Requesting updates to the Geo IP data found within RSA NetWitness Logs & Network
Issue
When performing Investigations, running charts, reports or alerts based on the geo-location of a specific IP address, a specific IP address or range of IP addresses is not mapping to the correct world geographic location.
Resolution
Follow the steps below to resolve the issue.
- Verify the accuracy of the IP information on the MaxMind website here: https://www.maxmind.com/en/geoip-demo
- If the IP information is not accurate, then raise a request with MaxMind Support to make a correction.
- If you have a MaxMind subscription, then download or get the latest updates from MaxMind. Otherwise, if you do not have a subscription, then you will have to wait for the next RSA NetWitness Logs & Network release, which will include the latest MaxMind database updates.
- If you are not updating RSA NetWitness but would like to update the GeoIP files, get the rsa-nw-decodercontent-11.2.x.x-.rpm package from the latest RSA NetWitness Logs & Network update package. Use a utility such as WinSCP to copy the RPM package to a temporary working directory on your Decoder host.
- Extract the files from the RPM as follows:
- cd to the temp working directory where you copied the RPM
- Run the extraction command to create the directories and extract the files into your working directory; the result will be similar to the list of files below:
- ./etc/netwitness
- ./etc/netwitness/ng
- ./etc/netwitness/ng/GeoCity.dat
- ./etc/netwitness/ng/GeoCountry.dat
- ./etc/netwitness/ng/GeoDomain.dat
- ./etc/netwitness/ng/GeoInfo.txt
- ./etc/netwitness/ng/GeoOrg.dat
- ./etc/netwitness/ng/feeds
- ./etc/netwitness/ng/feeds/feed-definitions.xsd
- ./etc/netwitness/ng/geoip2
- ./etc/netwitness/ng/geoip2/GeoIP2-City.mmdb
- ./etc/netwitness/ng/geoip2/GeoIP2-Domain.mmdb
- ./etc/netwitness/ng/geoip2/GeoIP2-ISP.mmdb
- ./etc/netwitness/ng/parsers
- ./etc/netwitness/ng/parsers/parsers.xsd
- ./etc/netwitness/ng/parsers/types.xsd
- Connect to the Decoder appliance via SSH.
- Stop the nwdecoder service.
# stop nwdecoder
# systemctl stop nwdecoder (for v11.x)
- Make a backup of the following files:
- /etc/netwitness/ng/GeoCity.dat
- /etc/netwitness/ng/GeoCountry.dat
- /etc/netwitness/ng/GeoDomain.dat
- /etc/netwitness/ng/GeoInfo.txt
- /etc/netwitness/ng/GeoOrg.dat
- If your Decoder is currently running RSA NetWitness version 11.2 and is using the GeoIP2 parser, backup the below files:
- /etc/netwitness/ng/geoip2/GeoIP2-City.mmdb
- /etc/netwitness/ng/geoip2/GeoIP2-Domain.mmdb
- /etc/netwitness/ng/geoip2/GeoIP2-ISP.mmdb
- Replace the files backed up in the two previous steps (the /etc/netwitness/ng/Geo* files or the /etc/netwitness/ng/geoip2/Geo* files) with the corresponding files from MaxMind or the newly extracted data files, making sure the file names match exactly.
- Start the nwdecoder service again.
# start nwdecoder
# systemctl start nwdecoder (for v11.x)
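The procedure above as a single script, added here as an illustration rather than taken from the RSA article or product. It assumes the RPM payload is unpacked with rpm2cpio piped into cpio (the article names no extraction command), that the service is controlled with systemctl (11.x), that the package signature is checked with rpm -K before anything is installed, and that NW_ROOT can be pointed at a scratch directory for a dry run instead of the live /etc/netwitness/ng. The backup location under /var/tmp and the temporary work directory are also assumptions.

```shell
#!/bin/sh
# Added example (not RSA's code): refresh a Decoder's GeoIP files from an
# extracted rsa-nw-decodercontent RPM, backing up the current files first.
# Assumptions: rpm2cpio | cpio for extraction, systemctl for the service,
# rpm -K for the package signature check, NW_ROOT overridable for dry runs.

NW_ROOT="${NW_ROOT:-/etc/netwitness/ng}"

# Exact file set the article tells you to back up and replace.
GEO_LEGACY="GeoCity.dat GeoCountry.dat GeoDomain.dat GeoInfo.txt GeoOrg.dat"
GEO_V2="geoip2/GeoIP2-City.mmdb geoip2/GeoIP2-Domain.mmdb geoip2/GeoIP2-ISP.mmdb"

# Extract the RPM payload into WORKDIR. Refuse a package whose signature or
# digests do not verify, so a tampered content package never reaches the host.
extract_rpm() {
    rpm="$1"; workdir="$2"
    rpm -K "$rpm" || { echo "signature check failed: $rpm" >&2; return 1; }
    mkdir -p "$workdir"
    ( cd "$workdir" && rpm2cpio "$rpm" | cpio -idm )
}

# Copy every listed Geo* file that exists under $1 into $2, preserving the
# layout (geoip2/ subdirectory included). Prints the number of files copied.
backup_geo_files() {
    src="$1"; dest="$2"; n=0
    for f in $GEO_LEGACY $GEO_V2; do
        [ -f "$src/$f" ] || continue
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$src/$f" "$dest/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Install files from the extracted tree ($1/etc/netwitness/ng) over $2.
# Only the names from the article's list are touched; everything else in the
# RPM (feeds/, parsers/*.xsd) is left alone. The geoip2/ files are skipped
# when the target has no geoip2/ directory (GeoIP2 parser not in use).
# Prints the number of files replaced.
install_geo_files() {
    extracted="$1/etc/netwitness/ng"; dest="$2"; n=0
    for f in $GEO_LEGACY $GEO_V2; do
        [ -f "$extracted/$f" ] || continue
        [ -d "$dest/$(dirname "$f")" ] || continue
        cp -p "$extracted/$f" "$dest/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Whole procedure for a Decoder host.
# usage: refresh_geoip /tmp/work/rsa-nw-decodercontent-<version>.rpm
refresh_geoip() {
    rpm="$1"
    work="/tmp/geoip-update.$$"                         # assumed scratch dir
    backup="/var/tmp/geoip-backup.$(date +%Y%m%d%H%M%S)" # assumed backup dir
    extract_rpm "$rpm" "$work" || return 1
    systemctl stop nwdecoder
    echo "backed up $(backup_geo_files "$NW_ROOT" "$backup") file(s) to $backup"
    echo "replaced $(install_geo_files "$work" "$NW_ROOT") file(s) under $NW_ROOT"
    systemctl start nwdecoder
}

if [ "$#" -eq 1 ]; then
    refresh_geoip "$1"
fi
```

Run the backup and install functions against a scratch NW_ROOT first (copy the live directory there) to confirm that exactly the expected file names are replaced before touching the Decoder; the counts the functions print make a mismatch in file names obvious before the service is restarted.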
Notes
RSA Customer Support does not provide updated MaxMind database files. Updated files come with each version of the RSA NetWitness Suite. However, these files are only updated to the point in time at which that version of the RSA NetWitness Suite was compiled. If more recent versions of the MaxMind database are required, then it is highly suggested that the customer go to MaxMind and subscribe.
Product Details
RSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Packet Decoder, Log Decoder
RSA Version/Condition: All versions
Summary
This article will help customers and technical support request updates to the MaxMind Geo IP data used by the RSA NetWitness Suite.