Update GeoIP map database


Johnny

Aug 1, 2024, 11:56:10 PM
to Wazuh | Mailing List
Hello,
I would like to update the GeoIP map database.
I am on version 4.7.3 with a multi-node Docker installation with OpenSearch.
Thank you for your help.

Himanshu Sharma

Aug 2, 2024, 3:56:17 AM
to Wazuh | Mailing List
Hi Team,

This Elasticsearch / OpenSearch processor works based on a static database; therefore, Wazuh can only detect the GeoLocation information available in that database.
You can follow the steps below to update the geolocation database manually.
  1. Create a free account with MaxMind using the following documentation: Create an Account, or use the following link: GeoLite2 Sign Up | MaxMind.
  2. Download and install the GeoIP Update using the following links:
    Releases · maxmind/geoipupdate
    GitHub - maxmind/geoipupdate: GeoIP update client code
  3. It will create the geoipupdate file.
  4. Then you need to update the GeoIP.conf file, or you can download it from the account portal. Updating GeoIP and GeoLite Databases
  5. After that, you can run the geoipupdate file using the geoipupdate -v command to download the updated database. It will download the files to the /usr/share/GeoIP location.
  6. Now you can replace the files in the /usr/share/wazuh-indexer/modules/ingest-geoip folder and update the user from root to wazuh-indexer using the following commands.
    cp -r /usr/share/GeoIP/* /usr/share/wazuh-indexer/modules/ingest-geoip
    chown -R wazuh-indexer:wazuh-indexer /usr/share/wazuh-indexer/modules/ingest-geoip/Geo*
  7. Now you need to restart your Wazuh components to apply the changes.
You can set up a cron job to update this database automatically at the /usr/share/GeoIP location at a given time. Updating GeoIP and GeoLite Databases
Note: You can also directly download the database from the account and replace the files at wazuh-indexer to update the database. You can follow the Updating GeoIP and GeoLite Databases document for that.

Hope this information helps you. Please feel free to reach out to us for any information/issues.
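
Added example (not part of the original reply and not Wazuh's own tooling): a script a cron job could run after geoipupdate to carry out step 6 only when a database actually changed, so the indexer is restarted only when needed. The function name sync_geoip_dbs, the --apply switch and the variable names are assumptions; the paths and the wazuh-indexer owner are the ones given in the reply above.

```shell
#!/bin/sh
# Added example: stage refreshed .mmdb files into the indexer's ingest-geoip
# folder. Paths come from the reply above; every name here is hypothetical.
SRC_DIR="${SRC_DIR:-/usr/share/GeoIP}"
DST_DIR="${DST_DIR:-/usr/share/wazuh-indexer/modules/ingest-geoip}"
OWNER="${OWNER:-wazuh-indexer:wazuh-indexer}"

# sync_geoip_dbs SRC DST OWNER
# Returns 0 if at least one database was replaced, 1 if nothing changed,
# 2 on error. An empty OWNER skips the chown (useful when not root).
sync_geoip_dbs() {
  local src="$1" dst="$2" owner="$3" changed=1 f name tmp
  [ -d "$src" ] && [ -d "$dst" ] || { echo "missing directory" >&2; return 2; }
  for f in "$src"/*.mmdb; do
    [ -e "$f" ] || continue                 # glob matched nothing
    name=$(basename "$f")
    # A zero-byte file means a failed download: never install it.
    [ -s "$f" ] || { echo "skipping empty $name" >&2; continue; }
    # Byte-identical to what is installed: nothing to do.
    if [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name"; then
      continue
    fi
    # Copy to a temp name in the same folder, fix ownership, then rename,
    # so the indexer never sees a half-written or root-owned database.
    tmp="$dst/.$name.tmp.$$"
    cp "$f" "$tmp" || { rm -f "$tmp"; return 2; }
    if [ -n "$owner" ]; then
      chown "$owner" "$tmp" || { rm -f "$tmp"; return 2; }
    fi
    mv -f "$tmp" "$dst/$name" || { rm -f "$tmp"; return 2; }
    echo "updated $name"
    changed=0
  done
  return "$changed"
}

# Only touch the real paths when asked to (hypothetical --apply switch).
if [ "${1:-}" = "--apply" ]; then
  rc=0
  sync_geoip_dbs "$SRC_DIR" "$DST_DIR" "$OWNER" || rc=$?
  case "$rc" in
    0) echo "databases changed: restart the Wazuh components (step 7)" ;;
    1) echo "databases unchanged: no restart needed" ;;
    *) echo "sync failed" >&2; exit 1 ;;
  esac
fi
```

In a Docker deployment the destination folder is inside the indexer container, so DST_DIR would need to point at wherever that folder is mounted on the host; that mapping is not given in this thread.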

Danish Ibrar

Dec 10, 2024, 2:50:36 AM
to Wazuh | Mailing List
Is it possible to change the GeoIP source other than Maxmind?