Get Location and Map from Log file

Hi there,

I have a dashboard which uses the log from ufw to plot the failed logins. In these lines there is an IP address, which I could “convert” to a geolocation using: http://ip-api.com/json/24.48.0.1?fields=lat,lon
Is it possible to use this API to get locations to be displayed on a map?
Can I run a bash script on each log line or so?

Thanks a lot!!

Which API are you referring to here?

Hi, I got a little bit further. I now have a log line like this:

So each line looks like this:

{"status":"denied", "ip":"209.97.130.38", "latitude":51.5368, "longitude":-0.6718}

The promtail config for that looks like this:

  - job_name: authlogGeo
    static_configs:
      - targets:
          - localhost
        labels:
          job: authlogGeo
          __path__: /var/log/authGeo.log
    pipeline_stages:
      - json:
          expressions:
            status: status
            ip: ip
            latitude: latitude
            longitude: longitude
      - labels:
          status: status
          ip: ip
          latitude: latitude
          longitude: longitude


Now, how can I make Grafana recognize latitude / longitude to be a numeric label?

Thanks a lot!
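
An enrichment step that produces JSON lines in the format shown in this post, added here as an example and not code from the thread: it takes the first public IPv4 address from each raw log line, resolves it once per distinct IP through the ip-api.com URL from the first post, and returns one JSON line per hit. The raw line layout in `SAMPLE`, the function names, and the assumption that the first public address in a line is the source are constructed for illustration.

```python
import ipaddress
import json
import re
import urllib.request

API_URL = "http://ip-api.com/json/{ip}?fields=lat,lon"  # endpoint from the first post
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed ufw-style lines (hypothetical host and ports); the public IP is from the thread.
SAMPLE = [
    "Jan 12 10:00:01 host kernel: [UFW BLOCK] IN=eth0 SRC=209.97.130.38 DST=192.168.1.10 DPT=22",
    "Jan 12 10:00:02 host kernel: [UFW BLOCK] IN=eth0 SRC=192.168.1.77 DST=192.168.1.10 DPT=22",
    "Jan 12 10:00:03 host kernel: [UFW BLOCK] IN=eth0 SRC=209.97.130.38 DST=192.168.1.10 DPT=23",
]

def lookup_ip_api(ip):
    """Default resolver: one HTTP request per IP; returns (lat, lon) or None."""
    with urllib.request.urlopen(API_URL.format(ip=ip), timeout=5) as resp:
        data = json.load(resp)
    return (data["lat"], data["lon"]) if "lat" in data and "lon" in data else None

def extract_public_ip(line):
    """First globally routable IPv4 address in the line (assumed to be the source)."""
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # the regex also matches strings like 999.1.1.1
            continue
        if addr.is_global:  # skips private, loopback and reserved ranges
            return str(addr)
    return None

def enrich(lines, resolver=lookup_ip_api, status="denied"):
    """Return JSON lines in the thread's format, one per line with a resolvable IP."""
    cache, out = {}, []  # cache: one lookup per distinct IP
    for line in lines:
        ip = extract_public_ip(line)
        if ip is None:
            continue
        if ip not in cache:
            cache[ip] = resolver(ip)
        if cache[ip] is not None:
            lat, lon = cache[ip]
            out.append(json.dumps({"status": status, "ip": ip, "latitude": lat, "longitude": lon}))
    return out

if __name__ == "__main__":  # offline demo: stub resolver with the coordinates from this post
    print("\n".join(enrich(SAMPLE, resolver=lambda ip: (51.5368, -0.6718))))
```

Passing a different `resolver` (for example a local GeoIP database lookup) keeps the log's source addresses from being sent to a third-party service over plain HTTP.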

There might be a couple of ways.

  1. pattern parser, read below
    | pattern "<pattern-expression>"
    New in Loki 2.3: LogQL pattern parser makes it easier to extract data from unstructured logs | Grafana Labs

  2. line format

| json
| line_format "{{ .lon}} | {{ .lat}} | {{ .foo}} | {{ .bar}}"

Read the docs, keep playing with it and post back once you have tried and are stuck.

Hi, thanks for your reply. I am asking here because I did not make it further than I described, also with the help of the documentation.

I did actually try to use the line_format, but it always fails like this:

It feels like there is just no way to get the JSON keys as labels into the latitude/longitude fields.

Hope you have any other idea or keyword to google.

Please post a sample log file.

Hi, this is how the log file looks:

{"status":"denied", "ip":"140.246.107.170", "latitude":36.6533, "longitude":117.146}
{"status":"denied", "ip":"140.246.107.170", "latitude":36.6533, "longitude":117.146}
{"status":"denied", "ip":"140.246.107.170", "latitude":36.6533, "longitude":117.146}
{"status":"denied", "ip":"193.32.162.132", "latitude":52.3676, "longitude":4.90414}
{"status":"denied", "ip":"5.180.253.220", "latitude":50.1093, "longitude":8.7321}
{"status":"denied", "ip":"193.32.162.132", "latitude":52.3676, "longitude":4.90414}
{"status":"denied", "ip":"194.0.234.38", "latitude":51.5072, "longitude":-0.127586}
{"status":"denied", "ip":"193.32.162.132", "latitude":52.3676, "longitude":4.90414}
{"status":"denied", "ip":"193.32.162.132", "latitude":52.3676, "longitude":4.90414}
{"status":"denied", "ip":"92.255.85.189", "latitude":55.7558, "longitude":37.6173}
{"status":"denied", "ip":"92.255.85.188", "latitude":55.7558, "longitude":37.6173}
{"status":"denied", "ip":"194.0.234.37", "latitude":51.5072, "longitude":-0.127586}
{"status":"denied", "ip":"92.255.57.132", "latitude":55.7558, "longitude":37.6173}
{"status":"denied", "ip":"194.0.234.38", "latitude":51.5072, "longitude":-0.127586}
{"status":"denied", "ip":"92.255.85.188", "latitude":55.7558, "longitude":37.6173}

It's OK that the IPs are public… they were trying to break into my system anyway :wink:

{filename="/var/log/authGeo.log"} | json longitude="longitude", latitude="latitude"

or

{filename="/var/log/authGeo.log"} | json | unpack
