Some alerts do not show either Source Geolocation or Destination Geolocation


I noticed that some alerts do not show either Destination geolocation or Source geolocation information. Sometimes the country information is missing, sometimes the city information, and sometimes even both at the same time.

Is this normal behaviour?

What version are you running with what config and what GeoIP DB?
The most obvious scenario would be that the GeoIP DB is missing that information.

I am using the latest Suricata version with the GeoLite2 Country database.

What does the config look like?
Can you provide examples and did you compare the IPs with the DB itself?

This is normal, specifically on private IP ranges.
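
One way to do the comparison asked about in this thread before looking anything up in the GeoIP DB, as an added example that is not from any poster or from Suricata itself: it reads EVE JSON alert records and reports, for each side, whether the address is in a range a public GeoIP database cannot cover. The sample lines and the helper names `no_geo_reason` and `triage` are constructed for illustration; `event_type`, `src_ip` and `dest_ip` are standard EVE fields.

```python
import ipaddress
import json

# Constructed sample EVE lines (not taken from the thread).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","alert":{"signature":"constructed A"}}
{"event_type":"alert","src_ip":"8.8.4.4","dest_ip":"10.0.0.5","alert":{"signature":"constructed B"}}
{"event_type":"alert","src_ip":"127.0.0.1","dest_ip":"224.0.0.251","alert":{"signature":"constructed C"}}
{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"8.8.8.8"}
{"event_type":"alert","src_ip":"8.8.8.8","dest_ip":"8.8.4.4","alert":{"signature":"constructed D"}}
"""

def no_geo_reason(addr):
    """Return why a public GeoIP DB has no entry for addr, or None if it should have one."""
    try:
        ip = ipaddress.ip_address(str(addr))
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    if not ip.is_global:
        return "non-global"  # e.g. shared or reserved address space
    return None

def triage(eve_text):
    """For each alert, list which sides are expected to lack geolocation and why."""
    rows = []
    for line in eve_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # skip blank or truncated lines
        if event.get("event_type") != "alert":
            continue
        rows.append({
            "signature": event.get("alert", {}).get("signature"),
            "src": no_geo_reason(event.get("src_ip")),
            "dest": no_geo_reason(event.get("dest_ip")),
        })
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_EVE):
        print(row)
```

A side that comes back as `None` is a globally routable address, so a missing country there is worth checking against the database file directly.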