GeoLitePrivate2-City.mmdb doesn't exist

[anubisg1]

to use the geoip enrichment, you need to files, specifically

          database => "/mnt/s3fs_geoip/GeoLite2-City.mmdb"
          database => "/mnt/s3fs_geoip/GeoLitePrivate2-City.mmdb"

unfortunately seems like GeoLitePrivate2-City.mmdb doesn't exist anywhere in the internet and maxmind only provides

• GeoLite2-ASN.mmdb
• GeoLite2-City.mmdb
• GeoLite2-Country.mmdb

i'd expect that either more information on where to find GeoLitePrivate2-City.mmdb is added to the documentation or the enrichment pipeline is updated to function without that file

[brian-grabau]

Correct you have to subscribe and get your own copy, I cannot redistribute
https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html

[anubisg1]

Hi,

maybe i wasn't clear.. when you subscribe and download the geoip databases, you can download only

• GeoLite2-ASN.mmdb
• GeoLite2-City.mmdb
• GeoLite2-Country.mmdb

the DB that the enrichment pipeline requires, specifically GeoLitePrivate2-City.mmdb is not provided by maxmind.

[KrishnanandSingh]

Yeah the files aren't present in the repo. It is also mentioned here that you need to add them yourself https://github.com/Cargill/OpenSIEM-Logstash-Parsing/tree/1.0/build_scripts#getting-started

The private geoip file is what we created for us with the internal network information we have to be used inside Cargill. Distributing that would be sensitive to Cargill and useless for others. You can use the maxmind writer to create a private geoip file yourself.