000035892 - Requesting updates to the Geo IP data found within RSA NetWitness Logs & Network

Document created by RSA Customer Support Employee on Jan 5, 2018Last modified by RSA Customer Support Employee on Apr 10, 2019
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000035892
Applies ToRSA Product Set: Security Analytics, NetWitness Logs & Network
RSA Product/Service Type: Packet Decoder, Log Decoder
RSA Version/Condition: All versions
IssueWhen performing Investigations, running charts, reports or alerts based on the geo-location of a specific IP address, a specific IP address or range of IP addresses is not mapping to the correct world geographic location.
ResolutionFollow the steps below to resolve the issue.
  1. Verify the accuracy of the IP information accuracy on the MaxMind website here: https://www.maxmind.com/en/geoip-demo
  2. If the IP information is not accurate, then raise a request with MaxMind Support to make a correction.
  3. If you have a MaxMind subscription, then download or get the latest updates from MaxMind.  Otherwise, if you do not have a subscription, then you will have to wait for the next RSA NetWitness Logs & Network release, which will include the latest MaxMind database updates.
  4. If you are not updating RSA NetWitness but would like to update the GeoIP files, get the rsa-nw-decodercontent-11.2.x.x-<latest version build>.rpm from the latest RSA NetWitness Logs & Network update package. Use a utility such as WinSCP to copy the rpm package to a temp working directory in your decoder host.
  5. Extract the files from the RPM by the command below:

  • cd to the temp working directory where you copied the RPM
  • Run the following command to create directories and extract files on your working directory, similar to the list of files below:

# rpm2cpio ./rsa-nw-decodercontent-11.2.x.x-<latest version build>.rpm|cpio -idmv

  • ./etc/netwitness
  • ./etc/netwitness/ng
  • ./etc/netwitness/ng/GeoCity.dat
  • ./etc/netwitness/ng/GeoCountry.dat
  • ./etc/netwitness/ng/GeoDomain.dat
  • ./etc/netwitness/ng/GeoInfo.txt
  • ./etc/netwitness/ng/GeoOrg.dat
  • ./etc/netwitness/ng/feeds
  • ./etc/netwitness/ng/feeds/feed-definitions.xsd
  • ./etc/netwitness/ng/geoip2
  • ./etc/netwitness/ng/geoip2/GeoIP2-City.mmdb
  • ./etc/netwitness/ng/geoip2/GeoIP2-Domain.mmdb
  • ./etc/netwitness/ng/geoip2/GeoIP2-ISP.mmdb
  • ./etc/netwitness/ng/parsers
  • ./etc/netwitness/ng/parsers/parsers.xsd
  • ./etc/netwitness/ng/parsers/types.xsd


If you are subscribed to MaxMind for database updates or if you have extracted the latest GeoIP files, then the steps below explain how to apply these updates.

  1. Connect to the Decoder appliance via SSH.
  2. Stop the nwdecoder service.

    # stop nwdecoder
    # systemctl stop nwdecoder  (for v11.x)

  3. Make a backup of the following files:
    • /etc/netwitness/ng/GeoCity.dat
    • /etc/netwitness/ng/GeoCountry.dat
    • /etc/netwitness/ng/GeoDomain.dat
    • /etc/netwitness/ng/GeoInfo.txt
    • /etc/netwitness/ng/GeoOrg.dat
  4. If your Decoder is currently running RSA NetWitness version 11.2 and is using the GeoIP2 parser, backup the below files:
    • /etc/netwitness/ng/geoip2/GeoIP2-City.mmdb
    • /etc/netwitness/ng/geoip2/GeoIP2-Domain.mmdb
    • /etc/netwitness/ng/geoip2/GeoIP2-ISP.mmdb
  5. Replace the files in step 3 or 4 (being the /etc/netwitness/ng/Geo* files or /etc/netwitness/ng/geoip2/Geo* files) with the corresponding files from MaxMind or the new extracted data files, making sure the names match up correctly.
  6. Start the nwdecoder service again.

    # start nwdecoder
    # systemctl start nwdecoder  (for v11.x)

NotesRSA Customer Support does not provide updated MaxMind database files. Updated files come with each version of the RSA NetWitness Suite. However, these files are only updated to the point in time at which that version of the RSA NetWitness Suite was compiled. If more recent versions of the MaxMind database are required, then it is highly suggested that the customer go to MaxMind and subscribe.