How-to Update the geoIP Databases on RSA NetWitness decoders
Issue
RSA provides geoIP databases on all packet and log decoders. The geoIP data is used to enrich meta during the parsing phase for logs and packets. RSA does not provide regular updates to the geoIP databases; customers can, however, obtain updated data from MaxMind (www.maxmind.com). A paid MaxMind account is required to obtain geoIP updates. The MaxMind format supported by RSA is DAT, which MaxMind refers to as Legacy.
Tasks
First, download the updated dat files from MaxMind:
GEO-106: GeoIP Legacy Country - Binary GZIP
GEO-111: GeoIP Legacy Organization - Binary GZIP
GEO-133: GeoIP Legacy City with DMA/Area Codes - Binary GZIP
GEO-173: GeoIP Legacy Domain Name - Binary GZIP
Use a utility such as WinSCP to copy the following dat files to the decoder:
GeoCity.dat
GeoCountry.dat
GeoDomain.dat
GeoInfo.txt
GeoOrg.dat
Once the new dat files have been copied, the decoder service must be restarted so that the new data is loaded.
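The steps above (decompress the downloads, put the dat files in place, restart the decoder service) as an added shell script that is not RSA's own; it assumes the GZIP downloads have already been copied to a staging directory on the decoder, and GEOIP_DIR and DECODER_SERVICE are placeholders for the decoder's geoIP directory and service name, which this article does not state. It also backs up the live files before replacing them, a step the article does not describe.

```shell
#!/bin/sh
# Added example, not RSA's script: run on the decoder after WinSCP has placed the
# MaxMind Legacy *.dat.gz downloads in a staging directory. Decompresses them,
# verifies the full set is present and non-empty, backs up the live files,
# installs the new ones and restarts the service. GEOIP_DIR and
# DECODER_SERVICE are placeholders: set them for your deployment.
set -eu
GEOIP_DIR="${GEOIP_DIR:-/PLACEHOLDER/geoip/dir}"
DECODER_SERVICE="${DECODER_SERVICE:-PLACEHOLDER_decoder_service}"
REQUIRED_DATS="GeoCity.dat GeoCountry.dat GeoDomain.dat GeoOrg.dat"

# Decompress every *.gz in $1 into $2 (GeoCity.dat.gz -> GeoCity.dat; rename the
# downloads first if MaxMind's names differ) and copy GeoInfo.txt if present.
# Returns 1 when any required .dat is missing or empty.
stage_geoip_dats() {
    src=$1; stage=$2
    mkdir -p "$stage"
    for gz in "$src"/*.gz; do
        [ -e "$gz" ] || break            # no downloads: glob left unexpanded
        gzip -dc "$gz" > "$stage/$(basename "$gz" .gz)"
    done
    if [ -e "$src/GeoInfo.txt" ]; then cp "$src/GeoInfo.txt" "$stage/"; fi
    for dat in $REQUIRED_DATS; do
        if [ ! -s "$stage/$dat" ]; then
            echo "geoIP update aborted: $dat missing or empty" >&2
            return 1
        fi
    done
}

# Move the live files in $2 into a timestamped backup directory, then copy the
# staged set from $1 into place. Prints the backup path for rollback.
install_geoip_dats() {
    stage=$1; dest=$2
    backup="$dest/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for f in $REQUIRED_DATS GeoInfo.txt; do
        if [ -e "$dest/$f" ]; then mv "$dest/$f" "$backup/"; fi
        if [ -e "$stage/$f" ]; then cp "$stage/$f" "$dest/"; fi
    done
    echo "$backup"
}

# Full update: stage, verify, install, then restart so the decoder loads the
# new data. Nothing in GEOIP_DIR is touched unless verification passes.
update_geoip_on_decoder() {
    stage_geoip_dats "$1" "$2"
    install_geoip_dats "$2" "$GEOIP_DIR"   # prints the backup path for rollback
    service "$DECODER_SERVICE" restart
}
```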
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
Product Name: Security Analytics Log Decoder and Packet Decoder
Summary
This guide provides information about updating the geoIP databases on NetWitness packet and log decoders.