Hi Aatom,

Yes, I finally figured out that MaxMind changed their method regarding DB access. In order to get the database up to date, you now need to have an account on MaxMind. Here's the page describing the new policies: https://dev.maxmind.com/geoip/geoip2/geolite2/

Once you have signed up, you need to generate a license key as described on this page: https://dev.maxmind.com/geoip/geoip-direct-downloads/

As I'm on an outdated version of Splunk, I chose not to integrate it through a Splunk custom command, even though it would be more convenient to raise an alert in case of download failure. Personally, I use the following script, scheduled in my deployment server's crontab, to refresh the data:

```bash
#!/bin/bash
# Refresh the GeoLite2-City database used by Splunk; scheduled from cron on the deployment server.
cd /opt/splunk/share || exit 1
# Keep the previous database so it can be restored by hand if the update goes wrong.
cp GeoLite2-City.mmdb GeoLite2-City.mmdb.old
# Downloads now require a MaxMind account; replace MYLICENSEKEY with your own license key.
wget -O GeoLite2-City.tar.gz "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=MYLICENSEKEY&suffix=tar.gz" || { echo 'Could not download MaxMind GeoIP DB, exiting.' ; exit 1; }
# The tarball wraps the files in a dated directory; strip it so the .mmdb lands in this directory.
tar --strip-components=1 -zxf GeoLite2-City.tar.gz || { echo 'Could not extract MaxMind GeoIP DB, exiting.' ; exit 1; }
chmod 644 GeoLite2-City.mmdb
```

Since I've updated the script to use the license key (just replace "MYLICENSEKEY" with your own in the script), everything is working smoothly again, and my customer is happier to have threat source locations on their dashboards 😉

I hope this answer helps you correct the issue you are facing, as it seems pretty similar to the one I faced.

Best regards.
Xavier.
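The refresh procedure described in the answer above, as an added example that is not part of the original post and not Xavier's script: a hardened version of the same cron job. It keeps the license key out of the script and out of `ps` output, verifies the tarball against the SHA-256 digest MaxMind publishes for the same download (the `suffix=tar.gz.sha256` variant of the direct-download URL), sanity-checks the extracted file, and swaps the new database in with a single rename so Splunk never reads a half-written `.mmdb`. The key file path `/etc/maxmind/license_key`, the `EDITION` and `SHARE_DIR` variables, and the function names `build_url`, `fetch`, `verify_sha256` and `install_db` are my assumptions, not MaxMind's or Splunk's.

```bash
#!/bin/bash
# Added example (not from the original post): a hardened version of the cron refresh.
# Compared with the posted script it
#  - reads the license key from a root-only file instead of embedding it in the script,
#  - feeds the download URL to wget on stdin so the key does not appear in `ps` output,
#  - checks the tarball against the SHA-256 digest MaxMind publishes alongside it, and
#  - unpacks into a scratch directory and swaps the .mmdb in with one rename, so Splunk
#    never reads a missing or half-written database.
set -eu

EDITION="${EDITION:-GeoLite2-City}"
SHARE_DIR="${SHARE_DIR:-/opt/splunk/share}"
KEY_FILE="${KEY_FILE:-/etc/maxmind/license_key}"   # assumed path; create it with mode 0600, owned by root

# Direct-download URL for one suffix ("tar.gz" for the database, "tar.gz.sha256" for its digest).
build_url() {
  local key="$1" suffix="$2"
  printf 'https://download.maxmind.com/app/geoip_download?edition_id=%s&license_key=%s&suffix=%s' \
    "$EDITION" "$key" "$suffix"
}

# Download $1 to $2. The URL goes in on stdin (-i -) rather than argv, which keeps the
# license key out of process listings and shell history.
fetch() {
  printf '%s\n' "$1" | wget -q -O "$2" -i -
}

# Compare the tarball's SHA-256 with the first field of MaxMind's .sha256 file.
# `sha256sum -c` is deliberately not used: the digest file names the dated upstream
# filename, not the name the tarball was saved under here.
verify_sha256() {
  local tarball="$1" sumfile="$2" expected actual
  expected="$(awk 'NR==1 {print $1}' "$sumfile")"
  actual="$(sha256sum "$tarball" | awk '{print $1}')"
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Extract $1 into a scratch dir under $2, sanity-check the .mmdb, keep a .old copy of the
# current file and rename the new one into place. Prints the installed path on success.
install_db() {
  local tarball="$1" dest_dir="$2" work mmdb target
  target="$dest_dir/$EDITION.mmdb"
  # Scratch dir on the same filesystem as the target, so the final mv is a single rename(2).
  work="$(mktemp -d "$dest_dir/.geoip-XXXXXX")"
  if ! tar --strip-components=1 -zxf "$tarball" -C "$work"; then
    rm -rf "$work"; return 1
  fi
  mmdb="$work/$EDITION.mmdb"
  # Every MMDB file ends with a metadata section introduced by the marker "MaxMind.com";
  # an empty file or an HTML error page saved under the .mmdb name will not carry it.
  if ! [ -s "$mmdb" ] || ! grep -aq 'MaxMind.com' "$mmdb"; then
    rm -rf "$work"; return 1
  fi
  chmod 644 "$mmdb"
  [ -f "$target" ] && cp -p "$target" "$target.old"
  mv -f "$mmdb" "$target"
  rm -rf "$work"
  printf '%s\n' "$target"
}

main() {
  local key work tarball
  [ -r "$KEY_FILE" ] || { echo "Cannot read license key file $KEY_FILE" >&2; exit 1; }
  key="$(tr -d '[:space:]' < "$KEY_FILE")"
  work="$(mktemp -d)"
  tarball="$work/$EDITION.tar.gz"
  fetch "$(build_url "$key" tar.gz)" "$tarball" \
    || { echo 'Could not download MaxMind GeoIP DB, exiting.' >&2; rm -rf "$work"; exit 1; }
  fetch "$(build_url "$key" tar.gz.sha256)" "$tarball.sha256" \
    || { echo 'Could not download MaxMind GeoIP DB checksum, exiting.' >&2; rm -rf "$work"; exit 1; }
  verify_sha256 "$tarball" "$tarball.sha256" \
    || { echo 'Checksum mismatch, keeping the current DB.' >&2; rm -rf "$work"; exit 1; }
  install_db "$tarball" "$SHARE_DIR" >/dev/null \
    || { echo 'Extracted file is not a valid MMDB, keeping the current DB.' >&2; rm -rf "$work"; exit 1; }
  rm -rf "$work"
}

# Cron entry: /path/to/refresh-geoip.sh run. Without the "run" argument the script only
# defines its functions, so it can be sourced and exercised without touching the network.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Because the failure branches all exit before `mv`, a bad download, a digest mismatch or a truncated archive leaves the previous database untouched and its `.old` copy unchanged; the non-zero exit status is what a cron mail or a wrapper alert can key on, which covers the download-failure alerting that the answer above mentions wanting.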