:22.17149   at com.maxmind.geoip2.DatabaseReader.get(DatabaseReader.java:161) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17230   at com.maxmind.geoip2.DatabaseReader.city(DatabaseReader.java:217) ~[graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17284   at org.graylog.plugins.map.geoip.GeoIpResolverEngine.extractGeoLocationInformation(GeoIpResolverEngine.java:100) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17429   at org.graylog.plugins.map.geoip.GeoIpResolverEngine.filter(GeoIpResolverEngine.java:74) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17572   at org.graylog.plugins.map.geoip.processor.GeoIpProcessor.process(GeoIpProcessor.java:79) [graylog-plugin-map-widget-1.0.0-beta.1.jar:?]
2016-04-01_07:21:22.17587   at org.graylog2.buffers.processors.ServerProcessBufferProcessor.handleMessage(ServerProcessBufferProcessor.java:56) [graylog.jar:?]
2016-04-01_07:21:22.17656   at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:82) [graylog.jar:?]
2016-04-01_07:21:22.18244   at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:61) [graylog.jar:?]
2016-04-01_07:21:22.18651   at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:35) [graylog.jar:?]
2016-04-01_07:21:22.18660   at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:139) [graylog.jar:?]
2016-04-01_07:21:22.18663   at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
2016-04-01_07:21:22.18665   at java.lang.Thread.run(Thread.java:745) [?:1.8.0_74]

Regards
Micha
