000035021 - How-to Update the geoIP Databases on RSA NetWitness decoders

Document created by RSA Customer Support Employee on Apr 12, 2017

Article Content

Article Number: 000035021
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.4, 10.5, 10.6
Platform: CentOS
O/S Version: 6
Product Name: Security Analytics Log Decoder and Packet Decoder
 
Issue: RSA provides geoIP databases on all packet and log decoders. The geoIP data is used to enrich meta during the parsing phase of logs and packets. RSA does not provide regular updates to the geoIP databases. Customers can, however, obtain updated data from MaxMind (www.maxmind.com). A paid MaxMind account is required to obtain geoIP updates.
The RSA-supported format provided by MaxMind is DAT, which MaxMind refers to as Legacy.
 
Tasks: First download the updated .dat files from MaxMind:
GEO-106: GeoIP Legacy Country - Binary GZIP
GEO-111: GeoIP Legacy Organization - Binary GZIP
GEO-133: GeoIP Legacy City with DMA/Area Codes - Binary GZIP
GEO-173: GeoIP Legacy Domain Name - Binary GZIP
Use a utility such as WinSCP to copy the following .dat files to the decoder:
GeoCity.dat
GeoCountry.dat
GeoDomain.dat
GeoInfo.txt
GeoOrg.dat
Once the new .dat files have been copied, the decoder service will have to be restarted.
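The procedure above, carried out on the decoder itself, as an added example; this is not an RSA-provided script. It assumes the MaxMind downloads have already been transferred to the decoder as .gz files, that the destination directory (GEOIP_DIR) and the service name (DECODER_SERVICE) are placeholders you replace with the values for your decoder, and that you supply the mapping from each downloaded archive to the file name the decoder expects (for example, GeoCountry.dat). It checks that each download really is gzip before unpacking it, backs up the .dat file being replaced, verifies the installed copy with cksum, and only then restarts the service; GeoInfo.txt is a plain text file and is copied as-is, outside this script.

```shell
#!/bin/sh
# Added example, not RSA's script. GEOIP_DIR and DECODER_SERVICE are
# placeholders (assumptions); set them for your decoder before running.
GEOIP_DIR="${GEOIP_DIR:-/path/to/decoder/geoip}"
DECODER_SERVICE="${DECODER_SERVICE:-decoder-service-name}"

# True if the file starts with the gzip magic bytes 1f 8b. MaxMind Legacy
# downloads are "Binary GZIP" and must be decompressed before the decoder
# can use them.
is_gzip() {
    [ -f "$1" ] || return 1
    [ "$(od -An -N2 -tx1 "$1" | tr -d ' \n')" = "1f8b" ]
}

# Decompress one archive into the staging directory under the name the
# decoder expects ($3, e.g. GeoCountry.dat). Refuses non-gzip input.
unpack_dat() {
    src="$1"; stage="$2"; name="$3"
    is_gzip "$src" || { echo "not a gzip file: $src" >&2; return 1; }
    gzip -dc "$src" > "$stage/$name" || return 1
    [ -s "$stage/$name" ]   # an empty result means a broken download
}

# Copy the four staged .dat files into the decoder's geoIP directory, keeping
# a backup of each replaced file (suffix .bak-<stamp>) and verifying the
# installed copy against the staged one with cksum.
install_dats() {
    stage="$1"; dest="$2"; stamp="$3"
    for f in GeoCity.dat GeoCountry.dat GeoDomain.dat GeoOrg.dat; do
        [ -f "$stage/$f" ] || { echo "missing $f in $stage" >&2; return 1; }
    done
    for f in GeoCity.dat GeoCountry.dat GeoDomain.dat GeoOrg.dat; do
        if [ -f "$dest/$f" ]; then
            cp -p "$dest/$f" "$dest/$f.bak-$stamp" || return 1
        fi
        cp "$stage/$f" "$dest/$f" || return 1
        chmod 644 "$dest/$f" || return 1
        [ "$(cksum < "$stage/$f")" = "$(cksum < "$dest/$f")" ] || return 1
    done
}

# Arguments are <archive.gz>=<decoder file name> pairs, for example:
#   sh update_geoip.sh GeoIP.dat.gz=GeoCountry.dat GeoIPOrg.dat.gz=GeoOrg.dat
main() {
    stage=$(mktemp -d) || exit 1
    for pair in "$@"; do
        unpack_dat "${pair%%=*}" "$stage" "${pair#*=}" || exit 1
    done
    install_dats "$stage" "$GEOIP_DIR" "$(date +%Y%m%d%H%M%S)" || exit 1
    rm -rf "$stage"
    # The decoder only picks up the new databases after a service restart.
    service "$DECODER_SERVICE" restart
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Keeping the dated backups means a bad download (a truncated archive, or the wrong product) can be rolled back by copying the .bak file over the new one and restarting the service again.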
