IBM Support

QRadar: How to manually update the geographic database from a file (GeoLite2-City.mmdb)

How To


Summary

GeoLite2 data is required to resolve geographic locations for IP addresses in QRadar. This article provides a step-by-step guide to manually update GeoLite2 database in QRadar from the command line. This update type is intended for environments where Internet access is blocked or there is an air gap between the QRadar Console and external networks.

Environment

QRadar V7.3.1 and later.

Steps

Before you begin
This procedure requires an admin user to have a MaxMind account and to update System Settings with the MaxMind user ID and license. To configure a MaxMind account for geographic data updates, go to MaxMind Register.

Procedure
  1. In any web browser, navigate to the GeoIP2 and GeoIP Legacy Databases.
  2. Scroll down to the GeoLite2 City section and download the latest GeoLite2-City.mmdb file.
  3. Use SSH to log in to the QRadar Console as the root user.
  4. Copy the GeoLite2-City_<date>.tar.gz file to the QRadar Console. The file can be placed under the /storetmp/ directory.
  5. Change to the directory that holds the archive and unpack the latest database:
    cd /storetmp
    tar -xvzf GeoLite2-City*.tar.gz
  6. Back up the current GeoLite2-City database:
    mkdir -p /store/IBM_Support/Geodata
    cp -pv /opt/qradar/conf/GeoLite2-City.mmdb /store/IBM_Support/Geodata
  7. Copy the latest file to the staging folder (type y and press Enter to overwrite the existing file):
    cp -pv /storetmp/GeoLite2-City*/GeoLite2-City.mmdb /store/configservices/staging/globalconfig/
  8. Confirm the permissions in the staging folder:
    ls -l /store/configservices/staging/globalconfig/GeoLite2-City.mmdb
    -rw-rw-r-- 1 nobody nobody
    Example:
    [root@qradar ~]# ls -l /store/configservices/staging/globalconfig/GeoLite2-City.mmdb
    -rw-rw-r-- 1 nobody nobody 67714772 Apr 19 12:42 /store/configservices/staging/globalconfig/GeoLite2-City.mmdb
  9. Log in to the QRadar Console as an administrator.
  10. Click the Admin tab.
  11. Click Deploy Changes.
  12. Wait for the configuration to deploy.
  13. Compare the MD5 sum of the mmdb file in /storetmp with the file in /opt/qradar/conf. The two sums must match:
    md5sum /storetmp/GeoLite2-City*/GeoLite2-City.mmdb /opt/qradar/conf/GeoLite2-City.mmdb
    Example:
    [root@console ~]# md5sum /storetmp/GeoLite2-City*/GeoLite2-City.mmdb /opt/qradar/conf/GeoLite2-City.mmdb
    c2786d635823f3195ae689457fadc914  /storetmp/GeoLite2-City_20220412/GeoLite2-City.mmdb
    c2786d635823f3195ae689457fadc914  /opt/qradar/conf/GeoLite2-City.mmdb
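    The checks in steps 6, 8 and 13, as an added shell example that is not part of this article or of QRadar: the functions take file paths as parameters, the expected owner and mode are taken from step 8, and the demo at the bottom runs against constructed sample files in a temporary directory, so it never touches the QRadar directories. It assumes GNU coreutils (md5sum, stat -c), as found on the QRadar Console.

```shell
#!/bin/sh
# Added example (not QRadar code): helper checks for a manual GeoLite2-City.mmdb update.

# Step 6: back up the deployed database before it is overwritten. Prints the backup path.
geodb_backup() {
    src="$1"; dir="$2"
    mkdir -p "$dir" && cp -p "$src" "$dir/" && echo "$dir/$(basename "$src")"
}

# Step 8: the staged file must be owned by nobody:nobody with mode 664 (-rw-rw-r--).
# Returns 0 when ownership and mode match, 1 otherwise. Assumes GNU stat.
geodb_perms_ok() {
    stat -c '%U:%G %a' "$1" 2>/dev/null | grep -qx 'nobody:nobody 664'
}

# Step 13: the staged copy and the deployed copy must have the same MD5 sum.
# Returns 0 when the sums match, 1 when they differ or a file is missing.
geodb_md5_matches() {
    staged="$1"; deployed="$2"
    [ -f "$staged" ] && [ -f "$deployed" ] || return 1
    a=$(md5sum "$staged" | cut -d' ' -f1)
    b=$(md5sum "$deployed" | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# Demo on constructed sample files (placeholder contents, not a real .mmdb).
demo_dir=$(mktemp -d)
printf 'constructed mmdb v1' > "$demo_dir/deployed.mmdb"
printf 'constructed mmdb v2' > "$demo_dir/staged.mmdb"
geodb_backup "$demo_dir/deployed.mmdb" "$demo_dir/backup" >/dev/null
if geodb_md5_matches "$demo_dir/staged.mmdb" "$demo_dir/deployed.mmdb"; then
    echo "before deploy: sums match (unexpected)"
else
    echo "before deploy: sums differ (expected, new file not deployed yet)"
fi
cp "$demo_dir/staged.mmdb" "$demo_dir/deployed.mmdb"   # stands in for Deploy Changes
if geodb_md5_matches "$demo_dir/staged.mmdb" "$demo_dir/deployed.mmdb"; then
    echo "after deploy: sums match, update succeeded"
else
    echo "after deploy: sums differ, contact QRadar Support"
fi
rm -rf "$demo_dir"
```

    On a real Console, call geodb_md5_matches with the /storetmp and /opt/qradar/conf paths from step 13 after Deploy Changes completes.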
Results
The geographic database is updated. If the hashes don't match or any other error is encountered, contact QRadar Support for assistance.

Document Location

Worldwide


Document Information

Modified date:
20 May 2022

UID

ibm16573149