No hosts list or country distribution showing #60

Closed
dginther opened this Issue Aug 8, 2014 · 17 comments


dginther commented Aug 8, 2014

Used the deploy script with Ansible, had to tinker a bit because of my own issues, but I am not getting any results in the traffic distribution or the hosts list. Can you advise why that might be? Thanks!

@packetb-old packetb-old added the question label Aug 9, 2014

Hi, to make sure I understand, you generally get data in Kibana but the Hosts panel is empty? A common issue is that we only display arrows between known hosts (hosts running the agent). Please check whether the values for both src_server.raw and dst_server.raw are filled.

Another thing you could try is to add another "force" panel in which you use the src_ip.raw and dst_ip.raw fields. This should always display values. Here is an example configuration:

[Screenshot: example panel configuration]

See also issue #56.

That's correct. I figured out that I need the GeoIP library installed to get src_country, though I haven't figured out where to actually get that library and there doesn't seem to be any info in the docs on that, other than a mention that it's necessary. Any more information available on that?

Ah, good point. On RPM based distros, do:

yum install GeoIP

and on Debian-based repos:

apt-get install geoip-database

Please make sure you have the latest version of the agent (0.3.2), because prior versions were not able to follow links when reading the geoip DB files. We'll update the documentation, thanks for pointing out the issue.

Looks like geoip-database is installed on both my packetbeat server as well as my one client. Is there any troubleshooting I might perform to make sure it's working as it's supposed to?

Please check that:

  1. /usr/share/GeoIP/GeoIP.dat exists where the agent is running
  2. Running the agent in foreground like this: packetbeat -e -v -c /etc/packetbeat/packetbeat.conf doesn't print any GeoIP related errors.
  3. That src_country / dst_country have values.

That file exists where the agent is running.
The agent running in the foreground does not generate any errors related to GeoIP.
src_country/dst_country do not have values.

Hmm, that's strange. If you copy one of the IP addresses from src_ip or dst_ip into here: https://www.maxmind.com/en/geoip_demo do you get values?

Ah. The solution presents itself. I am using an AWS load balancer. The src_ip is a 10.x.x.x address and therefore never gets looked up. Any way to make the map use the x-forwarded-for?

Not at the moment, unfortunately, because x-forwarded-for doesn't get its own field. We'll either add it to the list of exported headers or, better, make the list of exported headers configurable.

@tsg tsg referenced this issue Nov 6, 2014

Closed

Empty topology #74

Hello,

I'm having a similar problem. All my transactions have the location "0.000000, 0.000000". I installed the GeoIP library and checked Packetbeat running in debug mode, everything appears to be fine. Any tricks?

Thank you very much,
Gabriel


This is still broken in the latest beta2 for me.
Anyone working on fixing this?

Contributor

tsg commented Aug 19, 2015

@mingfang (or @gabrielrcouto), what OS are you running and what GeoIP package did you install? From what we know, this is working correctly for most people.

@tsg tsg added the feedback needed label Aug 19, 2015

I'm running my agent inside Docker https://github.com/mingfang/docker-packetbeat-agent
My Dockerfile https://github.com/mingfang/docker-packetbeat-agent/blob/master/Dockerfile
is based on Ubuntu 14.04 and I'm installing geoip-database.

I'm getting client_ip but no client_location.

Member

andrewkroh commented Aug 20, 2015

I looked at @mingfang's docker container. It installs the geoip-database package which contains the GeoLite Country database that will only return country names and not latitude/longitude values. The libbeat publisher requires that latitude and longitude be non-zero before it will insert the client_location field.

If you install the GeoLite City database then you should get latitude and longitude values and therefore have client_location.

Try this in your container and you should start getting back locations.

curl http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -o /usr/share/GeoIP/GeoIP.dat.gz
gunzip /usr/share/GeoIP/GeoIP.dat.gz

We should update the project documentation to inform users they should use the GeoLite City database. The defaults in geolite.go should also be changed to point to GeoLiteCity.dat rather than GeoIP.data.
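An added triage sketch, not Packetbeat or libbeat code, covering the two causes found in this thread: a private source address that no GeoIP database covers, and a database without coordinates (absent client_location or "0.000000, 0.000000"). The `Event` type, the `Diagnose` helper and all sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Event carries the two exported fields discussed in the thread.
type Event struct {
	ClientIP       string // client_ip
	ClientLocation string // client_location as "lat, lon"; "" when absent
}

// Diagnose returns why an event has no usable location (hypothetical helper).
func Diagnose(e Event) string {
	ip := net.ParseIP(e.ClientIP)
	if ip == nil {
		return "invalid-ip"
	}
	// RFC 1918 ranges have no entry in any public GeoIP database.
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, n, _ := net.ParseCIDR(cidr); n.Contains(ip) {
			return "private-address" // e.g. a load balancer's 10.x.x.x
		}
	}
	parts := strings.Split(e.ClientLocation, ",")
	if len(parts) != 2 {
		return "no-coordinates" // field absent: lookup gave no lat/lon
	}
	lat, errLat := strconv.ParseFloat(strings.TrimSpace(parts[0]), 64)
	lon, errLon := strconv.ParseFloat(strings.TrimSpace(parts[1]), 64)
	if errLat != nil || errLon != nil || (lat == 0 && lon == 0) {
		return "no-coordinates" // the "0.000000, 0.000000" symptom
	}
	return "ok"
}

func main() {
	// Constructed events; 203.0.113.7 is a documentation address standing in for a public client.
	events := []Event{{"10.0.3.12", ""}, {"203.0.113.7", ""},
		{"203.0.113.7", "0.000000, 0.000000"}, {"203.0.113.7", "52.3740, 4.8897"}}
	for _, e := range events {
		fmt.Printf("%-12s %-22q %s\n", e.ClientIP, e.ClientLocation, Diagnose(e))
	}
}
```

A `private-address` result points at the capture position (behind a load balancer or NAT), while `no-coordinates` on a public address points at the installed database edition.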

Yes, it works!
I wasted an entire day trying to figure this out.
I updated my Dockerfile with this fix.
Thank you very much Andrew.

@tsg tsg removed the feedback needed label Aug 20, 2015

Contributor

tsg commented Aug 20, 2015

Thanks @andrewkroh and @mingfang! I'll add this to the docs.

Thank you very much @andrewkroh, I followed your instructions and now the location resolution is working on my Ubuntu Server installation.

ruflin added a commit that referenced this issue Dec 2, 2015

Merge pull request #60 from tsg/appveyor_hipchat_tocken
Encrypted token changed when we changed the projects in appveyor

@ruflin ruflin added the Packetbeat label Dec 2, 2015

ruflin pushed a commit to ruflin/beats that referenced this issue Dec 2, 2015

Merge pull request #60 from ruflin/jenkins
Addition for jenkins to install docker-compose

tsg pushed a commit to tsg/beats that referenced this issue Jan 20, 2016

tsg added a commit to tsg/beats that referenced this issue Jan 20, 2016

Merge pull request #60 from ruflin/jenkins
Addition for jenkins to install docker-compose

@andrewkroh andrewkroh closed this Feb 11, 2016
