Enable automatic GeoIP update in elastic

[xde012]

hello,
I'm trying to update my geoip database in elastic and I can't get it, I see very little information regarding the subject of Salt and Elastic.
We have enabled access to the following URLs: geoip.elastic.co and storage.googleapis.com

Within Security Onion I have several but I don't see clearly which file I should modify or add the "true" parameter to enable the automatic download.

I have the following assumptions, can someone tell me where it is exactly?

/opt/so/saltstack/local/pillar/global.sls

/opt/so/saltstack/local/pillar/elasticsearch/ (I don't have any files here)

/opt/so/saltstack/local/salt/elasticsearch/ (Here I have files and folders but everything related to key users and user roles)

The only place I have found the configuration is in /opt/so/conf/elasticsearch/elasticsearch.yml

But by changing the setting to "true" and restarting elastic this setting is cleared, so I understand it is required to be done via Saltstack.

Security Onion: 2.3.181
Elastic: 8.4.3

Thank you.

[argwfm]

Had success here adding everything below config: to /opt/so/saltstack/local/pillar/global.sls

elasticsearch:
  true_cluster: False
  replicas: 0
  discovery_nodes: 1
  hot_warm_enabled: False
  cluster_routing_allocation_disk.threshold_enabled: true
  cluster_routing_allocation_disk_watermark_low: '95%'
  cluster_routing_allocation_disk_watermark_high: '98%'
  cluster_routing_allocation_disk_watermark_flood_stage: '98%'
  config:
    ingest:
      geoip:
        downloader:
          enabled: true

[dougburks]

Since you're still on Security Onion 2.3.181 and it's from October 2022, I'd first recommend upgrading to the latest version of 2.3:
https://blog.securityonion.net/2023/05/security-onion-23250-now-available.html

You should then be able to follow the GeoIP section of the Elasticsearch page in our docs:
https://docs.securityonion.net/en/2.3/elasticsearch.html#geoip

[xde012]

Thank you very much, the configuration was changed with the answer of "argwfm"

Now I am checking that GEOIP is updated, I have waited more than 7 days but for example 30 days ago this IP was detected as France and it really is Spain in virustotal, shodan, etc. --> 92.172.78.227

Is there any more step to be done? Elastic was also restarted after the configuration change

Thank you.

[argwfm]

Check to see if updates are occurring via an Elastic/Kibana search event.module.keyword:elasticsearch AND geoip over the last 7days. If everything is working you'll see successfully downloaded geoip database [GeoLite2-Country.mmdb] for each/every search node.

Updates aren't retroactive, so it's NOT going to go back and update old GeoIP data; only going forward.
You can check accuracy of GeoIP tagging manually at: https://www.maxmind.com/en/geoip-demo

[xde012]

I've been trying to find the way for several days but... Where exactly should I carry out this search?
is Discover? but in what view of data or index? sorry for my ignorance, I'm relatively new to elastic

Thank you

[dougburks]

@xde012 If you're still on Security Onion 2.3.181, then I'd first recommend upgrading to the latest version (as I mentioned in my reply above). If you then can't find the log that argwfm is referring to by searching in SOC or Kibana, you can also search in the filesystem at /opt/so/log/elasticsearch/:
https://docs.securityonion.net/en/2.3/elasticsearch.html#diagnostic-logging

[xde012]

ok, thanks for everything. Fixed