When performing investigations or running charts, reports or alerts based on the geo-location of an IP address, a specific IP address or range of IP addresses does not map to the correct geographic location.
If you have a MaxMind subscription, then download or get the latest updates from MaxMind. Otherwise, if you do not have a subscription, then you will have to wait for the next RSA NetWitness Logs & Network release, which will include the latest MaxMind database updates.
If you are not updating RSA NetWitness but would like to update the GeoIP files, get the rsa-nw-decodercontent-11.2.x.x-<latest version build>.rpm from the latest RSA NetWitness Logs & Network update package. Use a utility such as WinSCP to copy the rpm package to a temp working directory on your Decoder host.
Extract the files from the RPM as follows:
cd to the temp working directory where you copied the RPM.
Run the following command, which creates the directories and extracts the files into your working directory (the resulting files are similar to the list of files below):
# rpm2cpio ./rsa-nw-decodercontent-11.2.x.x-<latest version build>.rpm | cpio -idmv
If you are subscribed to MaxMind for database updates or if you have extracted the latest GeoIP files, then the steps below explain how to apply these updates.
If your Decoder is currently running RSA NetWitness version 11.2 and is using the GeoIP2 parser, back up the below files:
Replace the files backed up in step 3 or 4 (the /etc/netwitness/ng/Geo* files or the /etc/netwitness/ng/geoip2/Geo* files) with the corresponding files from MaxMind or from the newly extracted data, making sure the file names match exactly.
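The extract, back up and replace steps above as a shell script, added here as an example rather than taken from the article or from RSA. It assumes the RPM has already been copied to the working directory, that the GeoIP files unpack under ./etc/netwitness/ng/geoip2/ (adjust the path for the non-GeoIP2 layout), and it only overwrites files whose names already exist in the live directory so that a name mismatch is reported instead of silently creating a stray file.

```shell
#!/bin/sh
# Example helper for refreshing MaxMind GeoIP files on a NetWitness Decoder.
# Assumption: the content RPM is already in WORKDIR and unpacks its GeoIP
# files under ./etc/netwitness/ng/geoip2/ (hypothetical layout).
set -eu

# Extract the content RPM into WORKDIR (the rpm2cpio | cpio step from the article).
extract_rpm() {
    workdir=$1; rpm=$2
    (cd "$workdir" && rpm2cpio "$rpm" | cpio -idmv)
}

# Back up every Geo* file in DEST to BACKUPDIR, then copy the file of the same
# name from SRC over it. A source file with no counterpart in DEST is skipped
# and reported, and the function returns 1 so the caller notices the mismatch.
replace_geo_files() {
    src=$1; dest=$2; backupdir=$3
    mkdir -p "$backupdir"
    status=0
    for f in "$src"/Geo*; do
        name=$(basename "$f")
        if [ -f "$dest/$name" ]; then
            cp -p "$dest/$name" "$backupdir/$name"   # keep a restorable copy first
            cp "$f" "$dest/$name"
            echo "replaced $dest/$name (backup in $backupdir)"
        else
            echo "WARNING: $name has no counterpart in $dest; name mismatch?" >&2
            status=1
        fi
    done
    return $status
}

# Typical invocation on the Decoder (uncomment to run):
# extract_rpm /tmp/geoip-work ./rsa-nw-decodercontent-11.2.x.x-BUILD.rpm
# replace_geo_files /tmp/geoip-work/etc/netwitness/ng/geoip2 \
#     /etc/netwitness/ng/geoip2 /root/geoip-backup-$(date +%Y%m%d)
```

Restart the Decoder service afterwards if the parser does not pick up the new files on its own.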
RSA Customer Support does not provide updated MaxMind database files. Updated files come with each version of the RSA NetWitness Suite. However, these files are only updated to the point in time at which that version of the RSA NetWitness Suite was compiled. If more recent versions of the MaxMind database are required, then it is highly suggested that the customer go to MaxMind and subscribe.