New Install GeoIP not working

[Steve O'Brien]

Hey Folks,

I have a new install (4.7.3) and I am not getting GeoIP data in my alerts.  I have installed and configured GeoIP using :

View version: geoipupdate -V
Upgrade version (if less than 4.x): Download package (rpm/deb) and install it.
Create a free account
Update the /etc/GeoIP.conf file with the info obtained in the previous step
AccountID YOUR_ACCOUNT_ID_HERE
LicenseKey YOUR_LICENSE_KEY_HERE EditionIDs YOUR_EDITION_IDS_HERE Update db with geoipupdate -v Restart wazuh-manager Recommendation: leave it configured in crontab

I have confirmed that geoip downloads are working properly.

Am I missing something?

[Sebastian Dario Bustos]

Hi Steve,

Thank you for using Wazuh!!!

By default Wazuh enriches certain fields (like srcip for example) with GeoIP information that can be used, for example for dashboads creation.
If your desired field is not being enriched, you can proceed to add it to the filebeat's pipeline processors so it will be enriched, to do so you can do the following:

• Edit the file ` /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json`
• To add a new GeoIP processor you may copy one of the existent processors to the end and modify the field name (in this example data.srcip for the one you want enriched).
  For example, you should see config blocks like this:
  { "geoip": { "field": "data.srcip", "target_field": "GeoLocation", "properties": ["city_name", "country_name", "region_name", "location"], "ignore_missing": true, "ignore_failure": true } },
• Stop filebeat service with the command: systemctl stop filebeat
• Load the pipeline with the command: filebeat setup --pipelines
• Start filebeat service with the command: systemctl start filebeat

Please let me know the field name you want enriched, basically if you don't see it on the above file, it is currently not being enriched and you will have to do the above procedure.
Regards.

[Steve O'Brien]

Thanks Sebastian,

I do have logs being parsed from our Palo Alto and there are two different fields one for the PaloAlto System (data.source_address) and on for the PaloAlto GlobalProtect (data.public_ip) instead of data.srcip.  Can I add two more 'stanzas' to the pipeline like this;

{ "geoip": { "field": "data.srcip", "target_field": "GeoLocation", "properties": ["city_name", "country_name", "region_name", "location"], "ignore_missing": true, "ignore_failure": true } },

{ "geoip": { "field": "data.source_address", "target_field": "GeoLocation", "properties": ["city_name", "country_name", "region_name", "location"], "ignore_missing": true, "ignore_failure": true } },
{ "geoip": { "field": "data.public_ip, "target_field": "GeoLocation", "properties": ["city_name", "country_name", "region_name", "location"], "ignore_missing": true, "ignore_failure": true } },

[Steve O'Brien]

So that did work, I am now getting GeoIP info in my alerts, however the info from GeoIP is wrong:

data.source_address

176.120.65.95

GeoLocation.city_name
Moscow

GeoLocation.country_name
Russia

GeoLocation.location
{
  "lon": 37.6172,
  "lat": 55.7527
}

GeoLocation.region_name
Moscow

176.120.65.95 Vienna, Vienna, Austria (AT), Europe 176.120.65.0/24 1010 48.2049, 16.3662 (20 km)

[Sebastian Dario Bustos]

Hi Steve,

The database on which Indexer is based is the Opensearch's GeoIP database on which Indexer is based on, to update this, you can do the following:

• You will need to download the updated version of the databases to use with Wazuh Indexer to enrich your alerts, you can do so by registering on the following link with a free account: https://www.maxmind.com/en/geolite2/signup?lang=en
• Once you are registered, you will be able to download the database.
• Stop the Wazuh Indexer service with the command: `systemctl stop wazuh-indexer`
• Rename or move to another location the .mmdb files from this path: /usr/share/wazuh-indexer/modules/ingest-geoip/
• Change the ownership and permissions of the file as follows:
  ` chown wazuh-indexer:wazuh-indexer /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-*`
  ` chmod 640 /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-*`
• Start the Wazuh Indexer service again with the command: `systemctl start wazuh-indexer`

This should update your Indexer's GeoIP database information to a more accurate one, let me know if this helps.

Regards

[Steve O'Brien]

Thank you!

I see the issue, GeoIP databases are downloaded automatically to /var/lib/GeoIP but wazuh-indexer is using databases in /usr/share/wazuh-indexer/modules/ingest-geoip/

Do by copying the mmdb files from /var/lib/GeoIP/ to /usr/share/wazuh-indexer/modules/ingest-geoip/ (the copy process took care of ownership and permissions) and restarting wazuh-indexer I should see more accurate GeoIP data?

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/zZ0Bs7VIZE0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f8ce9fef-36f5-47f5-b444-5ff33b7e895bn%40googlegroups.com.

[Sebastian Dario Bustos]

Hi Steve,

If the databases are compatible, then yes, you should see more accurate data after updating the mmdb files, make sure you make a backup before moving the files so, in case of any errors you can restore the originals at least to have your geo location working until you download the MaxMind DBs.

Please remember to bring down the service before you move the mmdb files and then start again.

Let me know.

Regards.