wazuh-indexer 4.4.0 Ingest-Geoip Issue
541 views
Skip to first unread message
William Thomas
Apr 7, 2023, 3:51:14 PM4/7/23
to Wazuh mailing list
While running Wazuh 4.3.10 I wanted to extend the baseline MaxMind GeoIP database with company specific information. I built my own custom GeoIP DB with mmdb format, deployed it into the /etc/wazuh-indexer/ingest-geoip/filename.mmdb. Updated the ingest pipeline configuration (in /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json ) to add processors such as:
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"database_file": "filename.mmdb",
"first_only": false,
"ignore_missing": true,
"ignore_failure": true,
"description": "data.srcip dbfile intlocal"
}
},
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"database_file": "filename.mmdb",
"first_only": false,
"ignore_missing": true,
"ignore_failure": true,
"description": "data.srcip dbfile intlocal"
}
},
This approached worked with Wazuh 3 and ELK, it worked with Wazuh 4.3.10, but when upgrading to Wazuh 4.4.0 it seems to have stopped working and I cannot figure out why.
Marcos Javier Bonacci
Apr 10, 2023, 9:48:45 AM4/10/23
to Wazuh mailing list
Hello William
Thank you for using Wazuh
Let me check with the team and get back to you as soon as possible with comments on your question.
Best regards,
Javier
Thank you for using Wazuh
Let me check with the team and get back to you as soon as possible with comments on your question.
Best regards,
Javier
Marcos Javier Bonacci
Apr 14, 2023, 3:30:46 PM4/14/23
to Wazuh mailing list
William, sorry for the delay, but we are performing tests on environments with the description you mention.
In order to have more data, could you send me logs with the errors to have more details to identify the problem? As well as the GeoIP DB with mmdb format (Hiding the sensitive data) to test it in our environments.
For my part, I am still testing with environments in version 4.4.
Regards,
Javier
In order to have more data, could you send me logs with the errors to have more details to identify the problem? As well as the GeoIP DB with mmdb format (Hiding the sensitive data) to test it in our environments.
For my part, I am still testing with environments in version 4.4.
Regards,
Javier
William Thomas
Apr 18, 2023, 1:05:13 PM4/18/23
to Wazuh mailing list
Unfortunately, there are no error messages that relate to this (that I could find). I really know it worked prior to the Wazuh-Indexer upgrade and stopped working after the upgrade. I did re-install my pipeline and verified that Wazuh-Indexer sees the pipeline update.
The wazuh.mmdb is file is created by the build-wazuh.pl.txt script. It is then placed in /etc/wazuh-indexer/ingest-geoip with appropriate permissions (0600 owned by wazuh-indexer, though I did loosen the permissions to see if that worked) on all of the wazuh-indexer nodes.
You then adjust your ingest pipeline on the Wazuh Servers that run filebeat.
Edit /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
Prepend each geoip entry with one that adds the database_file statements, example of the data.srcip entry:
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"database_file": "wazuh.mmdb",
"first_only": true,
"ignore_missing": true,
"ignore_failure": true,
"description": "data.srcip dbfile wazuh"
}
},
"first_only": true,
"ignore_missing": true,
"ignore_failure": true,
"description": "data.srcip dbfile wazuh"
}
},
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"ignore_missing": true,
"ignore_failure": true
}
},
"ignore_failure": true
}
},
Finally, reload the ingest pipeline with
sudo filebeat setup -pipelines -modules=wazuh
How this worked before the wazuh-indexer upgrade is if the IP was found in the custom DB (wazuh.mmdb) that populated the Geoip entity within Wazuh-Indexer (opensearch), if not found it used the default GeoIP DB (default MaxMind), if not found in either DB there is no GeoIP location information added to the alert.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/pzr2r07G__U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/27366ffc-a2f4-4be1-9b73-ed483f6599e1n%40googlegroups.com.
Marcos Javier Bonacci
Apr 28, 2023, 5:34:28 PM4/28/23
to Wazuh mailing list
William, after reviewing it with dev and testing, GeoIP was configured in wazuh 4.4. You need to update GeoLite and create an account to have AccountID, LicenseKey, EditionIDs.
Here are the steps to perform the update:
Best regards,
Javier
Here are the steps to perform the update:
- View version: geoipupdate -V
- Upgrade version (if less than 4.x): Download package (rpm/deb) and install it.
- Create a free account
- Update the /etc/GeoIP.conf file with the info obtained in the previous step
- AccountID YOUR_ACCOUNT_ID_HERE
- LicenseKey YOUR_LICENSE_KEY_HERE
- EditionIDs YOUR_EDITION_IDS_HERE
- Update db with geoipupdate -v
- Restart wazuh-manager
- Recommendation: leave it configured in crontab
Best regards,
Javier
Reply all
Reply to author
Forward
0 new messages