Enabling Geolocation Pre-rule processing on Wazuh 4.12 (again)


Fear cube_A

1:55 AM (6 hours ago)
to Wazuh | Mailing List
I know I'm not the first to ask such a question, but yeah, my attempt to recompile Wazuh and have GeoIP pre-processing (before alert and rule assignment) met with a dead end.

As mentioned in this Reddit thread and some other places, it told me to recompile Wazuh. Cool, and then what am I supposed to do after that? Which is the best way to have GeoIP enabled?

Copying the compiled rule won't do anything (unless I copied the wrong stuff) and I'll be greeted with the usual invalid syntax error. The thing in question is "wazuh-analysisd".

Trying to reinstall Wazuh will be greeted with an API issue after I finish installing it, due to a credential mismatch. And I have no idea where to obtain the new credentials for the API.

If anyone successfully implemented GeoIP pre-processing, please enlighten me.

Ifeanyi Onyia Odike

5:17 AM (2 hours ago)
to Wazuh | Mailing List
Hi,

Reinstall Wazuh from sources and perform the following to include the GeoLite2 database:
  1. Install the libgeoip-dev library. Command: apt install libgeoip-dev
  2. Build Wazuh with the USE_GEOIP flag. Command: make TARGET=server USE_GEOIP=yes
  3. Install the Wazuh server version. Command: ./install.sh
  4. Download the GeoLite2 free databases; it's necessary to create an account. Choose the City version in CSV format, zipped. link.
  5. Download geolite2legacy.py to convert from the .CSV to the .DAT file (supported by Wazuh).
  6. Convert the GeoLite2-City-CSV to a DB file. Command: ./geolite2legacy.py -i GeoLite2-City-CSV_20220603.zip -f geoname2fips.csv -o GeoIP.dat
  7. Copy the converted GeoIP.dat DB inside the Wazuh directory. Command: cp GeoIP.dat /var/ossec/etc
The following steps are configuration settings:
- Enable USE_GEOIP in the ossec.conf file:

    <global>
      <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>
    </global>

    <alerts>
      <use_geoip>yes</use_geoip>
    </alerts>

- Enable USE_GEOIP in the internal_options.conf file:
    analysisd.geoip_jsonout=1
    maild.geoip=1

Restart the Wazuh server and it should run without any ERROR message. At this point every generated alert that includes a srcip or dstip field will look up the srcgeoip or dstgeoip information in the GeoIP.dat database.

Let me know how it goes!
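A small checker for the configuration half of the recipe above, added here as an example and not code from the thread or from the Wazuh project. It parses constructed ossec.conf and internal_options.conf fragments (Wazuh allows several <ossec_config> blocks in one file, so the text is wrapped in a synthetic root before XML parsing) and lists every setting that is missing or wrong; the file paths and sample values are constructed for the example.

```python
import os
import xml.etree.ElementTree as ET
# Constructed ossec.conf sample; Wazuh allows several <ossec_config> blocks, so it is not single-root XML.
SAMPLE_OSSEC_CONF = """
<ossec_config><global><geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb></global></ossec_config>
<ossec_config><alerts><use_geoip>yes</use_geoip></alerts></ossec_config>
"""
# Constructed internal_options.conf sample; maild.geoip is deliberately left at 0.
SAMPLE_INTERNAL_OPTIONS = """
# analysisd options
analysisd.geoip_jsonout=1
maild.geoip=0
"""

def parse_ossec_conf(text):
    """Return (geoipdb path, use_geoip value) after wrapping the text in a synthetic root."""
    root = ET.fromstring("<root>" + text + "</root>")
    geoipdb = root.findtext(".//global/geoipdb")
    use_geoip = root.findtext(".//alerts/use_geoip")
    return (geoipdb.strip() if geoipdb else None,
            use_geoip.strip().lower() if use_geoip else None)

def parse_internal_options(text):
    """Return key=value pairs, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def geoip_problems(ossec_conf, internal_options, db_exists=os.path.isfile):
    """List every setting from the recipe that is missing or wrong."""
    problems = []
    geoipdb, use_geoip = parse_ossec_conf(ossec_conf)
    if not geoipdb:
        problems.append("ossec.conf: <global><geoipdb> not set")
    elif not db_exists(geoipdb):
        problems.append(f"ossec.conf: geoipdb file {geoipdb} not found")
    if use_geoip != "yes":
        problems.append("ossec.conf: <alerts><use_geoip> is not 'yes'")
    opts = parse_internal_options(internal_options)
    for key in ("analysisd.geoip_jsonout", "maild.geoip"):
        if opts.get(key) != "1":
            problems.append(f"internal_options.conf: {key} is not 1")
    return problems
```

Run it against the real files with `geoip_problems(open("/var/ossec/etc/ossec.conf").read(), open("/var/ossec/etc/internal_options.conf").read())`; an empty list means all three settings from the recipe are in place and the database file is where geoipdb points.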