As GeoIP gets updated with the version update, which comes every month (or months), and MaxMind updates their database once every three weeks, there is a lack of an updated database in SA, due to which we sometimes get two source/destination countries for a single IP, and a GeoIP update is also not available in Live. Please suggest some method by which we can automate this process, as right now we are manually updating the GeoIP DB once a month on the Ldecoder/Decoder.
Currently the only way to update the GeoIP database so that it is as current as possible is to go to MaxMind and subscribe to their service. By subscribing you can pull the latest GeoIP database and apply it to your decoders. Once you have the files you will need to upload them manually to /etc/netwitness/ng as you have already mentioned.
To do it in an automated fashion you would need to write a script of some sort that may be able to pull the database from MaxMind via an API, which you would need to check with MaxMind to see if they have one. Then have your script upload that file via SCP to all your decoders.
At this time there is no way built into the Netwitness product to do this for you and as you have mentioned the GeoIP database is not in Live. Any updates from RSA only happen when you upgrade your Netwitness software. Anything else requires the customer to purchase and manually update the GeoIP database from MaxMind's site.
If you want assistance from RSA you can talk to your Sales person about Professional Service hours and they may be able to write an automation script for this but it would be an "As Is" script. This means if such a script was written for you by Professional Services it would not be considered "officially supported". If it stopped working the customer would be responsible for fixing it.
I know the above doesn't provide a way to automate the process but I hope this information will help anyone who has a similar question.
We just purchased the GeoIP license from MaxMind. Here is an easy script to distribute the files across all decoders:
# Minions that already have the City database in place are the decoders we want to target.
geoips=$(salt '*' --out=json --static cmd.run 'ls /etc/netwitness/ng/geoip2/GeoIP2-City.mmdb' 2>/dev/null | jq 'with_entries(select(.value == "/etc/netwitness/ng/geoip2/GeoIP2-City.mmdb")) | keys')
# Turn the JSON array of minion ids into the comma-separated list that salt -L expects.
list=$(echo "$geoips" | jq -r 'join(",")')
# Copy every .mmdb file from the current directory to the decoders, then restart them.
salt-cp -L "$list" --chunked -t 300 *.mmdb /etc/netwitness/ng/geoip2/
salt -L "$list" --out=json --static cmd.run 'systemctl restart nwdecoder'
Of course when you are using log decoders, you will need to restart nwlogdecoder.
Is a restart of nwdecoder via systemctl really required to load the new GeoIP databases? Or would a reload of the parsers via the API also be sufficient?
I was able to verify today that a reload of the parsers is enough to load the new GeoIP databases:
Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-City.mmdb with build date 2020-Jun-08 16:20:06
Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-Domain.mmdb with build date 2020-Jun-09 14:13:40
Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-ISP.mmdb with build date 2020-Jun-08 14:49:54
NwConsole can perform the reload from the local command line, no password required:
NwConsole -k -c "tlogin server=localhost port=56004 username=admin group=Administrators cert=/etc/pki/nw/node/node-cert.pem key=/etc/pki/nw/node/node-key.pem" -c "send /decoder/parsers reload"
Or using salt from the NetWitness server (see above):
salt -L $list cmd.run 'NwConsole -k -c "tlogin server=localhost port=56004 username=admin group=Administrators cert=/etc/pki/nw/node/node-cert.pem key=/etc/pki/nw/node/node-key.pem" -c "send /decoder/parsers reload"'
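As an added example (not code from this thread, from RSA or from MaxMind), a POSIX shell check that closes the loop after the push and parser reload: it parses the "[GeoIP2] [info] Successfully opened ..." lines quoted above and confirms each database was loaded with a build date at least as new as the one you distributed, so a decoder that silently kept an old file is reported. It assumes the decoder log can be read with journalctl for the nwdecoder unit named earlier; the sample log text is the three lines from this thread.

```shell
#!/bin/sh
# Added example, not from the thread. Verify that the decoder really opened the
# GeoIP2 databases you pushed, by checking the build dates NwDecoder logs.

# Read NwDecoder log text on stdin; print one "<database> <YYYYMMDD>" line per
# successful open, e.g. "GeoIP2-City.mmdb 20200608".
geoip_build_dates() {
  sed -n 's/.*\[GeoIP2\] \[info\] Successfully opened \([A-Za-z0-9-]*\.mmdb\) with build date \([0-9]\{4\}\)-\([A-Za-z]\{3\}\)-\([0-9]\{2\}\).*/\1 \2 \3 \4/p' |
  awk 'BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
               for (i = 1; i <= n; i++) idx[m[i]] = sprintf("%02d", i) }
       { print $1, $2 idx[$3] $4 }'
}

# $1: log text; $2: expected "<database> <YYYYMMDD>" lines, one per database.
# Prints MISSING/STALE for each problem; returns 0 only when every expected
# database was opened with a build date at least as new as expected.
check_loaded_databases() {
  log=$1 rc=0
  while read -r db want; do
    [ -n "$db" ] || continue
    have=$(printf '%s\n' "$log" | geoip_build_dates | awk -v d="$db" '$1 == d { print $2 }' | sort | tail -n 1)
    if [ -z "$have" ]; then
      echo "MISSING $db (never opened)"; rc=1
    elif [ "$have" -lt "$want" ]; then
      echo "STALE   $db loaded=$have expected=$want"; rc=1
    fi
  done <<EOF
$2
EOF
  return $rc
}

# Sample input: the three log lines quoted earlier in this thread.
SAMPLE_LOG='Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-City.mmdb with build date 2020-Jun-08 16:20:06
Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-Domain.mmdb with build date 2020-Jun-09 14:13:40
Jun 12 11:52:13 hybrid NwDecoder: [GeoIP2] [info] Successfully opened GeoIP2-ISP.mmdb with build date 2020-Jun-08 14:49:54'

# On a real decoder, feed the live log instead (assumed unit name from the thread), e.g.:
#   check_loaded_databases "$(journalctl -u nwdecoder --since '-10 min')" "GeoIP2-City.mmdb 20200608"
```

Run it on each decoder after the reload (or wrap it in salt cmd.run as above) and a non-zero exit tells you which host still serves the old database.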