Geoip O365


Jose Pimentel

Jul 12, 2022, 10:52:11 AM
to Wazuh mailing list
Hi, 

I have a problem. I configured <geoipdb>/etc/GeoLiteCity.dat</geoipdb> in ossec.conf but I can see nothing in the location map. Could you help me? I have an AMI in AWS.

Thanks

Facundo Mayon

Jul 12, 2022, 12:33:07 PM
to Wazuh mailing list
Hello Jose, nice to meet you, and thanks for using Wazuh.
I recommend you take a look at our documentation of AWS https://documentation.wazuh.com/current/amazon/index.html.

I hope this could be useful.
Regards 
Facundo


Juan Carlos Tello

Jul 13, 2022, 7:14:31 AM
to Facundo Mayon, Wazuh mailing list
Hello Jose,

The <geoipdb> option is only used if the Wazuh manager is compiled from sources using the USE_GEOIP Makefile option.
By default Wazuh does geoIP enrichment in the indexer using the geoip pipeline which is configured in the file /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json (source available here).

On that file the fields that will receive geoip enrichment are specified, in the case of O365 that is data.office365.ClientIP and for AWS it is data.aws.sourceIPAddress (it's unclear in your question which one you are not seeing enriched). Bear in mind that only public IPs can be enriched as local network addresses do not provide any location information.

Additionally, if you installed before May 27th you may have an older version of the filebeat module as mentioned here: https://github.com/wazuh/wazuh-packages/issues/1563 so you may need to update your module and setup the pipeline again:

curl -Lo /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json https://raw.githubusercontent.com/wazuh/wazuh/v4.3.5/extensions/filebeat/7.x/wazuh-module/alerts/ingest/pipeline.json
filebeat setup --pipelines --modules wazuh

Let us know if you have any more questions.
Best Regards,
Juan C. Tello

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7413601e-689a-43f9-87b6-42c0014b3600n%40googlegroups.com.
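As an added example (not part of the thread and not Wazuh's own code): a small Python check that applies the two conditions Juan describes to an alert document, whether the field the pipeline enriches (data.office365.ClientIP for O365, data.aws.sourceIPAddress for AWS) is present, and whether its value is a public IP that a geoip lookup can place on the map. The field list and sample alerts are assumptions constructed for illustration; the real pipeline.json enriches more fields than these.

```python
import ipaddress
from typing import Any, Dict

# Fields named in the thread as geoip-enriched by the Wazuh filebeat pipeline.
# Assumption for this example: the real pipeline.json lists additional fields.
GEOIP_FIELDS = {
    "office365": "data.office365.ClientIP",
    "aws": "data.aws.sourceIPAddress",
}


def get_dotted(doc: Dict[str, Any], path: str) -> Any:
    """Walk a dotted path such as 'data.aws.sourceIPAddress' through nested dicts."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def geoip_status(alert: Dict[str, Any]) -> Dict[str, str]:
    """For each known source field, say why the geoip processor would or would not enrich it.

    'missing'    - field absent, so the processor has nothing to look up
    'not_an_ip'  - value is not a parseable IPv4/IPv6 address
    'non_public' - private, loopback, link-local or otherwise non-global address:
                   no location data exists, so nothing appears on the map
    'enrichable' - public address, eligible for geoip lookup
    """
    status: Dict[str, str] = {}
    for path in GEOIP_FIELDS.values():
        value = get_dotted(alert, path)
        if value is None:
            status[path] = "missing"
            continue
        try:
            ip = ipaddress.ip_address(str(value))
        except ValueError:
            status[path] = "not_an_ip"
            continue
        status[path] = "enrichable" if ip.is_global else "non_public"
    return status


# Constructed sample alerts (not real data from the thread).
SAMPLE_ALERTS = [
    {"data": {"office365": {"ClientIP": "8.8.8.8"}}},           # public: enrichable
    {"data": {"aws": {"sourceIPAddress": "10.0.0.5"}}},          # RFC 1918: never on the map
    {"data": {"office365": {"ClientIP": "fe80::1"}}},            # link-local IPv6: never on the map
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(geoip_status(alert))
```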