Splunk and Geo Location

It is important to ensure the MaxMind database behind Splunk’s iplocation command is as up to date as possible. Long ago I made a skeleton app to download the database in place and take advantage of a Splunk configuration option to point at it. 

MaxMind changed how you can download the free databases in 2019. It is detailed in their Blog Post. I have updated the TA located in my GitRepo to hold and use a downloaded updated database. 

Here are the things you need to do when using this TA to use an updated DB in your environment.

1. You cannot auto-download the database without a paid license key. Regardless of how you obtain the mmdb file, you need to update it on ALL search heads and indexers so that iplocation has the most current information you can obtain.

2. You will need to follow their instructions for setting up an account and download the database to a central location. If you mass-download it from a large number of servers, you could get blocked for appearing to be a DDoS against MaxMind.

3. Use your organization's configuration automation tools to distribute it to ALL the Search Heads and Indexers and place the file at TA-geoip/bin/GeoLite2-City.mmdb.

4. If you deploy this configuration container app and do not place the mmdb in bin, Splunk will simply default to the installation's default copy. This will most likely be very out-of-date geo information.
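Because Splunk falls back silently to its bundled copy when the file is missing, a post-deploy check on every search head and indexer is worth having. The script below is an added example, not code from the TA or the post; the SPLUNK_HOME default, MAX_AGE_DAYS and the reference checksum are assumptions, while the TA path is the one named above.

```shell
#!/bin/sh
# Added example, not part of the TA or the post: verify that a Splunk host
# actually carries the distributed GeoLite2-City.mmdb and that it is recent,
# so iplocation does not silently fall back to the bundled, stale database.
# Assumptions: SPLUNK_HOME (default /opt/splunk), MAX_AGE_DAYS and the
# reference checksum are constructed here; the TA path is the one in the post.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
TA_DB="$SPLUNK_HOME/etc/apps/TA-geoip/bin/GeoLite2-City.mmdb"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-45}"

# file_age_days FILE: print the file's age in whole days from its mtime
# (tries GNU stat first, then BSD/macOS stat).
file_age_days() {
    f="$1"
    if mtime=$(stat -c %Y "$f" 2>/dev/null); then :; else mtime=$(stat -f %m "$f"); fi
    now=$(date +%s)
    echo $(( (now - mtime) / 86400 ))
}

# check_geoip_db DB_PATH MAX_AGE_DAYS [EXPECTED_SHA256]
# Exit status: 0 ok, 1 missing, 2 not an MMDB, 3 older than MAX_AGE_DAYS,
# 4 checksum differs from the reference taken on the central download host.
check_geoip_db() {
    db="$1"; max_age="$2"; expected="${3:-}"
    [ -f "$db" ] || { echo "MISSING: $db (Splunk will use its bundled copy)"; return 1; }
    # Every MMDB file ends with a metadata section introduced by this marker,
    # located within the last 128 KiB of the file.
    tail -c 131072 "$db" | grep -q 'MaxMind.com' || { echo "NOT_MMDB: $db"; return 2; }
    age=$(file_age_days "$db")
    [ "$age" -le "$max_age" ] || { echo "STALE: $db is $age days old"; return 3; }
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$db" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "MISMATCH: $db sha256 $actual"; return 4; }
    fi
    echo "OK: $db ($age days old)"
    return 0
}

# Run from a post-deploy hook on every search head and indexer, passing the
# sha256 recorded on the central download host, e.g.:
# check_geoip_db "$TA_DB" "$MAX_AGE_DAYS" "$(cat /path/to/GeoLite2-City.sha256)"
```

A non-zero exit from the hook is the signal that the host is still serving the bundled database and should be reported rather than ignored.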

It is important that you keep the database updated, especially if you are using things like Country or Improbable Travel criteria for generating Splunk Enterprise Security Notable Events.