Request for Full Steps to Configure GeoIP Visualization in Wazuh 4.13


Jaswantha Ragesh

Sep 25, 2025, 7:46:53 AM
to Wazuh | Mailing List

Hello Wazuh Community,

I am currently working with Wazuh version 4.13 and would like to set up GeoIP-based map visualization in the Wazuh Dashboard (OpenSearch Dashboards). I understand that this requires configuring GeoIP databases and enabling certain settings, but I would appreciate if someone could kindly provide the full, detailed steps required to:

  • Properly install and configure the GeoIP database (e.g., GeoLite2-City.mmdb)

  • Configure Wazuh manager to enable GeoIP lookup and include GeoIP data in alerts

  • Verify that GeoIP data is correctly added to alerts

  • Configure or access the map visualization in the Wazuh/OpenSearch Dashboard

  • Any additional tips or common pitfalls to avoid during this setup

Thanks in advance for your help!

Chukwudalu Chisimdi Okonkwo

Sep 25, 2025, 9:21:44 AM
to Wazuh | Mailing List
Hello Jaswantha,

By default, the Wazuh Manager already makes use of the GeoIP process to correlate the alerts triggered by the Wazuh Manager. This database can be found in the directory /usr/share/wazuh-indexer/modules/ingest-geoip/ in mmdb format.

However, there is a need to update the existing MaxMind GeoCountry, ASN and City databases to reflect an accurate representation of the country and city, and it takes about 80 MB to download the database updates, as shown below:

- GeoLite2-City.mmdb ≃ 60.5 MB
- GeoLite2-ASN.mmdb ≃ 10.2 MB
- GeoLite2-Country.mmdb ≃ 9.4 MB

Total ≈ 80 MB

Below are the steps to achieve this.

1. Copy the update script update_maxmind.sh (attached within) to your Wazuh Indexer in your preferred directory, e.g. /usr/bin/update_maxmind.sh
2. Update the script with your own MaxMind account ID and license key. If you do not have one, then create an account here.

Obtain the account ID and license key and update them in the script; the section looks like this:

# Configuration
###############
ACCOUNT_ID="..."   # Your MaxMind Account ID
LICENSE_KEY="..."  # Your MaxMind License Key

3. Make the script executable: chmod +x /usr/bin/update_maxmind.sh
4. Execute it: bash /usr/bin/update_maxmind.sh

This will update the GeoCountry and City databases that Wazuh uses in correlation.

5. You can make this script execute periodically, say every day at 3 AM:

crontab -e
# Add the following line to run the update at 3:00 AM daily

0 3 * * * /usr/bin/update_maxmind.sh >> /var/log/update_maxmind.log 2>&1

Now, because this runs by default, the geoip processor will enrich the alerts to be indexed for querying on the Wazuh Dashboard.

Attachment: update_maxmind (1).sh
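
The attached script is not reproduced in the thread, so the following is an added example of what an update script for this procedure can look like; it is not the script attached above and not Wazuh's or MaxMind's own code. It fetches the three GeoLite2 editions listed above and installs them into the ingest-geoip directory named in the reply. Assumptions not taken from the thread: the MaxMind permalink download URL (https://download.maxmind.com/geoip/databases/EDITION/download?suffix=tar.gz, fetched with HTTP basic auth using the account ID and license key; check this against MaxMind's current documentation), a root-only credentials file /etc/maxmind/credentials instead of hardcoding the key in a world-readable script under /usr/bin, the wazuh-indexer service user as file owner, and the presence of curl, tar and sha256sum.

```shell
#!/bin/sh
# update_maxmind.sh (added example): refresh the GeoLite2 City/ASN/Country
# databases used by the wazuh-indexer ingest-geoip module.
set -eu
umask 027

# Assumed locations (not from the thread). The credentials file is sourced and
# must define ACCOUNT_ID and LICENSE_KEY; keep it root:root mode 0600 so the
# license key is not readable by every local user.
CREDENTIALS_FILE="${MAXMIND_CREDENTIALS:-/etc/maxmind/credentials}"
GEOIP_DIR="${GEOIP_DIR:-/usr/share/wazuh-indexer/modules/ingest-geoip}"
GEOIP_OWNER="${GEOIP_OWNER:-wazuh-indexer}"   # assumed indexer service user
EDITIONS="GeoLite2-City GeoLite2-ASN GeoLite2-Country"

# MaxMind permalink for an edition and suffix (tar.gz or tar.gz.sha256).
# Assumed URL format; verify against MaxMind's documentation.
download_url() {
    printf 'https://download.maxmind.com/geoip/databases/%s/download?suffix=%s' "$1" "$2"
}

# Compare the sha256 of FILE with the digest in SHAFILE ("<hex>  <name>").
# Upstream names the archive with a date (GeoLite2-City_YYYYMMDD.tar.gz), so
# only the hash is compared, not the filename.
verify_sha256() {
    file=$1
    shafile=$2
    expected=$(cut -d' ' -f1 < "$shafile")
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Download one edition plus its checksum into WORKDIR, verify it, unpack it and
# print the path of the extracted .mmdb file.
fetch_edition() {
    edition=$1
    workdir=$2
    tgz="$workdir/$edition.tar.gz"
    curl --fail --silent --show-error --location \
         --user "$ACCOUNT_ID:$LICENSE_KEY" \
         --output "$tgz" "$(download_url "$edition" tar.gz)"
    curl --fail --silent --show-error --location \
         --user "$ACCOUNT_ID:$LICENSE_KEY" \
         --output "$tgz.sha256" "$(download_url "$edition" tar.gz.sha256)"
    verify_sha256 "$tgz" "$tgz.sha256" || {
        echo "checksum mismatch for $edition, refusing to install" >&2
        return 1
    }
    mkdir -p "$workdir/$edition"
    tar -xzf "$tgz" -C "$workdir/$edition"
    find "$workdir/$edition" -name "$edition.mmdb" | head -n 1
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # shellcheck disable=SC1090
    . "$CREDENTIALS_FILE"
    : "${ACCOUNT_ID:?missing in $CREDENTIALS_FILE}" "${LICENSE_KEY:?missing in $CREDENTIALS_FILE}"
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    for edition in $EDITIONS; do
        mmdb=$(fetch_edition "$edition" "$workdir")
        [ -n "$mmdb" ] && [ -s "$mmdb" ] || { echo "no $edition.mmdb in archive" >&2; exit 1; }
        # Install to a temporary name and rename, so the indexer never reads a
        # half-written database.
        install -m 0644 -o "$GEOIP_OWNER" -g "$GEOIP_OWNER" "$mmdb" "$GEOIP_DIR/$edition.mmdb.tmp"
        mv -f "$GEOIP_DIR/$edition.mmdb.tmp" "$GEOIP_DIR/$edition.mmdb"
        echo "updated $GEOIP_DIR/$edition.mmdb"
    done
}

# Run only when invoked as the script itself, not when sourced for its functions.
case "${0##*/}" in
    update_maxmind.sh) main "$@" ;;
esac
```

Install it as /usr/bin/update_maxmind.sh (root:root, 0755) and schedule it with the cron line from the reply above; a restart of wazuh-indexer after the swap so the module picks up the new files is an assumption to verify on your version. The checksum step matters because the script runs as root on the indexer node and the .mmdb files are parsed by the indexer process: a tampered or truncated download is rejected before anything is copied into GEOIP_DIR.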

Jaswantha Ragesh

Sep 26, 2025, 7:40:58 AM
to Wazuh | Mailing List

Hello Chukwudalu,

Thank you for the detailed steps. I will try this on our Wazuh Indexer and follow up once it’s done.

Thanks again for your guidance!
