Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spontaneous "Health Check" error messages reported on ES Search Head regardng "maxmind_geoip_asn_ipv6" failed download?

woodcock
Esteemed Legend
‎04-27-2019 07:03 PM

We are getting the following errors on our Enterprise Security Search Head and are wondering why and how to fix them:

Health Check: Intelligence download of "maxmind_geoip_asn_ipv6" has failed on host "ES_Search_Head_Host" at: Sat Apr 27 20:45:45 2019 "threat list download failed after multiple retries"  Learn more.
4/27/2019, 9:00:31 PM
Health Check: Intelligence download of "maxmind_geoip_asn_ipv4" has failed on host "ES_Search_Head_Host" at: Sat Apr 27 20:45:45 2019 "threat list download failed after multiple retries"  Learn more.
4/27/2019, 9:00:31 PM

If I have to, I will dig into it and figure it out and followup here, but I am hoping that somebody has already figured it out.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎07-30-2019 07:32 PM

Just installed ES 5.3.0 and the old URL is still used, but it is disabled. Here is the new URL https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip to download the file.

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎07-30-2019 07:32 PM

Just installed ES 5.3.0 and the old URL is still used, but it is disabled. Here is the new URL https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip to download the file.

cheers, MuS

Reply
Solved! Jump to solution

alexeyglukhov
Path Finder
‎11-05-2020 03:32 PM

Just wanted to provide an update in case someone faced the issue.

Latest URL looks like this:

https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-ASN-CSV&license_key=YOUR_LICENSE_KEY_HERE&suffix=zip

License key you can generate in your profile when you register on maxmind website.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎08-28-2019 06:09 PM

The download works fine using http or https, to me it looks the post processing of the files fails in ES. For now I just use a work around and download the file by cronjob, put the csv into the lookup folder and use the lookup:// URL in ES.

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

spectrum2035
Explorer
‎08-28-2019 01:03 AM

@MuS - whether it is downloading with the new link? I am still getting the same error

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-28-2019 03:13 PM

Go to Enterprise Security -> Configure -> Data Enrichment -> Intelligence Downloads and search for maxmind. You will see 2 entries and these have the following URLs:

https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip
https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2v6.zip

As expected, these URLs are no longer valid. I found this link with more details:
https://support.maxmind.com/geolite-legacy-discontinuation-notice/

I am on ES v5.1.0 which is not the latest and I assume that the later versions have already accommodated this discontinuation. For now, until I upgrade, I have just disabled these 2 feeds, since we are not using them anyway.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-28-2019 06:21 PM

@ppablo_splunk You should unaccept my answer and accept the one from @MuS.

Reply
Solved! Jump to solution

ppablo
Retired
‎08-29-2019 06:46 AM

Thanks @woodcock !

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top