# Maxmind GeoIP2 and GeoLite2

## Overview

NetObserv Flow can attempt to determine attributes associated with the autonomous system and geo-location to which a public IP address belongs.

## Obtaining the Databases

To use the Maxmind databases for GeoIP and ASN enrichment you will need to download the databases. Due to changes in privacy law in California, Maxmind no longer makes its GeoLite2 databases available for download without [registering on their website](https://dev.maxmind.com/geoip/geoip2/geolite2/). Once you have registered and downloaded the database, you can make them available to NetObserv Flow for enrichment of public IP addresses.

Signup at: <https://www.maxmind.com/en/geolite2/signup>

## Configurations

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_ASN\_ENABLE

NetObserv Flow will attempt to determine attributes associated with the autonomous system to which a public IP address belongs. This setting determines whether this feature is enabled.

* Valid Values
  * `true`, `false`
* Default
  * `false`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_ASN\_PATH

If enrichment with autonomous system attributes is enabled using lookups in a Maxmind database (`EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_ASN_ENABLE` is `true`), this setting specifies the path to the Maxmind database.

* Default
  * `/etc/elastiflow/maxmind/GeoLite2-ASN.mmdb`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_ENABLE

NetObserv Flow will attempt to determine GeoIP attributes associated with a public IP address. This setting determines whether this feature is enabled.

* Valid Values
  * `true`, `false`
* Default
  * `false`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_PATH

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (`EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE` is `true`), this setting specifies the path to the Maxmind database.

* Default
  * `/etc/elastiflow/maxmind/GeoLite2-City.mmdb`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_VALUES

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (`EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE` is `true`), this setting specifies the GeoIP attributes from the Maxmind database to be included in the resulting record.

* Valid Values
  * `city`, `continent`, `continent_code`, `country`, `country_code`, `location`, `timezone`
* Default
  * `city,country,country_code,location,timezone`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_LANG

If enrichment with GeoIP attributes is enabled using lookups in a Maxmind database (`EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_ENABLE` is `true`), this setting specifies the language which should be used for any language-specific values.

* Valid Values
  * `de` - German
  * `en` - English
  * `es` - Spanish
  * `fr` - French
  * `ja` - Japanese
  * `pt-BR` - Brazilian Portuguese
  * `ru` - Russian
  * `zh-CN` - Simplified Chinese
* Default
  * `en`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_INCLEXCL\_PATH

For more control of when enrichment is applied, IP addresses can be included or excluded from GeoIP enrichment by Autonomous System or CIDR. This setting specifies the path to this file.

For more details on the format of this file and the behavior of the include/exclude functionality, refer to: [Scoping Enrichment with Include/Exclude](/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_udm.md#scoping-enrichment-with-include-exclude)

* Default
  * `''`
* Recommended
  * `/etc/elastiflow/maxmind/incl_excl.yml`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_MAXMIND\_GEOIP\_INCLEXCL\_REFRESH\_RATE

The file specified in `EF_PROCESSOR_ENRICH_IPADDR_MAXMIND_GEOIP_INCLEXCL_PATH` can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of `0` disables refreshing of the values.

* Default
  * `15`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.elastiflow.com/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_maxmind.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.