Nginx logs to Graylog, GeoIP tags

05 Oct 2021

So finally it’s time for geo-tagging the IP addresses. This is a must, because we need the awesome world map so we can watch where all the requests come from.

Maxmind Geolite2 free database

Before we can get any geo tags on our messages, we need a database that maps an IP address to a location in the world. Due to licensing (I think it was), the geo-mapping database cannot be shipped with Graylog, so we need to download it ourselves.

First we need to create an account over at Maxmind.com and then find our way through their website to create a licence key and download the GeoLite2-City.mmdb.

Docker-compose changes

Then we need to place the database at /etc/graylog/server/GeoLite2-City.mmdb inside the Graylog docker container.

I have saved my file in /srv/graylog/maxmind/, so I have to map this path into the container at /etc/graylog/server/, like this:

version: '3'

services:
  ...

  graylog:
    ...
    volumes:
      ...
      - /srv/graylog/maxmind:/etc/graylog/server # GeoIP mapping DB

Graylog configuration

In the Graylog web GUI we may need to change some things. I know there are lots of guides out there that tell you to create a pipeline to geo-tag your messages. I have not created any pipeline to geo-tag my messages; all fields where there is an IP address are geo-tagged for me.

Make sure the Geo-location processor is enabled under System -> Configuration.

While you are there, verify the path to the GeoIP database.
Change the processing order if needed, and make sure Geo-location is enabled.
This is all I have done to get geo-location working for my messages.

For every field in which Graylog finds an (external?) IP address, it adds the extra fields <fieldname>_geolocation, <fieldname>_country_code and <fieldname>_city_name.
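To make that field naming concrete, here is an added Python example (my own code, not Graylog's) that performs the same kind of enrichment over a constructed nginx message, using an in-memory lookup table in place of GeoLite2-City.mmdb. Skipping RFC 1918, loopback and link-local addresses before the lookup is my own choice for a resolver, since internal addresses have no meaningful location and would only clutter the map; whether Graylog's processor skips exactly these ranges is not something this post establishes. The maxmind_lookup_factory function shows how the real database would be plugged in through the geoip2 package.

```python
"""Geo-enrichment of IP-valued fields, modelled on the <field>_geolocation,
<field>_country_code and <field>_city_name convention the post describes.

Added example, not Graylog code. FAKE_GEO_DB and SAMPLE_MESSAGE are
constructed for illustration; Graylog reads GeoLite2-City.mmdb instead.
"""
import ipaddress
from typing import Callable, Optional, Tuple

GeoRecord = Tuple[float, float, str, str]  # latitude, longitude, country_code, city_name

# Constructed stand-in for GeoLite2-City answers (addresses are from the
# RFC 5737 documentation ranges; the locations are invented).
FAKE_GEO_DB = {
    "203.0.113.10": (59.33, 18.07, "SE", "Stockholm"),
    "198.51.100.7": (37.77, -122.42, "US", "San Francisco"),
}

# Address ranges a resolver should never send to the geo database:
# they carry no location and would only add noise to the world map.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # IPv4 loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_routable(value: str) -> bool:
    """True if value parses as an IP address worth looking up."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # not an IP at all (request line, status code, ...)
        return False
    if addr.is_multicast or addr.is_unspecified:
        return False
    # Membership across IPv4/IPv6 families is simply False, so mixing is safe.
    return not any(addr in net for net in NON_ROUTABLE)


def fake_lookup(ip: str) -> Optional[GeoRecord]:
    """Lookup against the constructed table; None when the address is unknown."""
    return FAKE_GEO_DB.get(ip)


def maxmind_lookup_factory(mmdb_path: str) -> Callable[[str], Optional[GeoRecord]]:
    """Build a lookup over a real GeoLite2-City.mmdb using the geoip2 package
    (pip install geoip2). Not exercised in this example; shown for swapping in."""
    import geoip2.database
    import geoip2.errors

    reader = geoip2.database.Reader(mmdb_path)

    def lookup(ip: str) -> Optional[GeoRecord]:
        try:
            r = reader.city(ip)
        except geoip2.errors.AddressNotFoundError:
            return None
        return (r.location.latitude, r.location.longitude,
                r.country.iso_code, r.city.name)

    return lookup


def enrich(message: dict, lookup: Callable[[str], Optional[GeoRecord]] = fake_lookup) -> dict:
    """Return a copy of message with geo fields added beside every routable IP field."""
    out = dict(message)
    for field, value in message.items():
        if not isinstance(value, str) or not is_routable(value):
            continue
        rec = lookup(value)
        if rec is None:
            continue
        lat, lon, country_code, city_name = rec
        out[f"{field}_geolocation"] = f"{lat},{lon}"   # "lat,lon" string, as one value per point
        out[f"{field}_country_code"] = country_code
        out[f"{field}_city_name"] = city_name
    return out


# Constructed message, as a parsed nginx access-log line might arrive in Graylog.
SAMPLE_MESSAGE = {
    "source": "nginx",
    "remote_addr": "203.0.113.10",
    "x_forwarded_for": "10.0.0.5",        # internal address: must not be looked up
    "request": "GET /index.html HTTP/1.1",
    "status": "200",
}

if __name__ == "__main__":
    for key, val in enrich(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Running the block prints the enriched message: remote_addr gains its three geo fields, while x_forwarded_for, which holds an internal address, is left untouched.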

Now, finally, we can create a world map

Wait until you get some new messages with the new GeoIP fields. Then go to Search and click a message with an external IP to expand it.

Now click Show top values and a new search widget will be added.
Click the down arrow in the top right corner and select Edit.
Change the Visualization for the chart to World Map.
Then click Update Preview and it will show the world map with circles for each position it has found.
Now click Apply Changes to update the search widget.
This is really nice, but if you leave this page and then come back to Search, our fancy new world-map search widget is gone.

Add our search widget to a Dashboard

To add a search widget to a dashboard, click the down arrow in the top right corner, select Copy to Dashboard, and pick your dashboard in the popup list. The widget is now saved in your dashboard, where it can be modified in the dashboard settings.

To change the title, just double-click the title text.