Using the GeoIP2 parser

Declaration:

   parser parser_name {
        geoip2(
            <macro-containing-the-IP-address-to-lookup>
            prefix()
            database("<path-to-geoip2-database-file>")
        );
    };

In the following example, AxoSyslog retrieves the GeoIP2 data of the IP address contained in the ${HOST} field of the incoming message (assuming that in this case the ${HOST} field contains an IP address), and includes the data (prefixed with the geoip2 string) in the output JSON message.

   @version: 3.11
    
    # Global options for this example.
    # keep-hostname(yes) keeps the hostname found in the incoming message as
    # ${HOST} instead of rewriting it. The geoip2() parser in this example
    # looks up ${HOST}, so the lookup key comes from message content that the
    # sender controls. Treat the resulting location data as a claim made by
    # the message, not as a verified property of the peer that delivered it.
    options {
        keep-hostname(yes);
    };
    
    # Reads the incoming messages from the file /tmp/input.
    # NOTE(review): /tmp is typically writable by every local user; outside of
    # a demo, read from a path that only trusted accounts can write to.
    source s_file {
        file("/tmp/input");
    };
    
    # Looks up the value of ${HOST} in the GeoIP2 database and stores the
    # result in name-value pairs whose names start with the "geoip2." prefix.
    # This only makes sense when ${HOST} holds an IP address, as the text
    # above assumes.
    # NOTE(review): the geoip2() parser expects a MaxMind DB (usually *.mmdb)
    # file, while the ".dat" name below resembles the legacy GeoIP naming -
    # confirm the file at this path is in the GeoIP2 format.
    parser p_geoip2 {
        geoip2(
            "${HOST}",
            prefix( "geoip2." )
            database( "/usr/share/GeoIP2/GeoLiteCity.dat" )
        );
    };
    
    # Writes each message to /tmp/output using the syslog-protocol flag.
    # The message body is a JSON object built by format-json from the "core"
    # scope plus every name-value pair matching geoip2* (the parser's prefix),
    # followed by a newline.
    # NOTE(review): the output combines host identifiers with location data;
    # outside of a demo, write it to a file with restricted permissions
    # rather than to a shared directory such as /tmp.
    destination d_file {
        file(
            "/tmp/output"
            flags(syslog-protocol)
            template("$(format-json --scope core --key geoip2*)\n")
        );
    };
    
    
    # Log path: messages read by s_file are enriched by p_geoip2 and then
    # written out by d_file.
    log {
        source(s_file);
        parser(p_geoip2);
        destination(d_file);
    };

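For example, for the input message `<38>2017-05-24T13:09:46 192.168.1.1 prg00000[1234]: test message`, the output will look like the following. Note that 192.168.1.1 is a private (RFC 1918) address, which public GeoIP2 databases normally do not cover, so treat the location values below as illustrative.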

   <38>1 2017-05-24T13:09:46+02:00 192.168.1.1 prg00000 1234 - [meta sequenceId="3"] {"geoip2":{"subdivisions":{"0":{"names":{"en":"Budapest"},"iso_code":"BU","geoname_id":"3054638"}},"registered_country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"postal":{"code":"1063"},"location":{"time_zone":"Europe/Budapest","longitude":"19.070200","latitude":"47.510200","accuracy_radius":"5"},"country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"continent":{"names":{"en":"Europe"},"geoname_id":"6255148","code":"EU"},"city":{"names":{"en":"Budapest"},"geoname_id":"3054643"}},"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"test message","HOST":"192.168.1.1","FACILITY":"auth","DATE":"May 24 13:09:46"}