000035892 - Requesting updates to the Geo IP data found within RSA NetWitness Logs & Packets

Document created by RSA Customer Support Employee on Jan 5, 2018. Last modified by RSA Customer Support Employee on Jan 5, 2018.
Version 2

Article Content

Article Number: 000035892
Applies To
RSA Product Set: Security Analytics, NetWitness Logs & Packets
RSA Product/Service Type: Packet Decoder, Log Decoder
RSA Version/Condition: All versions
Issue
When performing investigations, or running charts, reports or alerts based on the geo-location of an IP address, the user notices that a specific IP address or range of IP addresses does not map to the correct geographic location.
Resolution
Follow the steps below to resolve the issue.
  1. Verify the accuracy of the IP information on the MaxMind website here: https://www.maxmind.com/en/geoip-demo
  2. If the IP information is not accurate, raise a request with MaxMind Support to have it corrected.
  3. If you have a MaxMind subscription, download the latest database updates from MaxMind. Otherwise, wait for the next RSA NetWitness Logs & Packets release, which will include the latest MaxMind database updates.
If you are subscribed to MaxMind for database updates then the steps below explain how to apply these updates.
  1. Connect to the Decoder appliance via SSH.
  2. Stop the nwdecoder service.

    stop nwdecoder

  3. Make a backup of the following files:
    • /etc/netwitness/ng/GeoCity.dat
    • /etc/netwitness/ng/GeoCountry.dat
    • /etc/netwitness/ng/GeoDomain.dat
    • /etc/netwitness/ng/GeoInfo.txt
    • /etc/netwitness/ng/GeoOrg.dat
  4. Replace the files listed in step 3 (the /etc/netwitness/ng/Geo* files) with the corresponding files from MaxMind, making sure the file names match exactly.
  5. Start the nwdecoder service again.

    start nwdecoder
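The procedure above as one script, added here as an example rather than RSA's own tooling: it checks that every expected file name is present before anything is overwritten, keeps a timestamped backup, and restarts the decoder whether or not the copy succeeded. The /etc/netwitness/ng path and the five file names come from this article; /tmp/maxmind as the download location and /root/geo-backup-* as the backup location are assumptions.

```shell
#!/bin/sh
# Added example, not RSA tooling: applies steps 2 to 5 of the procedure
# above with a timestamped backup and a file-name check before anything
# is overwritten. /etc/netwitness/ng and the five file names are from the
# article; /tmp/maxmind (where the downloaded MaxMind files sit) and the
# /root/geo-backup-* location are assumptions.

GEO_DIR=/etc/netwitness/ng
SRC_DIR=/tmp/maxmind
GEO_FILES="GeoCity.dat GeoCountry.dat GeoDomain.dat GeoInfo.txt GeoOrg.dat"

# update_geo_files SRC GEO_DIR BACKUP_DIR
# Refuses to touch GEO_DIR unless every expected file is present in SRC
# under the exact name the decoder loads (step 4), then backs up the
# current files (step 3) and copies the new ones into place.
update_geo_files() {
    src="$1"; geo="$2"; backup="$3"
    for f in $GEO_FILES; do
        if [ ! -f "$src/$f" ]; then
            echo "$src/$f is missing; nothing was replaced" >&2
            return 1
        fi
    done
    mkdir -p "$backup" || return 1
    for f in $GEO_FILES; do
        if [ -f "$geo/$f" ]; then
            cp -p "$geo/$f" "$backup/$f" || return 1
        fi
    done
    for f in $GEO_FILES; do
        cp "$src/$f" "$geo/$f" || return 1
    done
    return 0
}

# Run as root on the Decoder with --apply to perform the whole procedure.
if [ "${1:-}" = "--apply" ]; then
    stop nwdecoder
    if update_geo_files "$SRC_DIR" "$GEO_DIR" \
            "/root/geo-backup-$(date +%Y%m%d%H%M%S)"; then
        echo "Geo* files replaced; backup kept under /root"
    else
        echo "update failed; see message above" >&2
    fi
    start nwdecoder   # bring the decoder back up either way
fi
```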

Notes
RSA Customer Support does not provide updated MaxMind database files. Updated files ship with each version of the RSA NetWitness Suite. However, these files are only current up to the point in time at which that version of the RSA NetWitness Suite was compiled. If more recent versions of the MaxMind database are required, it is highly recommended that the customer subscribe to MaxMind directly.