-
Version2.4.150 Installation MethodSecurity Onion ISO image Descriptionconfiguration Installation TypeDistributed Locationon-prem with Internet access Hardware SpecsExceeds minimum requirements CPU8 RAM24g Storage for /163gb Storage for /nsm326gb Network Traffic Collectionspan port Network Traffic Speeds1Gbps to 10Gbps StatusYes, all services on all nodes are running OK Salt StatusNo, there are no failures LogsNo, there are no additional clues DetailSo, I've got a nice little lab setup for my home/home office network and am receiving data and alerts as appropriate. All seems to be working as designed, however, I noticed there is no GeoIP enrichment data. I've searched support and noted that Elasticsearch 8 doesn't include it automatically, however, doc recommendation was done and still no joy. There is a tag in the event "_geoip_expired_database" I've looked into this but as this is a SO implementation of Elasticsearch, I'm trying to steer clear of too many specific changes outside of SO methods (I learned my lesson in 2.3 !!) There is no data showing in any of the GeoIP Dashboards, so I'm thinking it's not there and/or not getting updated. I did a quick search of dns records which show NIL when searched on goeip.elastic.co and storage.googleapis.com have not be seen as a DNS request, so I'm wondering where to go next to troubleshoot this.... I have a MgrSearch Node and a Sensor node with 3 segements and 3 or 4 endpoints (nothing fancy) Fortinet Firewall and Switch, so really simple setup.... Thoughts? Ideas? I'm not an expert w/elasticsearch so anything would be welcome.... Guidelines
|
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
https://docs.securityonion.net/en/2.4/elasticsearch.html#geoip Check to see if you have the geoip databases shard with |
Beta Was this translation helpful? Give feedback.
-
|
So, command result is: .geoip_databases 0 p STARTED 6 5.1mb 5.1mb 10.26.70.200 soc-mgr |
Beta Was this translation helpful? Give feedback.
-
|
ran command as false, then true, now no results from so-elasticsearch-shards-list | grep geoip I should have left well enough alone.... ;-( |
Beta Was this translation helpful? Give feedback.
-
|
Ok, they're back...sort of....so-elasticsearch-shards-list for geoip returns: .geoip_databases 0 p STARTED 18 20.1mb 20.1mb 10.26.70.200 soc-mgr so let's see if that "reset" things.... |
Beta Was this translation helpful? Give feedback.
-
|
As a follow up (sorry for the delay) it appears that setting it to FALSE then TRUE again resolved the problem...almost as if the DB was there, but not there. Thanks for this. |
Beta Was this translation helpful? Give feedback.
https://docs.securityonion.net/en/2.4/elasticsearch.html#geoip
Check to see if you have the geoip databases shard with
sudo so-elasticsearch-shards-list | grep geoip, if not run the command in the docs and check the log for the creation of the db. If not, run the command withfalseinstead oftrue, then rerun the command withtrue.