GeoIP Data Adapter

The GeoIP data adapter reads MaxMind and IPinfo geolocation databases so that Graylog can extract and visualize geolocation information for the IP addresses in your logs.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Hint: MaxMind recommends running its geoipupdate tool from a cron job so the database file is refreshed automatically rather than by hand.

Configure the Data Adapter

You can create a data adapter during the lookup table creation workflow, or create it separately on the Data Adapters tab. The following configuration options are available for this data adapter:

Title

A short and unique title for this data adapter.

Description

Data adapter description.

Name

The name used to refer to this data adapter. This should be something unique and recognizable within your Graylog environment.

Custom Error TTL

Specifies the time to live (TTL), in seconds, for which an error result from a lookup is cached before the lookup is retried. Enter a value such as 3600 for one hour, depending on your logging and troubleshooting needs.

File path

The path to the MaxMind or IPinfo database file. The file must exist at this path on every Graylog server node, and it should be refreshed regularly (for example with MaxMind's geoipupdate tool) so that lookups do not run against stale data.

Database Type

Select the type of database the file contains; it must match the file at the configured path:

  • ASN Database (commonly used, available for free with signup).

  • City Database (commonly used, available for free with signup).

  • Country Database.

  • IPinfo location database (similar to the MaxMind City Database, but from IPinfo).

  • IPinfo ASN database (similar to the MaxMind ASN Database, but from IPinfo).

Refresh file

If enabled, the adapter checks the database file for modifications and reloads it when it changes on disk, so a file replaced by geoipupdate is picked up without restarting the adapter.
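The adapter silently serves whatever is at the configured path, so a node where the file is missing, truncated or months out of date degrades lookups without an obvious error. The following check, an added example that is not part of Graylog or MaxMind, is meant to run on each node after geoipupdate and before relying on "Refresh file"; the path, the expected database type and the 30-day limit are assumptions for illustration. The one format fact it relies on is from the MaxMind DB spec: the metadata section starts with the marker b"\xab\xcd\xefMaxMind.com" located in the last 128 KiB of the file.

```python
"""Check that a .mmdb file on a Graylog node is present, structurally plausible and fresh.

Added example, not Graylog or MaxMind code. Path, expected type and age limit are assumptions.
"""
import os
import tempfile
import time

MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
MARKER_SEARCH_WINDOW = 128 * 1024  # spec: the marker is searched for in the final 128 KiB


def check_mmdb(path, expected_type=None, max_age_days=30, now=None):
    """Return a list of problems; an empty list means the file looks usable."""
    if not os.path.isfile(path):
        return [f"{path}: missing on this node (the adapter needs it on every node)"]
    problems = []
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - MARKER_SEARCH_WINDOW))
        tail = fh.read()
    idx = tail.rfind(MMDB_METADATA_MARKER)
    if idx < 0:
        problems.append(f"{path}: no MaxMind metadata marker found, not a valid .mmdb")
    elif expected_type and expected_type.encode() not in tail[idx:]:
        # Crude but useful: the metadata map names the database type (e.g. "GeoLite2-City"),
        # and binding a Country file to a City adapter breaks city lookups without an error.
        problems.append(f"{path}: metadata does not name database type {expected_type!r}")
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(path)) / 86400
    if age_days > max_age_days:
        problems.append(f"{path}: {age_days:.0f} days old, older than {max_age_days}; run geoipupdate")
    return problems


def run_demo():
    """Exercise check_mmdb on constructed files (not real databases) and return the findings."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "GeoLite2-City.mmdb")
    with open(good, "wb") as fh:
        # Constructed tail: padding, the spec marker, then a metadata fragment naming the type.
        fh.write(b"\x00" * 4096 + MMDB_METADATA_MARKER + b"database_typeGeoLite2-City")
    bogus = os.path.join(d, "bogus.mmdb")
    with open(bogus, "wb") as fh:
        fh.write(b"this is not a MaxMind database")
    return {
        "good": check_mmdb(good, expected_type="GeoLite2-City"),
        "wrong_type": check_mmdb(good, expected_type="GeoLite2-Country"),
        "bogus": check_mmdb(bogus),
        "missing": check_mmdb(os.path.join(d, "absent.mmdb")),
        "stale": check_mmdb(good, now=time.time() + 60 * 86400),
    }


if __name__ == "__main__":
    # Hypothetical path; on a real node pass the File path configured in the adapter.
    for name, found in run_demo().items():
        print(name, "->", found or ["ok"])
```

On a real node call check_mmdb with the adapter's File path and exit non-zero from the cron wrapper when it returns anything, so a failed or forgotten update is noticed before the adapter reloads a bad file.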

Example GeoIP Pipeline Rule

This rule enriches messages by performing a GeoIP lookup on the query_response_ip field. It adds location-based details (coordinates, country code, country name and city name) using data from a lookup table named geoip-city that is backed by this adapter with a City database. Addresses that are not in the database, such as private RFC 1918 ranges, produce no result, so a rule used in production should check that the lookup returned a value before reading nested keys from it.

rule "PARSE query_response_ip GEO"
when
  has_field("query_response_ip")
then
  // Look up the address in the geoip-city lookup table; the result is a nested map.
  let geo = lookup("geoip-city", to_string($message.query_response_ip));

  // Copy the parts of the City record we want into flat message fields.
  set_field("query_response_geolocation", geo["coordinates"]);
  set_field("query_response_geo_country_code", geo["country"].iso_code);
  set_field("query_response_geo_country_name", geo["country"].names.en);
  set_field("query_response_geo_city_name", geo["city"].names.en);
end
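To see what the rule does at the boundaries, the same enrichment is re-expressed below in Python as an added example that is not Graylog code: the geoip-city lookup table is replaced by a constructed dict shaped like the City record the rule reads (coordinates, country.iso_code, country.names.en, city.names.en), the addresses and locations in it are made up, and the field names mirror the rule. Unlike the rule it skips non-global addresses, tolerates a record without city data and leaves the message untouched when there is no record.

```python
"""Enrichment of the pipeline rule above with its edge cases handled.

Added example, not Graylog code. The lookup table and its contents are constructed.
"""
import ipaddress

# Constructed stand-in for the "geoip-city" lookup table: arbitrary public addresses
# with made-up locations. Real results come from the data adapter.
FAKE_GEOIP_CITY = {
    "1.2.3.4": {
        "coordinates": "51.5074,-0.1278",
        "country": {"iso_code": "GB", "names": {"en": "United Kingdom"}},
        "city": {"names": {"en": "London"}},
    },
    "5.6.7.8": {  # country-level record with no city data
        "coordinates": "46.2276,2.2137",
        "country": {"iso_code": "FR", "names": {"en": "France"}},
    },
}


def lookup_geoip_city(ip):
    """Return the nested map the adapter would return, or None when the IP is not in the database."""
    return FAKE_GEOIP_CITY.get(ip)


def enrich(message, field="query_response_ip", lookup=lookup_geoip_city):
    """Set the same four fields as the rule, but only where a value actually exists."""
    if field not in message:
        return message
    try:
        addr = ipaddress.ip_address(str(message[field]))
    except ValueError:
        return message  # hostname or garbage in the field: nothing to look up
    # Private, loopback, link-local and documentation ranges are absent from GeoIP databases.
    if not addr.is_global:
        return message
    geo = lookup(str(addr))
    if not geo:
        return message  # no record: do not create empty fields

    prefix = field[:-3] if field.endswith("_ip") else field
    if "coordinates" in geo:
        message[f"{prefix}_geolocation"] = geo["coordinates"]
    country = geo.get("country") or {}
    if "iso_code" in country:
        message[f"{prefix}_geo_country_code"] = country["iso_code"]
    if "en" in country.get("names", {}):
        message[f"{prefix}_geo_country_name"] = country["names"]["en"]
    city = geo.get("city") or {}
    if "en" in city.get("names", {}):
        message[f"{prefix}_geo_city_name"] = city["names"]["en"]
    return message


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "10.0.0.5", "192.0.2.1", "not-an-ip"):
        print(enrich({"query_response_ip": ip}))
```

The is_global check is the part worth carrying back into the pipeline rule: DNS responder logs routinely contain RFC 1918 and documentation-range addresses, and skipping them avoids both wasted lookups and rules that abort on an empty result.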

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: