GEOIP Help

M Jones

unread,

Apr 28, 2026, 11:09:11 AM (5 days ago) Apr 28

to Wazuh | Mailing List

Hi,

We have some weird issues where GEOIP can be wrong and mainly happens for O365 logs. As an example if i take the IP- 136.228.244.229 then the dashboard will report the country_name is USA but actually its UK.

I have then manually queried the /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-Country.mmdb

and returns with

"country":
{
"geoname_id":
2635167 <uint32>
"iso_code":
"GB" <utf8_string>
"names":
{
"de":
"UK" <utf8_string>
"en":
"United Kingdom" <utf8_string>
"es":
"Reino Unido" <utf8_string>
"fr":
"Royaume-Uni" <utf8_string>
"ja":
"英国" <utf8_string>
"pt-BR":
"Reino Unido" <utf8_string>
"ru":
"Британия" <utf8_string>
"zh-CN":
"英国" <utf8_string>
}
}
"registered_country":
{
"geoname_id":
6252001 <uint32>
"iso_code":
"US" <utf8_string>
"names":
{
"de":
"USA" <utf8_string>
"en":
"United States" <utf8_string>
"es":
"Estados Unidos" <utf8_string>
"fr":
"États Unis" <utf8_string>
"ja":
"アメリカ" <utf8_string>
"pt-BR":
"EUA" <utf8_string>
"ru":
"США" <utf8_string>
"zh-CN":
"美国" <utf8_string>
}
}

Its getting it semi-correct but its taking the registered Country info not country info. Is there anyway this can be changed or updated?

Jorest Brice Tankoua Njassep

unread,

Apr 28, 2026, 5:10:05 PM (5 days ago) Apr 28

to Wazuh | Mailing List

Hi Jones,

Kindly navigate to Indexer management > Dev Tools ,

Run the query: GET _ingest/pipeline

and share its output

M Jones

unread,

Apr 29, 2026, 3:07:47 AM (4 days ago) Apr 29

to Wazuh | Mailing List

Hi Jorest,

Please see below -

{
"filebeat-7.10.2-wazuh-alerts-pipeline": {
"description": "Wazuh alerts pipeline",
"processors": [
{
"json": {
"field": "message",
"add_to_root": true
}
},
{
"set": {
"override": false,
"ignore_failure": true,
"ignore_empty_value": true,
"field": "data.aws.region",
"value": "{{data.aws.awsRegion}}"
}
},
{
"set": {
"override": false,
"ignore_failure": true,
"ignore_empty_value": true,
"field": "data.aws.accountId",
"value": "{{data.aws.aws_account_id}}"
}
},
{
"geoip": {
"field": "data.srcip",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"ignore_missing": true,
"ignore_failure": true,
"field": "data.win.eventdata.ipAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
]
}
},
{
"geoip": {
"field": "data.aws.sourceIPAddress",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true,
"field": "data.aws.client_ip"
}
},
{
"geoip": {
"ignore_missing": true,
"ignore_failure": true,
"field": "data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
]
}
},
{
"geoip": {
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true,
"field": "data.aws.httpRequest.clientIp"
}
},
{
"geoip": {
"field": "data.gcp.jsonPayload.sourceIP",
"target_field": "GeoLocation",
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true
}
},
{
"geoip": {
"properties": [
"city_name",
"country_name",
"region_name",
"location"
],
"ignore_missing": true,
"ignore_failure": true,
"field": "data.office365.ClientIP",
"target_field": "GeoLocation"
}
},
{
"date": {
"field": "timestamp",
"target_field": "@timestamp",
"formats": [
"ISO8601"
],
"ignore_failure": false
}
},
{
"date_index_name": {
"ignore_failure": false,
"field": "timestamp",
"date_rounding": "d",
"index_name_prefix": "{{fields.index_prefix}}",
"index_name_format": "yyyy.MM.dd"
}
},
{
"remove": {
"field": "message",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "ecs",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_failure": true,
"field": "beat",
"ignore_missing": true
}
},
{
"remove": {
"field": "input_type",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_failure": true,
"field": "tags",
"ignore_missing": true
}
},
{
"remove": {
"ignore_missing": true,
"ignore_failure": true,
"field": "count"
}
},
{
"remove": {
"ignore_missing": true,
"ignore_failure": true,
"field": "@version"
}
},
{
"remove": {
"ignore_missing": true,
"ignore_failure": true,
"field": "log"
}
},
{
"remove": {
"field": "offset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_missing": true,
"ignore_failure": true,
"field": "type"
}
},
{
"remove": {
"field": "host",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fields",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "event",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"field": "fileset",
"ignore_missing": true,
"ignore_failure": true
}
},
{
"remove": {
"ignore_failure": true,
"field": "service",
"ignore_missing": true
}
}
],
"on_failure": [
{
"drop": {}
}
]
}
}

Jorest Brice Tankoua Njassep

unread,

Apr 29, 2026, 11:03:06 AM (4 days ago) Apr 29

to Wazuh | Mailing List

Hi Jones,

Im testing a workaround and i will let you know once im done.
But basically i think switching to the GeoLite2 City Database instead will solve the issue.

Reply all

Reply to author

Forward