The geoip fields are empty after Upgrade 2.3.200 [20230113] #9609

sleepingbel · 2023-01-21T09:57:59Z

sleepingbel
Jan 21, 2023

Hello all,

initial install 2.3.140 Hotfix [20220812], upgraded whit every new version until version Upgrade 2.3.200 [20230113]

Virtual machine on ESXI 6.7
Standalone install, zeek network logs
8 vCPU
24 vRAM
1.5 TB diskspace

After the upgrade to 2.3.200 all the geoip fields are empty.

I have whitelisted the following domains on my external firewall:
- geoip.elastic.co (GeoIP updates for Elasticsearch)
- storage.googleapis.com (GeoIP updates for Elasticsearch)
I have performed what is in the documentation Elasticsearch GeoIP
I rebooted SO

How can I check if the geoip enrichment data is present in SO?
How can I check if the geoip data is updated?

Regards
Bart

Answered by InfosecGoon

Is there anything helpful in the Elasticsearch logs, if you grep for 'GeoLite' in /opt/so/log/elasticsearch/*log?

InfosecGoon · 2023-01-24T20:17:34Z

Is there anything helpful in the Elasticsearch logs, if you grep for 'GeoLite' in /opt/so/log/elasticsearch/*log?

1 reply

The problem hase solved itself. I did not find any errors regarding geolite in the logs.
Stil thanks for the help.