
Google Maps 11.3 / Splunk server 6.0.2

thierryit
Path Finder

Dears,

Not working well:

Trying to make it work with the modsecurity app ....

source="www-access_log" | geoip clientip

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/maps/bin/geoipcmd.py", line 59, in
    preprocess_row=preprocess)
  File "/opt/splunk/etc/apps/maps/bin/geoip.py", line 199, in process_csv_stream
    ip = row[ip_field]
KeyError: 'clientip'

Any ideas?
Seems to be a pb with GoogleMaps ....

Thx

martin_mueller
SplunkTrust

Disabling the command isn't going to make it work.

Run a search like this:

source="*www-access_log*"

and see if there is a field containing the client's ip. Then use that field name in the geoip call.
If there's no field yet, post some sample events and we'll help you extract the field.

thierryit
Path Finder

On GoogleMaps/Settings, I have disabled the geoip command.
When running modsecurity/dashboard I no longer get the error, only geoip not found.

Thx

thierryit
Path Finder

I have reinstalled everything, same problem ...
What am I supposed to do now?
Do I have to open a ticket somewhere?

Thx for your help.

martin_mueller
SplunkTrust

Yup, that error message supports my guess that geoip is looking for a field called clientip but can't find one.

thierryit
Path Finder

Dear both,

Please have a look at this snapshot:

https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing (dl the document to see it)

It seems to be a problem with the interaction between modsecurity and GoogleMaps ....
As I said, I don't know what those two apps are doing .... The source="www-access_log" gives me nothing ...

Thx

dmaislin_splunk
Splunk Employee

Can you provide a sample of the log:

source="www-access_log"

As Martin stated, you would need a field called clientip. If you don't have one, simply use REX or the other UI methods to extract this field at search time. Then your geoip command will work.
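As an added example (not part of any post in this thread, and not code from the Google Maps or modsecurity apps), here is the search-time extraction described above and the field check martin_mueller asked for, written as one SPL search. It assumes www-access_log is an Apache-style access log whose first token is the client address; the regex and the source pattern are that assumption, while the field name clientip is the one the traceback shows geoip looking up:

```spl
source="*www-access_log*"
| rex field=_raw "^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s"
| where isnotnull(clientip)
| geoip clientip
```

Run the first three lines on their own first and check the field sidebar: if clientip is populated, the regex matches your log format, which is the check suggested earlier in the thread. The `where` step drops events where the regex did not match, so geoip is never handed a row without that column, which is exactly the condition that raised the KeyError. To make the field permanent instead of per-search, the same regex can go into props.conf for the sourcetype as `EXTRACT-clientip = ^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s`.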

thierryit
Path Finder

Hum, please don't shoot me ....
But I am a bit lost ..... Where should this "clientip" field be?
As I said, modsecurity is transparent for me, I do not know what it is doing ....
Is it a pb with the config of my splunkforwarder (inputs)?

Thx for your help.

martin_mueller
SplunkTrust

There you go then, geoip is failing as documented in the error message. If it's supposed to translate a field called clientip into a geolocation but that field does not exist - what is it supposed to do?

thierryit
Path Finder

I do not see any field called "clientip" ....

thierryit
Path Finder

I have found other error messages:

ago 03-24-2014 16:54:23.679 +0200 ERROR TailingProcessor - Ignoring path="/var/log/apache2/modsec_audit.log" due to: Bug: tried to check/configure STData processing but have no pending metadata.

....

martin_mueller
SplunkTrust

That URL gives me a 403.

I'm asking about whether your source events have a field called clientip because not having that field produces the same KeyError from geoip.

thierryit
Path Finder

I have this error when I am trying to use the app "modsecurity".
I don't know what the app "modsecurity" is doing exactly.
When I click on Dashboard, I have 423 events and at the top of the Splunk web page I have all these error messages in red.

Please have a look:
https://drive.google.com/file/d/0BxTKjXaz-ROBdVdPNTN1TjNrNm8/edit?usp=sharing

Thx

martin_mueller
SplunkTrust

You're asking the geoip command to guess location data based on the field clientip. I'm wondering if the events you're giving to geoip, ie the results from your search source="www-access_log", actually have a field by that name.

thierryit
Path Finder

Sorry, but can you be a bit more precise?
What event are you referring to?

Thx

martin_mueller
SplunkTrust

Do your events have a field called clientip?
