[graylog2] Re: Enabling geolocation

2016-10-23 Thread markham extra

Okay,

1) read this:

http://docs.graylog.org/en/2.1/pages/geolocation.html

2) make sure the message processor configuration option dialog has this 
order:
 - 1) Pipeline.
 - 2) Message filter chain...
 - 3) Geolocation...

3) check your geolocation database (graylog is compatible with 
geolocation's maxmind city)

4) make sure you have a field with just an ipv4 address without mask (field 
*ipfield* which contains: *8.8.8.8* for example)

5) wait... several minutes... an *ipfield_geolocation* will be automatically 
created containing geolocation latitude and longitude.

6) tick on it and select worldmap widget and voila!

On Friday, October 21, 2016 at 1:09:31 AM UTC+2, d3pr3cat3d wrote:
>
> Hello, I am trying to get geolocation working. 
>
> # cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> # yum -y install geoip
>
> # geoipupdate
> MD5 Digest of installed database is 4cc97d426fbd0af868ae339aa9093061
> /usr/share/GeoIP/GeoLiteCountry.dat is up to date, no updates required
> GeoIP Database up to date
> MD5 Digest of installed database is ac8d4ff284c73fd1120fb7980f8811b4
> /usr/share/GeoIP/GeoLiteCity.dat is up to date, no updates required
> GeoIP Database up to date
>
> # geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat google.com
> GeoIP City Edition, Rev 1: US, CA, California, Mountain View, 94043, 
> 37.419201, -122.057404, 807, 650
>
> I have configured /usr/share/GeoIP/GeoLiteCity.dat as the database path 
> and GeoIP Resolver as the last message processor to run. Is it correct that 
> if I append “_geolocation” to a grok pattern that is an IP this should 
> start working?
>
> Grok pattern for extractor
>
> %{CISCOFW302013_302014_302015_302016}
>
> Grok pattern
>
> CISCOFW302013_302014_302015_302016 %{CISCO_ACTION:action}(?: 
> %{CISCO_DIRECTION:direction})? %{WORD:protocol} connection 
> %{INT:connection_id} for %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port}( 
> \(%{IP:src_mapped_ip_geolocation}/%{INT:src_mapped_port}\))?(\(%{DATA:src_fwuser}\))?
>  to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}( 
> \(%{IP:dst_mapped_ip_geolocation}/%{INT:dst_mapped_port}\))?(\(%{DATA:dst_fwuser}\))?(
>  duration %{TIME:duration} bytes %{INT:bytes})?(?: %{CISCO_REASON:reason})?( 
> \(%{DATA:user}\))?
>
> Test message:
>
> ASA %ASA-6-302013: Built outbound TCP connection 304484017 for 
> outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 
> (8.8.4.4/54496)
>
> When I click world map for “src_mapped_ip_geolocation” I get the pop up 
> error that says:
>
> Could not load map information Map widget is only available for fields 
> containing geo data.
>
> Thanks
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/12d06723-d9ad-44e7-930d-a01dfa3a53e3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[graylog2] Re: Enabling geolocation

2016-10-22 Thread Jochen Schalanda
Hi,

On Friday, 21 October 2016 18:16:19 UTC+2, d3pr3cat3d wrote:
>
> Or are you saying that I should have a field named “ip_geolocation”? I 
> dont have one.
>

Yes, the map widget obviously only works with geo coordinates in the format 
"$lat, $long" which the GeoIP resolver will create from fields containing 
IP address literals (and *only* IP address literals).

On Friday, 21 October 2016 18:19:25 UTC+2, d3pr3cat3d wrote:
>
> Found this in the logs
>
> 2016-10-17T14:09:17.003-07:00 ERROR [MapDataResource] Map data query failed: 
> Invalid geo data term for field "asa_dst_ip": 8.8.8.8 (required: , 
> - example: 1.23,3.11)
>

Make sure that the GeoIP plugin has been set up correctly and that the 
GeoIP resolver extracts the geo coordinates into the correct fields (e.g. 
"asa_dst_ip_geolocation" in your case). See 
http://docs.graylog.org/en/2.1/pages/geolocation.html for details.

Cheers,
Jochen

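The checklist in the first reply and Jochen's point about the "$lat, $long" format, as an added Python simulation (not Graylog's or the GeoIP plugin's code): a regex standing in for the thread's grok pattern, a constructed lookup table (`SAMPLE_GEOIP`, invented coordinates) in place of the MaxMind city database, the resolver's rule of enriching only fields that hold a bare IPv4 literal, and the check the world map widget applies before it will draw a field.

```python
import ipaddress
import re

# Python regex standing in for the thread's CISCOFW302013_302014_302015_302016 grok
# pattern, keeping only the connection and IP fields (grok IP -> IPv4 literal).
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
ASA_CONN = re.compile(
    r"%ASA-6-30201[3-6]: (?P<action>\w+)(?: (?P<direction>inbound|outbound))? "
    r"(?P<protocol>\w+) connection (?P<connection_id>\d+) for "
    rf"(?P<src_interface>[^:]+):(?P<src_ip>{IPV4})/(?P<src_port>\d+)"
    rf"(?: \((?P<src_mapped_ip>{IPV4})/(?P<src_mapped_port>\d+)\))?"
    rf" to (?P<dst_interface>[^:]+):(?P<dst_ip>{IPV4})/(?P<dst_port>\d+)"
    rf"(?: \((?P<dst_mapped_ip>{IPV4})/(?P<dst_mapped_port>\d+)\))?"
)
# Shape the map widget demands: "lat,long" (the error message's example is 1.23,3.11).
GEO_DATA = re.compile(r"^-?\d+(?:\.\d+)?\s*,\s*-?\d+(?:\.\d+)?$")

# Constructed stand-in for the MaxMind city database; only public addresses resolve.
SAMPLE_GEOIP = {"8.8.8.8": (37.4192, -122.0574), "8.8.4.4": (37.3861, -122.0839)}

# The test message posted in the thread.
ASA_MESSAGE = ("ASA %ASA-6-302013: Built outbound TCP connection 304484017 for "
               "outside:8.8.8.8/443 (8.8.8.8/443) to inside:10.102.109.83/54496 "
               "(8.8.4.4/54496)")

def parse_asa(message):
    """Extract the grok-style fields; optional groups that did not match are dropped."""
    m = ASA_CONN.search(message)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else {}

def is_ipv4_literal(value):
    """Step 4 of the checklist: a bare IPv4 address with no mask, port or hostname."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def geolocate(fields, geoip):
    """Step 5: every IPv4-literal field with a database hit gets a <field>_geolocation
    sibling holding "lat,long"; addresses the database lacks (e.g. RFC1918) get none."""
    out = dict(fields)
    for name, value in fields.items():
        if is_ipv4_literal(value) and value in geoip:
            lat, lon = geoip[value]
            out[f"{name}_geolocation"] = f"{lat},{lon}"
    return out

def is_geo_data(value):
    """What the world map widget accepts; a raw address such as 8.8.8.8 is rejected."""
    return bool(GEO_DATA.match(value))
```

Naming a grok field `src_mapped_ip_geolocation` yourself, as the original post did, puts the raw address into the `_geolocation` field, which is exactly the value `is_geo_data` rejects and the `MapDataResource` error complains about.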


[graylog2] Re: Enabling geolocation

2016-10-21 Thread d3pr3cat3d


Thanks for the reply. But even if I remove “_geolocation” it still does not 
work.

for example:

%{IP:src_mapped_ip}

Or are you saying that I should have a field named “ip_geolocation”? I don't 
have one.

I also have another tag named “asa_src_ip” and the same pop-up error is given. 
I am making sure that I see internet IP addresses only.

Is there a debug option? If so, how do I enable it?

Also verified that the graylog user can read the geolite file:

# ls -l /usr/share/GeoIP/GeoLiteCity.dat
-rw-r--r--. 1 root root 17765572 Oct 15 16:02 /usr/share/GeoIP/GeoLiteCity.dat


[graylog2] Re: Enabling geolocation

2016-10-20 Thread Aykisn
The GeoIP resolver automatically creates the ip_geolocation field on all 
the fields that are ip addresses. You don't need to do it manually.
