15.3.2. Using the GeoIP2 parser

Declaration: 

parser parser_name {
    geoip2(
        <macro-containing-the-IP-address-to-lookup>
        prefix()
        database("<path-to-geoip2-database-file>")
    );
};

In the following example, syslog-ng OSE retrieves the GeoIP2 data of the IP address contained in the ${HOST} field of the incoming message (assuming that in this case the ${HOST} field contains an IP address), and includes the data (prefixed with the geoip2 string) in the output JSON message.

@version: 3.11
@module geoip2

options {
    keep_hostname(yes);
};

source s_file {
    file("/tmp/input");
};

parser p_geoip2 { geoip2( "${HOST}", prefix( "geoip2." ) database( "/usr/share/GeoIP2/GeoLiteCity.dat" ) ); };

destination d_file {
    file( "/tmp/output" flags(syslog-protocol) template("$(format-json --scope core --key geoip2*)\n") );
};


log {
    source(s_file);
    parser(p_geoip2);
    destination(d_file);
};

For example, for the <38>2017-05-24T13:09:46 192.168.1.1 prg00000[1234]: test message message the output will look like:

<38>1 2017-05-24T13:09:46+02:00 192.168.1.1 prg00000 1234 - [meta sequenceId="3"] {"geoip2":{"subdivisions":{"0":{"names":{"en":"Budapest"},"iso_code":"BU","geoname_id":"3054638"}},"registered_country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"postal":{"code":"1063"},"location":{"time_zone":"Europe/Budapest","longitude":"19.070200","latitude":"47.510200","accuracy_radius":"5"},"country":{"names":{"en":"Hungary"},"iso_code":"HU","geoname_id":"719819"},"continent":{"names":{"en":"Europe"},"geoname_id":"6255148","code":"EU"},"city":{"names":{"en":"Budapest"},"geoname_id":"3054643"}},"PROGRAM":"prg00000","PRIORITY":"info","PID":"1234","MESSAGE":"test message","HOST":"192.168.1.1","FACILITY":"auth","DATE":"May 24 13:09:46"}