How To: MaxMind via GeoIP with pfELK

MaxMind

0a. Add MaxMind Repository (Ubuntu Only)

sudo add-apt-repository ppa:maxmind/ppa

0b. Install MaxMind (Ubuntu Only)

sudo apt install geoipupdate

1a. Download MaxMind (Debian Only)

Alternate versions available here: https://github.com/maxmind/geoipupdate/releases

wget https://github.com/maxmind/geoipupdate/releases/download/v4.9.0/geoipupdate_4.9.0_linux_amd64.deb

1b. Install MaxMind (Debian Only)

apt install ./geoipupdate_4.9.0_linux_amd64.deb

2. Configure MaxMind

• Create a MaxMind Account @ https://www.maxmind.com/en/geolite2/signup
• Login to your MaxMind Account; navigate to "My License Key" under "Services" and Generate new license key

sudo nano /etc/GeoIP.conf

• Modify lines 7 & 8 as follows (without < >):

AccountID <Input Your Account ID>
LicenseKey <Input Your LicenseKey>

• Modify line 13 as follows:

EditionIDs GeoLite2-City GeoLite2-Country GeoLite2-ASN

3. Download Maxmind Databases

sudo geoipupdate

4. Add cron (automatically updates Maxmind everyweek on Sunday at 1700hrs)

sudo nano /etc/cron.weekly/geoipupdate

• Add the following and save/exit

00 17 * * 0 geoipupdate

pfELK with MaxMind

1. Amend

/etc/pfelk/conf.d/30-geoip.conf

• Remove all instances of #MMR#
  • sed -i 's/#MMR#//' /etc/pfelk/conf.d/30-geoip.conf or edit manually

2. Restart Logstash

• systemctl restart logstash.service