rsyslog

The rocket-fast system for log processing


MaxMind/GeoIP DB lookup (mmdblookup)

Module Name: mmdblookup
Author: chenryn
Available: 8.24+

Purpose

MaxMindDB is the new file format for storing information about IP addresses in a highly optimized, flexible database format. GeoIP2 Databases are available in the MaxMind DB format.

The plugin author claimed a speedup of around 4 to 6 times for MaxMindDB over GeoIP.

How to build the module

To compile Rsyslog with mmdblookup you’ll need to:

  • install the libmaxminddb-devel package
  • pass --enable-mmdblookup to configure

Configuration Parameters

Note

Parameter names are case-insensitive.

Module Parameters

container

type    default        mandatory    obsolete legacy directive
word    !iplocation    no           none

New in version 8.28.0.

Specifies the container used to store the fields amended by mmdblookup.

Input Parameters

key

type    default    mandatory    obsolete legacy directive
word    none       yes          none

Name of the field containing the IP address.

mmdbfile

type    default    mandatory    obsolete legacy directive
word    none       yes          none

Location of the MaxMind DB file.

fields

type     default    mandatory    obsolete legacy directive
array    none       yes          none

Fields that will be appended to the processed message. The fields are always appended in the container used by mmdblookup (which may be overridden by the “container” parameter on module load).

By default, the MaxMind DB field name is used for variables. This can be overridden by specifying a custom name between colons at the beginning of the field name. As usual, bang signs denote path levels. So for example, if you want to extract “!city!names!en” but rename it to “cityname”, you can use “:cityname:!city!names!en” as field name.

Examples

Minimum configuration

This example shows the minimum configuration.

# load module
module( load="mmdblookup" )

action( type="mmdblookup" mmdbfile="/etc/rsyslog.d/GeoLite2-City.mmdb"
             fields=["!continent!code","!location"] key="!clientip" )

Custom container and field name

The following example uses a custom container and custom field names.

# load module
module( load="mmdblookup" container="!geo_ip")

action( type="mmdblookup" mmdbfile="/etc/rsyslog.d/GeoLite2-City.mmdb"
             fields=[":continent:!continent!code", ":loc:!location"]
             key="!clientip")
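Using the enriched fields downstream, as an added example that is not part of the original rsyslog documentation. It assumes the sender address ($fromhost-ip) is the IP to look up and that renamed fields are reachable as container plus custom name, as described under “fields”; the template name geo_json and the output path are hypothetical.

```rsyslog
# Added example (not from the rsyslog project): enrich each message with
# GeoIP data and write one JSON object per line for later analysis.
module( load="mmdblookup" container="!geo_ip" )

# Assumption: the sending host is the address of interest. Copy it into
# the message variable that mmdblookup reads through key=.
set $!clientip = $fromhost-ip;

action( type="mmdblookup" mmdbfile="/etc/rsyslog.d/GeoLite2-City.mmdb"
             fields=[":continent:!continent!code", ":cityname:!city!names!en"]
             key="!clientip" )

# The renamed fields now live under the custom container:
#   $!geo_ip!continent   and   $!geo_ip!cityname
# Addresses not present in the database (for example private ranges)
# add no fields, so the two geo properties render as empty strings.
template( name="geo_json" type="list" ) {
    constant( value="{" )
    property( name="timereported" dateFormat="rfc3339" format="jsonf" outname="ts" )
    constant( value="," )
    property( name="$!clientip" format="jsonf" outname="clientip" )
    constant( value="," )
    property( name="$!geo_ip!continent" format="jsonf" outname="continent" )
    constant( value="," )
    property( name="$!geo_ip!cityname" format="jsonf" outname="city" )
    constant( value="," )
    property( name="msg" format="jsonf" outname="msg" )
    constant( value="}\n" )
}

# Hypothetical output path; adjust to the local log layout.
action( type="omfile" file="/var/log/geo-enriched.json" template="geo_json" )
```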

© 2008-2017, Rainer Gerhards and Others.