To update the GeoLite2 database in your ArcSight Manager environment, follow these steps:
1. Register on the MaxMind Portal
- Visit the MaxMind Portal and log into your account.
- If you don’t have an account, register for one.
2. Download the GeoLite2 Database
- Once logged in, navigate to the Account Portal.
- In the sidebar menu, select “Download Files”. This will take you to the page where GeoLite2 databases are available:
- <https://www.maxmind.com/en/accounts/<account_ID>/geoip/downloads>
- Locate the GeoLite2 City section.
- Click the “Download GZIP” link to start the download.
3. Extract the GeoLite2 Database
- After downloading, locate the file named GeoLite2-City_<YYYYMMdd>.tar.gz.
- Extract the archive.
- Inside the extracted folder, find the file named GeoLite2-City.mmdb.
4. Replace the Existing Database in ArcSight
- Stop the ArcSight Manager service:
/etc/init.d/arcsight_services stop manager
- Navigate to the ArcSight Manager configuration directory:
cd $ARCSIGHT_HOME/config/server
- Replace $ARCSIGHT_HOME with the path to your ArcSight installation directory.
- Rename the existing database file ipdataV6.mmdb for backup purposes:
mv ipdataV6.mmdb ipdataV6.old_mmdb
- Move the extracted GeoLite2-City.mmdb file to this directory and rename it to ipdataV6.mmdb:
mv /path/to/GeoLite2-City.mmdb ipdataV6.mmdb
5. Restart the ArcSight Manager
- Start the Manager service again:
/etc/init.d/arcsight_services start manager
- Verify that the service starts correctly and confirm that the updated database is being used.
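The extract, back up and replace actions from steps 3 and 4 can be combined into one function that refuses to touch the live file unless the download looks like a real database. This is an added example, not part of the original post or of ArcSight's tooling; the function name stage_geolite2 and its two arguments are hypothetical, and it assumes the Manager has already been stopped.

```shell
#!/bin/sh
# Added example (not from the original post). Run it after stopping the Manager
# and before starting it again. Function and variable names are hypothetical.

# stage_geolite2 ARCHIVE CONFIG_DIR
#   ARCHIVE    = downloaded GeoLite2-City_<YYYYMMdd>.tar.gz
#   CONFIG_DIR = $ARCSIGHT_HOME/config/server
stage_geolite2() {
    archive=$1
    config_dir=$2
    live="$config_dir/ipdataV6.mmdb"
    backup="$config_dir/ipdataV6.old_mmdb"

    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    [ -d "$config_dir" ] || { echo "no such directory: $config_dir" >&2; return 1; }

    workdir=$(mktemp -d) || return 1
    # Extract into a scratch directory, never directly into the config directory.
    if ! tar -xzf "$archive" -C "$workdir"; then
        echo "extraction failed" >&2; rm -rf "$workdir"; return 1
    fi

    new=$(find "$workdir" -type f -name 'GeoLite2-City.mmdb' | head -n 1)
    if [ -z "$new" ] || [ ! -s "$new" ]; then
        echo "GeoLite2-City.mmdb missing or empty" >&2; rm -rf "$workdir"; return 1
    fi
    # Sanity check only (not an authenticity check): the MMDB metadata marker ends
    # in "MaxMind.com"; an HTML error page or a truncated file will not contain it.
    if ! LC_ALL=C grep -a -q -F 'MaxMind.com' "$new"; then
        echo "file does not look like an MMDB database" >&2; rm -rf "$workdir"; return 1
    fi

    # Keep the previous database so the change can be rolled back.
    if [ -f "$live" ]; then
        mv "$live" "$backup" || { rm -rf "$workdir"; return 1; }
    fi
    if ! cp "$new" "$live"; then
        echo "copy failed, restoring previous database" >&2
        [ -f "$backup" ] && mv "$backup" "$live"
        rm -rf "$workdir"; return 1
    fi
    rm -rf "$workdir"
    echo "installed $live"
}

if [ "$#" -eq 2 ]; then stage_geolite2 "$1" "$2"; fi
```

If the Manager fails to start with the new file, moving ipdataV6.old_mmdb back to ipdataV6.mmdb restores the previous state.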
Notes:
- Ensure you have appropriate permissions to perform these actions.
- Always back up your existing configuration files before making changes.
- If you encounter any issues, consult the ArcSight documentation or support.
By following these steps, the GeoLite2 database will be successfully updated in your ArcSight Manager system.
The post How to Update GeoLite2 Database in ArcSight Manager appeared first on SOC Prime.