search
Ctrlk

Maxmind GeoIP2 and GeoLite2

hashtag
Overview

NetObserv Flow can attempt to determine attributes associated with the autonomous system and geo-location to which a public IP address belongs.

hashtag
Obtaining the Databases

To use the Maxmind databases for GeoIP and ASN enrichment you will need to download the databases. Due to changes in privacy law in California, Maxmind no longer makes its GeoLite2 databases available for download without registering on their websitearrow-up-right. Once you have registered and downloaded the database, you can make them available to NetObserv Flow for enrichment of public IP addresses.

Signup at: https://www.maxmind.com/en/geolite2/signuparrow-up-right

hashtag
Configurations

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE

NetObserv Flow will attempt to determine attributes associated with the autonomous system to which a public IP address belongs. This setting determines whether this feature is enabled.

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_PATH

If enrichment with autonomous system attributes is enabled using lookups in a Maxmind database (EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE is true), this setting specifies the path to the Maxmind database.

  • Default

    • /etc/elastiflow/maxmind/GeoLite2-ASN.mmdb

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE

NetObserv Flow will attempt to determine GeoIP attributes associated with a public IP address. This setting determines whether this feature is enabled.

  • Valid Values

    • true, false

  • Default

    • false

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_PATH

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE is true), this setting specifies the path to the Maxmind database.

  • Default

    • /etc/elastiflow/maxmind/GeoLite2-City.mmdb

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_VALUES

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE is true), this setting specifies the GeoIP attributes from the Maxmind database to be included in the resulting record.

  • Valid Values

    • city, continent, continent_code, country, country_code, location, timezone

  • Default

    • city,country,country_code,location,timezone

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_LANG

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE is true), this setting specifies the language which should be used for any language-specific values.

  • Valid Values

    • de - German

    • en - English

    • es - Spanish

    • fr - French

    • ja - Japanese

    • pt-BR - Brazilian Portuguese

    • ru - Russian

    • zh-CN - Simplified Chinese

  • Default

    • en

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH

For more control of when enrichment is applied, IP addresses can be included or excluded from GeoIP enrichment by Autonomous System or CIDR. This setting specifies the path to this file.

For more details on the format of this file and the behavior of the include/exclude functionality, refer to: Scoping Enrichment with Include/Exclude

  • Default

    • ''

  • Recommended

    • /etc/elastiflow/maxmind/incl_excl.yml

hashtag
EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_REFRESH_RATE

The file specified in EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of 0 disables refreshing of the values.

  • Default

    • 15

PreviousElastiFlow NetIntelNextDNS Enrichment

Last updated

Was this helpful?