Splunk Enterprise

iplocation command usage

rayar
Contributor

We are using the iplocation command.

I see that the GeoLite2-City.mmdb file dates from 2019:

[splunk@ilissplsh01 bin]$ ll /opt/splunk/share/GeoLite2-City.mmdb
-r--r--r-- 1 splunk splunk 60695934 Dec 18 2019 /opt/splunk/share/GeoLite2-City.mmdb
[splunk@ilissplsh01 bin]$

I have downloaded the file from https://www.maxmind.com/en/accounts/532070/geoip/downloads

I also see that there is a Geolocation Lookup for Splunk app (https://splunkbase.splunk.com/app/4102/#/overview) to support iplocation.

What is the recommended way to work with the command?

Thanks.


rayar
Contributor

Thanks a lot.

We have a distributed environment and we are using a deployment server.

Can't I distribute the file using it?

96nick
Communicator

You can distribute the app with the deployer (the SH kind, not the deployment server that connects with your forwarders) if you have a search head cluster. If you only have 1 search head then you wouldn't have a deployer. 

You'll have to set up a cron on the SHs manually (or by using a system management tool if you have one to set the cron) to pull down the database, something like:

# Gets the database from MaxMind at 7am every Wednesday
0 7 * * 3 /opt/splunk/.../<your app>/bin/getdatabase.sh

MaxMind updates the database on Tuesday, so I would pull the database down on Wednesday since it's unknown exactly when on Tuesday they push an update.

Since you have indexers you'll have to replace those mmdb files as well. The same concept can be applied to the indexers (some script + cron).

96nick
Communicator

If you're talking about just updating the file, you're on the right track. Do you have a distributed environment or a single instance?

Single Instance:

You can download the 'Auto Update Maxmind Database' app on Splunkbase. It creates a Splunk command that downloads the newest DB for you after you put in your license key. Works well enough if you have a single instance.

Distributed Environment:

If you have indexers, search heads, etc. you will have to replace the mmdb file on your indexers as well. This is because iplocation is a distributable streaming command. The app I listed above won't do that, and it also doesn't easily support using a paid database from MaxMind if you choose to upgrade. In my environment I created an app that has a bash script, the database, and limits.conf. The bash script wgets the database (scheduled via cron), and limits.conf changes the location of the database to my app. You can view more information on that process here in a Splunk Blog post.

Hope that helped!
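The post above describes the pieces (a download script run from cron, the .mmdb kept inside an app, limits.conf pointing db_path at it) without showing the script. The following is an added example written for this page; it is not 96nick's script, not the Splunkbase app's code, and not from Splunk. It assumes MaxMind's permalink download endpoint (https://download.maxmind.com/app/geoip_download with edition_id, license_key and suffix parameters, which you should check against MaxMind's current documentation), a license key supplied in the MAXMIND_LICENSE_KEY environment variable, and an app local/ directory given by APP_LOCAL_DIR (a hypothetical name). Two things a cron job should not skip are included: the download is checked against MaxMind's published .sha256 before anything is unpacked, and the new file is validated and then renamed into place atomically, so a search running mid-update never opens a half-written database. The tarball used in the demo at the bottom is constructed locally so the script can be exercised offline.

```shell
#!/bin/sh
# Hypothetical getdatabase.sh for the cron job discussed in the thread (added example).
# Assumed names: APP_LOCAL_DIR (the app's local/ dir that limits.conf db_path points at),
# MAXMIND_LICENSE_KEY (env var), DL_URL (MaxMind permalink endpoint; verify against their docs).
set -eu

EDITION="GeoLite2-City"
APP_LOCAL_DIR="${APP_LOCAL_DIR:-/opt/splunk/etc/apps/AM_maxmind/local}"
DL_URL="https://download.maxmind.com/app/geoip_download"

# fetch_db <workdir>: download the tarball and MaxMind's .sha256 for it.
fetch_db() {
  wd=$1
  [ -n "${MAXMIND_LICENSE_KEY:-}" ] || { echo "MAXMIND_LICENSE_KEY not set" >&2; return 1; }
  for sfx in tar.gz tar.gz.sha256; do
    curl -fsS -o "$wd/$EDITION.$sfx" \
      "$DL_URL?edition_id=$EDITION&license_key=$MAXMIND_LICENSE_KEY&suffix=$sfx"
  done
}

# verify_sha256 <tarball> <sumfile>: sumfile is "<hex digest>  <filename>"; compare the digest.
verify_sha256() {
  expected=$(awk '{print $1}' "$2")
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# looks_like_mmdb <file>: every MMDB file ends with a metadata section introduced by the
# marker bytes 0xab 0xcd 0xef followed by "MaxMind.com", within the last 128 KiB. A truncated
# download or an HTML error page saved as .mmdb fails this check and is never installed.
looks_like_mmdb() {
  tail -c 131072 "$1" | LC_ALL=C grep -aqF "$(printf '\253\315\357')MaxMind.com"
}

# extract_and_install <tarball> <dest>: the tarball holds <EDITION>_<YYYYMMDD>/<EDITION>.mmdb.
# Unpack to scratch space, sanity-check, stage next to dest, then rename over it atomically.
extract_and_install() {
  tarball=$1 dest=$2
  tmp=$(mktemp -d)
  tar -xzf "$tarball" -C "$tmp"
  src=$(find "$tmp" -name "$EDITION.mmdb" | head -n 1)
  [ -n "$src" ] || { echo "no $EDITION.mmdb in $tarball" >&2; rm -rf "$tmp"; return 1; }
  looks_like_mmdb "$src" || { echo "$src is not an MMDB file" >&2; rm -rf "$tmp"; return 1; }
  mkdir -p "$(dirname "$dest")"
  # Staging file lives in dest's directory so the final mv is a rename, not a copy.
  cp "$src" "$dest.tmp.$$" && chmod 0644 "$dest.tmp.$$" && mv -f "$dest.tmp.$$" "$dest"
  rm -rf "$tmp"
}

# update_db: the real cron entry point; download, verify, install.
update_db() {
  wd=$(mktemp -d)
  fetch_db "$wd"
  verify_sha256 "$wd/$EDITION.tar.gz" "$wd/$EDITION.tar.gz.sha256"
  extract_and_install "$wd/$EDITION.tar.gz" "$APP_LOCAL_DIR/$EDITION.mmdb"
  rm -rf "$wd"
}

# make_fake_tarball <dir>: constructed stand-in for a MaxMind download (no real geo data),
# only so the verify/extract/install path can be exercised offline.
make_fake_tarball() {
  d=$1
  mkdir -p "$d/${EDITION}_20240102"
  { printf 'fake-search-tree-and-data'; printf '\253\315\357MaxMind.com'; printf 'metadata'; } \
    > "$d/${EDITION}_20240102/$EDITION.mmdb"
  tar -czf "$d/$EDITION.tar.gz" -C "$d" "${EDITION}_20240102"
  sha256sum "$d/$EDITION.tar.gz" | sed 's#  .*/#  #' > "$d/$EDITION.tar.gz.sha256"
}

if [ "${1:-}" = "--fetch" ]; then
  update_db
  exit 0
fi

# Offline demo with the constructed tarball.
demo=$(mktemp -d)
make_fake_tarball "$demo"
verify_sha256 "$demo/$EDITION.tar.gz" "$demo/$EDITION.tar.gz.sha256" && echo "checksum ok"
extract_and_install "$demo/$EDITION.tar.gz" "$demo/app/local/$EDITION.mmdb" \
  && echo "installed $demo/app/local/$EDITION.mmdb"
rm -rf "$demo"
```

Drop the script into the app's bin/ directory and call it with --fetch from the cron line; put the license key in a 0600 file that the cron line sources rather than in the crontab itself, since it is a credential. On a deployment-server setup like the one in this thread, point APP_LOCAL_DIR at the deployment server's copy of the app so the refreshed file is pushed to the indexers on their next check-in, and confirm on each Splunk instance which db_path actually wins with `splunk btool limits list iplocation --debug`.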

rayar
Contributor

I have installed the Auto Update MaxMind Database app on the SH (https://splunkbase.splunk.com/app/5482/#/details).

The GeoLite2-City.mmdb file will be copied to the deployment server and deployed to all indexers.

I will also create limits.conf on both the SH and the indexers with the below:

[splunk@ilisspldepl01 local]$ cat limits.conf
[iplocation]
db_path = /opt/splunk/etc/slave-apps/AM_maxmind_indexers/local/GeoLite2-City.mmdb
[splunk@ilisspldepl01 local]$

Is it the right way, or am I better off overwriting /opt/splunk/share/GeoLite2-City.mmdb on the indexers and the SH?

96nick
Communicator

Yeah, just a couple of things:

  • The limits.conf will have to be different between the SHs and the indexers, since the indexers will have the app with limits.conf in ../etc/slave-apps while the search head will have it in .../etc/apps (assuming you don't have a search head cluster).
  • Also make sure you remove/rename the limits.conf file in /opt/splunk/etc/system/local if present.
  • You can also include a script in the app you deploy to auto-update the DB on your indexers. You may have to set up a cron to run it though.

Hope that helped!

rayar
Contributor

The limits.conf files are different on the indexers and the SH.

We don't have /opt/splunk/etc/system/local/limits.conf.

The updated file will be copied with cron to the deployment server.

Thanks a lot, will test it during the week.