Deployment Architecture

MaxMind Database Update does not affect searches results

lenorxav
Explorer

Hello,

I'm having an issue with maxming GeoLite database update.

Even I'm updating the database on Splunk the Country found for some IPs still be incorrect when using iplocation command.

What I did on Splunk:
Checked IPs showing Country mismatch are updated in the new version of the DB
Update GeoLite database on all search heads, indexers and deployment server
Restarted all Splunk infrastructure

Splunk version : Entreprise 6.3.2

Can you please help me figure why Splunk seems still using old database datas even it doesn't exists anymore?

Thanks in advance for your help.

0 Karma

Aatom
Explorer

@lenorxav 

Did you find a resolution to this issue? I am having a similar problem where I updated the mmdb but it is not reflecting on the SH. Thanks!

0 Karma

lenorxav
Explorer

Hi Aatom,

Yes, I finally figured out MaxMind changed their method regarding DB accesses.

In order to get the database up to date, you now need to have an account on maxmind.

Here's the page describing the new policies:

https://dev.maxmind.com/geoip/geoip2/geolite2/

Once you have signed up, you need to generate a license key as described in this page: https://dev.maxmind.com/geoip/geoip-direct-downloads/

 

As I'm on an outdated version of splunk, I chose to not integrate it through a splunk custom command even it would be more convenient to raise an alert in case of download failure.

Personaly, I use the following script scheduled on my deployment server crontab in order to refresh datas:

 #!/bin/bash

 cd /opt/splunk/share
 cp GeoLite2-City.mmdb GeoLite2-City.mmdb.old
 wget -O GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYLICENSEKEY&suffix=tar.gz" || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
 tar --strip-components=1  -zxf GeoLite2-City.tar.gz
 chmod 644 GeoLite2-City.mmdb

Since I've updated the script to use License Key (just replace "MYLICENSEKEY" by your own in the script) everything is working smoothly again and my customer is happier to have threat source locations on their dashboards 😉

 

I hope this answer is hepling you to get correct the issue you are facing as it seems pretty similar to the one I faced.

Best regards.

Xavier.

lenorxav
Explorer

Hi Starcher,

I've replaced the DB, there's no specific modification on the conf to point to another location.

I'm using the default $SPLUNK_HOME/share/ location for DB.

What I'm doing in update process:
- Rename previous version of the database to GeoLite2-City.mmdb.old
- Download new version and change the file rights to 644

Since it didn't work as usual, I performed a rolling-restart of search head cluster and a restrt of indexers.

So far, it still be inconclusive, the old datas are persistent.

Thanks a lot for your help.

0 Karma

starcher
Influencer

Update on all search heads AND indexers involved which you mentioned.
So did you replace the DB or put it in another location and use conf to point at it?
http://www.georgestarcher.com/splunk-updating-the-geoip-database/

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...