Geotagging Missing in Alerts

[trail DMARC]

Hi Connections,

Please need your support to rectify the geotagging issue on alert which was available on initial integration.
I already checked the pipeline.json file, the default fields are already present in it for geo-location purposes.

Please note, I am using wazuh 4.3 version and server is connected to internet as well.

Best Regards,

[Christian Borla]

Hi!
I hope you are doing fine!
Follow next steps to include integrate geoip when alert is generating.

Steps to include GeoLite2 database to Wazuh version:

1. Install libgeoip-dev library. command: apt install libgeoip-dev
2. Build Wazuh version with USE_GEOIP flag. command: make TARGET=server USE_GEOIP=yes, follow installation from sources documentation.
3. Download the GeoLite2 free databases, it's necessary create an account. choose the City version in CSV format, zipped. link .
4. Download geolite2legacy.py to convert from .CSV to .DAT file (supported by Wazuh).
5. Convert the GeoLite2-City-CSV to DB file. command: ./geolite2legacy.py -i GeoLite2-City-CSV_20220603.zip -f geoname2fips.csv -o GeoIP.dat 
6. Copy the converted GeoIP.dat DB inside the Wazuh directory. command: cp GeoIP.dat /var/ossec/etc

Following steps are configurarion settings.Enable USE_GEOIP in ossec.conf file:

    <global>    
      <geoipdb>/var/ossec/etc/GeoIP.dat</geoipdb>    
   </global>    
 
  <alerts>    
   <use_geoip>yes</use_geoip>    
  </alerts>

Enable USE_GEOIP in internal_options.conf file:

   
   analysisd.geoip_jsonout=1    
   maild.geoip=1

Restart Wazuh server and it should run without any ERROR message. At this point the functionality is enable, every generated alert that include srcip or dstip field will
look for the srcgeoip or dstgeoip information in GeoIP.dat database

I hope it helps!
Regards.