Where should I update MaxMind database?


Sylmarch

Jun 10, 2022, 8:42:14 AM
to Wazuh mailing list

Hello,

Mapping between IP and geolocation data is mutable.

If I'm right, Filebeat and Wazuh indexer use MaxMind GeoLite2 databases.

I tested an IP with different services and got different countries:
- www.abuseipdb.com : USA
- www.iplocation.net : USA
- ipinfo.io : USA
- infobyip.com : United Kingdom
- with a freshly downloaded MaxMind GeoLite2 Country database : United Kingdom
- with Wazuh : Netherlands...

I'm using Wazuh v4.3.3 with Wazuh indexer and Filebeat v7.10.2.


I did not find any *.mmdb file on my Wazuh server, but I found them on each Wazuh indexer:
  • /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-Country.mmdb
  • /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-City.mmdb
  • /usr/share/wazuh-indexer/modules/ingest-geoip/GeoLite2-ASN.mmdb

I have multiple questions:
  1. Where is the mapping between IP and geolocation data determined? On the Filebeat side or on the indexer side? (The geoip processor is defined in pipelines that are defined in the Wazuh Filebeat module.)
  2. If the geoip database is on the Filebeat side, how can I update it?
  3. If the geoip database is only on the Wazuh indexer side, should I restart the Wazuh indexer after updating those 3 *.mmdb files?
  4. Does Wazuh provide a GeoIP update mechanism, or do I have to implement my own?
Note: to update MaxMind database, you should have an account and accept their licence.

Thanks!

Juan Carlos

Jun 12, 2022, 11:44:13 AM
to Wazuh mailing list
Hello Sylmarch,

You're very much on the right track. So to answer your questions:

Geolocation data is done on the indexer. Filebeat sets up the pipelines to be used by the events indexed, but the pipeline is in the Wazuh indexer.

Yes, updating those files on the Wazuh indexer will update the database used.

Wazuh indexer is based on the OpenSearch project; with each new release we will also update the upstream code, which may include updates to files such as the MaxMind database. Since we customize the indexer, if the DB is notably out of date in future releases, we can look into including an update mechanism as part of our packaging.

Let us know if you have any more questions.
Best Regards,
Juan C. Tello
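As an added example (not code from this thread and not part of the Wazuh project), here is a Python helper for the procedure Juan Carlos's answer implies an admin currently does by hand: validate freshly downloaded GeoLite2 files, swap them into the indexer's module directory without leaving a half-written file, and then ask the running node, through the ingest simulate API, which country it now resolves for an IP. Assumptions: the directory is the one Sylmarch found on the indexer nodes; the Wazuh indexer answers OpenSearch's `POST /_ingest/pipeline/_simulate` with HTTP basic auth; the download from MaxMind (which needs the account and licence key Sylmarch mentions) has already been done into a staging directory; the sample files and the sample response in `run_offline_demo` are constructed, not real MaxMind data.

```python
import json
import os
import shutil
import ssl
import tempfile
import urllib.request
from base64 import b64encode

# Every MaxMind DB (.mmdb) file carries this marker in front of its metadata
# section near the end of the file. Checking for it rejects a truncated download
# or an HTML error page before it is swapped into the indexer's module directory.
MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"

# Location reported in the thread for the Wazuh indexer's bundled databases.
INDEXER_GEOIP_DIR = "/usr/share/wazuh-indexer/modules/ingest-geoip"
EDITIONS = ("GeoLite2-Country", "GeoLite2-City", "GeoLite2-ASN")


def looks_like_mmdb(path, tail_bytes=128 * 1024):
    """True if the last tail_bytes of the file contain the MMDB metadata marker."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - tail_bytes))
        return MMDB_METADATA_MARKER in fh.read()


def install_databases(staging_dir, target_dir=INDEXER_GEOIP_DIR, editions=EDITIONS):
    """Validate every staged <edition>.mmdb, then atomically replace the copies in
    target_dir. Raises ValueError before touching target_dir if any file is bad."""
    staged = {}
    for edition in editions:
        src = os.path.join(staging_dir, edition + ".mmdb")
        if not os.path.isfile(src) or not looks_like_mmdb(src):
            raise ValueError(f"{src} is missing or is not a MaxMind DB file")
        staged[edition] = src
    installed = []
    for edition, src in staged.items():
        dst = os.path.join(target_dir, edition + ".mmdb")
        tmp = dst + ".tmp"
        shutil.copyfile(src, tmp)   # write next to the target ...
        os.replace(tmp, dst)        # ... then rename, so no reader sees a half-written file
        installed.append(edition)
    return installed


def build_simulate_request(ip):
    """Body for POST /_ingest/pipeline/_simulate running only a geoip processor on one IP."""
    return {
        "pipeline": {"processors": [{"geoip": {"field": "ip", "target_field": "geoip"}}]},
        "docs": [{"_source": {"ip": ip}}],
    }


def country_from_simulate(response):
    """Country ISO code the indexer's ingest-geoip database resolved, or None if no match."""
    source = response["docs"][0]["doc"]["_source"]
    return (source.get("geoip") or {}).get("country_iso_code")


def check_indexer_geoip(ip, indexer_url, user, password, cafile=None):
    """Ask a live indexer node which country it maps ip to (network call; not used by the demo)."""
    body = json.dumps(build_simulate_request(ip)).encode()
    req = urllib.request.Request(indexer_url.rstrip("/") + "/_ingest/pipeline/_simulate",
                                 data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    ctx = ssl.create_default_context(cafile=cafile)   # verify the indexer's certificate
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return country_from_simulate(json.load(resp))


def run_offline_demo():
    """Exercise install_databases on constructed files in temp dirs (no real MaxMind data)."""
    with tempfile.TemporaryDirectory() as staging, tempfile.TemporaryDirectory() as target:
        for edition in EDITIONS:   # constructed stand-ins: padding plus the real marker
            with open(os.path.join(staging, edition + ".mmdb"), "wb") as fh:
                fh.write(b"\x00" * 4096 + MMDB_METADATA_MARKER + b"\xe0")
        installed = install_databases(staging, target)
        # Corrupt one staged file (what a failed download often leaves behind) and
        # confirm the swap is refused and the previously installed files are untouched.
        with open(os.path.join(staging, "GeoLite2-City.mmdb"), "wb") as fh:
            fh.write(b"<html>Unauthorized</html>")
        try:
            install_databases(staging, target)
            rejected = False
        except ValueError:
            rejected = True
        still_valid = all(looks_like_mmdb(os.path.join(target, e + ".mmdb")) for e in EDITIONS)
    # Constructed simulate response in the shape the ingest API returns.
    sample = {"docs": [{"doc": {"_source": {
        "ip": "203.0.113.7",
        "geoip": {"country_iso_code": "GB", "country_name": "United Kingdom"}}}}]}
    return installed, rejected, still_valid, country_from_simulate(sample)


if __name__ == "__main__":
    print(run_offline_demo())
```

Run `install_databases` on every indexer node, since each node carries its own copy of the three files, and follow it with `check_indexer_geoip` for the IP that produced the conflicting answers: if the simulate call still returns the old country after the swap, that node is not reading the new file yet, which is the question Sylmarch's point 3 raises.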

Sylmarch

Jun 13, 2022, 5:21:31 AM
to Wazuh mailing list
Hello Juan Carlos,

I think it could be a great idea to integrate the MaxMind databases update in the Wazuh indexer update process.

Note that the GeoLite City/Country/ASN databases are updated "Every Tuesday and Friday." So it might be better if the Wazuh indexers could automatically update the mmdb files. Wazuh indexer nodes have to coordinate themselves if we don't want to interrupt the indexation flow. Maybe the admin has to register with MaxMind to get a licence key to be able to update the GeoLite2 databases; this licence key shall be set by the admin in the Wazuh indexer configuration.

Have a nice day.