Office GeoIP

[Brenno Garcia]

Hello,

How can I create office login rules based on GeoLocation?

I already have my Wazuh compiled with USE_GEOIP=YES, but the srcgeoip field doesnt work on Office logs?

On my Linux website log, the srcgeoip field works correctly

"srcgeoip": "US", "full_log": "34.55.95.50 - - [06/Apr/2026:14:18:51 -0300] \"GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.1\" 404 196 \"-\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"", "timestamp": "2026-04-06T17:18:51.426+0000" }, "fields": { "timestamp": [ "2026-04-06T17:18:51.426Z"

[Hernán Osvaldo Santiago Valenzuela]

Hi Brenno,

The reason why srcgeoip works for your Linux website logs but not for Office logs is related to how Wazuh performs GeoIP enrichment.

GeoIP is only applied when Wazuh detects and maps a valid source IP field (typically srcip). In your web server logs, Wazuh correctly extracts the client IP (e.g., 34.55.95.50) into the srcip field, which then allows the GeoIP module to populate srcgeoip.

However, Microsoft Office / Microsoft 365 audit logs are different:

1. They usually come in JSON format.
2. The client IP is typically stored in fields like ClientIP, ClientIPAddress, or inside nested JSON structures.
3. These fields are not automatically mapped to srcip by default Wazuh decoders.
4. Since srcip is not populated, GeoIP enrichment is not triggered.
5. Therefore, srcgeoip is never generated.

So even though Wazuh is compiled with USE_GEOIP=YES, GeoIP only works when:

• There is a valid srcip field
• The IP is public (not private/internal)
• The decoder maps the IP properly

How to fix it:

Option 1 – Create a custom decoder
Create or modify a decoder for Office logs to map the correct field to srcip.

Example (conceptual):

<decoder name="office365-custom">
<parent>json</parent>
<regex>"ClientIP":"([^"]+)"</regex>
<order>srcip</order>
</decoder>

Or if using JSON key mapping:

<decoder name="office365-json">
<parent>json</parent>
<json>ClientIP</json>
<order>srcip</order>
</decoder>

After mapping ClientIP → srcip, GeoIP enrichment will automatically populate srcgeoip.

Option 2 – Use an ingest pipeline (if using Wazuh indexer / OpenSearch)
You can also create an ingest pipeline that copies:

ClientIP → srcip

before indexing.

Then GeoIP will work as expected.

Important checks:

• Confirm that the Office logs actually contain a public IP.
• Make sure the field is not inside a nested object (like properties.ClientIP).
• Restart Wazuh manager after modifying decoders.
• Verify in alerts.json that srcip exists before checking srcgeoip

Summary:

GeoIP is working correctly in your environment. The issue is not with compilation or GeoIP itself, but with field mapping. Once the Office client IP is properly mapped to srcip, srcgeoip will be generated automatically.
Hernan.

[Hernán Osvaldo Santiago Valenzuela]

Hi Brenno

• Verify in alerts.json that srcip exists before checking srcgeoip.

Summary:

GeoIP is working correctly in your environment. The issue is not with compilation or GeoIP itself, but with field mapping. Once the Office client IP is properly mapped to srcip, srcgeoip will be generated automatically.

Hernan

On Thursday, April 23, 2026 at 3:16:23 PM UTC-3 Brenno Garcia wrote:

[Brenno Garcia]

Hello, still not working

This decoder doesnt work and all office logs alerted by rule 1002 unknown error

<decoder name="office365-custom">
<parent>json</parent>
<regex>"ClientIP":"([^"]+)"</regex>
<order>srcip</order>
</decoder>

This decoder gave to me syntax error uknown field json

<decoder name="office365-json">
<parent>json</parent>
<json>ClientIP</json>
<order>srcip</order>
</decoder>

In alerts.json, the srcgeoip field doesnt appear constantly, but the rules based and geoip for Linux, pfsense (syslog) works properly.