IBM Support

QRadar: Configuring a MaxMind account for geographic data updates (APAR IJ21884)

Troubleshooting


Problem

GeoLite2 data is required to resolve geographic locations from IP addresses in QRadar. As of 30 December 2019, a MaxMind account must be configured by the administrator in QRadar System Settings. The default userid and license key values can no longer be used to receive geographic data updates.

Symptom

Administrators who use the default userid and license value receive a '401 Unauthorized' error in QRadar when geographic data attempts to update. When this issue occurs, the geodata_update.sh utility displays the following error message:
 
[Example-console-lab#/]/opt/qradar/bin/geodata_update.sh
Result: 401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh> line 37

Cause

The default geographic account included in QRadar requires a unique userid and license key to allow updates after 30 December 2019. Administrators must create a MaxMind account and update Admin > System Settings > Geographic Settings to continue to receive geographic location lookup data for IP addresses.

Environment

QRadar V7.3.1 and later.

Resolving The Problem

This procedure requires an Admin user to create a MaxMind account and update System Settings to ensure that geographic location data updates can complete successfully.
 
  1. Create a free MaxMind account: https://www.maxmind.com/en/geolite2/signup.
  2. After your account is created, an email is provided by MaxMind.
  3. Create a password for your account. 
  4. After you assign an account password, use the credentials you created to sign in.
  5. Click My License Key.
  6. Click Generate new license key.
  7. Configure the following values:
    • In the License key description, type: QRadar License Key.
    • In the field, 'Will this key be used for GeoIP Update', select Yes.
    • Select Generate a license key and config file for geoipupdate versions older than 3.1.1.
  8. Click Confirm.
  9. Record the Account/User ID and License Key information.
    Important: If you exit the license key screen without recording the information, you must generate a new license key from Step 4.
  10. Log in to QRadar as an administrator.
  11. Click the Admin tab.
  12. Click the System Settings icon.
  13. Navigate to Geographic Settings.
  14. Update the User ID and License Key values from Step 5.
  15. Click Save.
  16. From the Admin tab, click Deploy Changes.

    Results
    After the deploy completes, geographic data settings are updated for the QRadar deployment. Administrators can confirm their MaxMind geographic settings from the command line of the QRadar Console.

How to verify your geographic data license changes

Administrators can verify geographic data (geodata) updates from the QRadar command-line interface. After you update your System Settings to use your MaxMind User ID and License, you can attempt to run an update and verify whether any errors occur. To complete this procedure, you must have root access to QRadar.

 
  1. Use SSH to log in to your QRadar Console as the root user.
  2. To update geographic data, type: /opt/qradar/bin/geodata_update.sh

    Results
  • If successful, the administrator is returned to the command prompt with no errors displayed on screen.
  • If unsuccessful, a 401 Unauthorized error is displayed. If you experience an error, confirm the credentials in the QRadar System Settings from Step 10, then click Save and Deploy Changes. Repeat the verification procedure or generate a new license key from the MaxMind website. If you continue to experience problems or believe that Deploy Changes did not complete successfully, open a case with QRadar Support.
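The verification procedure above can be scripted so that a rejected MaxMind license is reported instead of going unnoticed while geographic data goes stale. The following is an added example, not IBM-supplied code; the function names, return codes and messages are assumptions, and it relies only on the two outcomes this page documents (no output on success, a 401 Unauthorized line on failure).

```shell
#!/bin/sh
# Added example: classify the output of /opt/qradar/bin/geodata_update.sh.
# The page documents two outcomes: no errors displayed on success, and a
# "401 Unauthorized" line when the MaxMind credentials are rejected.

GEODATA_UPDATE="${GEODATA_UPDATE:-/opt/qradar/bin/geodata_update.sh}"

# Print one of: ok | unauthorized | other_error, based on captured output.
classify_geodata_output() {
    output="$1"
    # Strip whitespace so blank lines still count as "no errors displayed".
    trimmed=$(printf '%s' "$output" | tr -d '[:space:]')
    if [ -z "$trimmed" ]; then
        echo "ok"
    elif printf '%s\n' "$output" | grep -q '401 Unauthorized'; then
        echo "unauthorized"
    else
        echo "other_error"
    fi
}

# Run the update as root on the Console and return 0 only for a clean run.
# The utility's exit status is not documented on the page (assumption: it is
# not reliable), so the decision is made on the output text alone.
check_geodata_update() {
    if [ ! -x "$GEODATA_UPDATE" ]; then
        echo "geodata check: $GEODATA_UPDATE not found or not executable" >&2
        return 3
    fi
    output=$("$GEODATA_UPDATE" 2>&1) || true
    case "$(classify_geodata_output "$output")" in
        ok)
            echo "geodata check: update completed with no errors"
            return 0 ;;
        unauthorized)
            echo "geodata check: 401 Unauthorized; confirm User ID and License Key in Geographic Settings, then Save and Deploy Changes" >&2
            return 1 ;;
        *)
            echo "geodata check: unexpected output follows" >&2
            printf '%s\n' "$output" >&2
            return 2 ;;
    esac
}

# Constructed sample: the error line shown in the Symptom section.
SAMPLE_401='Result: 401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh> line 37'
classify_geodata_output "$SAMPLE_401"   # prints: unauthorized
```

Source the file and call check_geodata_update from a root session on the Console; a non-zero return can be used to raise an alert from a scheduled job.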

Document Location

Worldwide

Document Information

Modified date:
31 March 2020

UID

ibm11172842