Hi All,
GeoIP gets updated with the version update, which comes in month(s), and MaxMind updates their database once every three weeks. So there is a lack of an updated database in SA, due to which we sometimes get two source/destination countries for a single IP, and the GeoIP update is also not available in Live. Please suggest some method by which we can automate this process, as right now we are manually updating the GeoIP DB once a month on the Ldecoder/Decoder.
Mohd,
Currently the only way to update the GeoIP database so that it is as current as possible is to go to MaxMind and subscribe to their service. By subscribing you can pull the latest GeoIP database and apply it to your decoders. Once you have the files you will need to upload them manually to /etc/netwitness/ng as you have already mentioned.
To do it in an automated fashion you would need to write a script of some sort that may be able to pull the database from MaxMind via an API (you would need to check with MaxMind to see if they have one). Then have your script upload that file via SCP to all your decoders.
At this time there is no way built into the Netwitness product to do this for you and as you have mentioned the GeoIP database is not in Live. Any updates from RSA only happen when you upgrade your Netwitness software. Anything else requires the customer to purchase and manually update the GeoIP database from MaxMind's site.
If you want assistance from RSA you can talk to your Sales person about Professional Service hours and they may be able to write an automation script for this but it would be an "As Is" script. This means if such a script was written for you by Professional Services it would not be considered "officially supported". If it stopped working the customer would be responsible for fixing it.
I know the above doesn't provide a way to automate the process but I hope this information will help anyone who has a similar question.
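The distribution half of the script described in the reply, as an added example that is not part of the original posts and is not an RSA or MaxMind script: it checks the downloaded file against a SHA-256 digest before copying it over SCP into /etc/netwitness/ng on each decoder. Assumptions: the download step has already produced the file and its published digest, the decoders accept key-based SSH with known host keys, and the host names, `DECODERS` and `DRY_RUN` variables and function names are placeholders made up for the example.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded GeoIP database, then copy it to each decoder.
# Assumptions (not from the thread): the file was already downloaded together
# with its published SHA-256, hosts are reachable with key-based SSH, and the
# host names below are placeholders.

DEST_DIR="/etc/netwitness/ng"          # upload location named in the thread
DECODERS="${DECODERS:-decoder1.example.internal ldecoder1.example.internal}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands instead of running them

# Return 0 only if the file's SHA-256 equals the expected hex digest.
verify_sha256() {
    local file="$1" expected="$2" actual
    [ -r "$file" ] || return 2
    actual="$(sha256sum "$file" | awk '{print $1}')"
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Copy to a temporary name, then rename, so a decoder never reads a half-written file.
push_db() {
    local file="$1" host="$2" name
    name="$(basename "$file")"
    run scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$file" "$host:$DEST_DIR/$name.new" || return 1
    run ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$host" "mv -f '$DEST_DIR/$name.new' '$DEST_DIR/$name'"
}

# Verify once, then push to every decoder; the return value is the number of failed hosts.
update_all() {
    local file="$1" expected="$2" host failed=0
    verify_sha256 "$file" "$expected" || { echo "checksum mismatch: $file" >&2; return 1; }
    for host in $DECODERS; do
        push_db "$file" "$host" || { echo "push failed: $host" >&2; failed=$((failed + 1)); }
    done
    return "$failed"
}

# Example call from cron, after the download step (path and digest are placeholders):
#   DRY_RUN=0 update_all "/var/tmp/<database file>" "<sha256 from the download step>"
```

Whether a decoder picks up the new file without a service restart is not covered in this thread, so confirm that on one decoder before scheduling the script.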