Enable GEO Location Processor on Graylog with Maxmind docker shared volume
In my last article I set up extraction rules to improve log analysis in Graylog for pfSense firewall logs. I demonstrated a few charts that graphed things like source IP and destination port. These graphs provide valuable information at an aggregate level and are easy to build. Though this information is helpful and in many cases actionable, I wanted to leverage some of the data enrichment capabilities of Graylog. In particular, I wanted to better understand how GEO Location could be used to see where packets were terminating or originating.
If you search for articles on how to set up GEO Location, there is no shortage of them:
- https://www.graylog.org/post/how-to-set-up-graylog-geoip-configuration/
- https://www.graylog.org/post/implementing-geolocation-with-graylog-pipelines/
- https://blog.reconinfosec.com/geolocation-in-graylog
It seems as though the Geo Location processor in Graylog became a lot simpler to set up recently, as can be seen by reviewing the latest documentation. In the Enforce Graylog Schema Option section of the documentation it reads:
If Schema enforcement is disabled: all IP fields that are not reserved IP addresses will be processed and have the following fields…
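Because the processor skips reserved addresses, it is worth checking ahead of time which of the fields extracted from pfSense logs will actually receive geo data: internal-to-internal traffic (RFC 1918 space, loopback, link-local) will never get a country or city, so dashboards keyed on those fields stay empty for that traffic. The following is an added example, not code from the article or from Graylog. It assumes that "reserved" in the documentation means the IANA special-purpose ranges, which is what Python's `ipaddress` module reports as not `is_global`; the field names (`src_ip`, `dst_ip`) and sample values are constructed for illustration.

```python
"""Predict which extracted IP fields the Graylog GeoIP processor would enrich.

Added illustration, not Graylog code. "Reserved" is assumed to mean the IANA
special-purpose ranges (RFC 1918 private space, loopback, link-local,
multicast, shared address space, documentation ranges), i.e. anything the
ipaddress module reports as not globally routable.
"""
import ipaddress


def reserved_reason(value):
    """Return None if `value` is a public (globally routable) IP address,
    a short reason string if it is reserved, or "not-an-ip" if the value
    cannot be parsed as an IPv4 or IPv6 address at all."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not-an-ip"
    # Order matters: loopback and link-local are also "private" in
    # ipaddress, so test the more specific properties first.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        # Covers ranges such as 100.64.0.0/10 (shared address space).
        return "reserved"
    return None


def eligible_geo_fields(message):
    """Return the names of fields in `message` (a dict of extracted fields)
    whose string values are public IPs and would therefore be looked up
    in the MaxMind database. Non-string values (ports, counters) are
    ignored rather than coerced into addresses."""
    return [
        name for name, value in message.items()
        if isinstance(value, str) and reserved_reason(value) is None
    ]


def geo_coverage(messages):
    """Summarise a batch of extracted messages: how many would get at least
    one geo field, and why the skipped IP fields were skipped."""
    enriched = 0
    skipped = {}
    for message in messages:
        if eligible_geo_fields(message):
            enriched += 1
        for value in message.values():
            if isinstance(value, str):
                reason = reserved_reason(value)
                if reason not in (None, "not-an-ip"):
                    skipped[reason] = skipped.get(reason, 0) + 1
    return {"messages": len(messages), "enriched": enriched, "skipped": skipped}


# Constructed sample of fields as a pfSense filterlog extractor might emit
# them; the addresses are invented for this example.
SAMPLE_MESSAGES = [
    {"src_ip": "192.168.1.25", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.0.1", "dst_port": 53},
    {"src_ip": "127.0.0.1", "dst_ip": "169.254.10.1", "dst_port": 80},
    {"src_ip": "2001:4860:4860::8888", "dst_ip": "fe80::1", "dst_port": 443},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg, "->", eligible_geo_fields(msg))
    print(geo_coverage(SAMPLE_MESSAGES))
```

Running this over a sample of your own extracted messages before enabling the processor tells you whether the dashboards you plan to build will have data to show; a feed that is mostly LAN-to-LAN traffic will report a low `enriched` count no matter how the MaxMind database is mounted.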