To update the GeoLite2 database in your ArcSight Manager environment, follow these steps:
1. Register on the MaxMind Portal
- Visit the MaxMind Portal and log into your account.
- If you don’t have an account, register for one.
2. Download the GeoLite2 Database
- Once logged in, navigate to the Account Portal.
- In the sidebar menu, select “Download Files”. This will take you to the page where GeoLite2 databases are available:
- https://www.maxmind.com/en/accounts/<account_ID>/geoip/downloads
- Locate the GeoLite2 City section.
- Click the “Download GZIP” link to start the download.
3. Extract the GeoLite2 Database
- After downloading, locate the file named:
- GeoLite2-City_<YYYYMMdd>.tar.gz
- Extract the archive.
- Inside the extracted folder, find the file named GeoLite2-City.mmdb.
4. Replace the Existing Database in ArcSight
- Stop the ArcSight Manager service:
- /etc/init.d/arcsight_services stop manager
- Navigate to the ArcSight Manager configuration directory:
- cd $ARCSIGHT_HOME/config/server
- Replace $ARCSIGHT_HOME with the path to your ArcSight installation directory.
- Rename the existing database file ipdataV6.mmdb for backup purposes:
- mv ipdataV6.mmdb ipdataV6.old_mmdb
- Move the extracted GeoLite2-City.mmdb file to this directory and rename it to ipdataV6.mmdb:
- mv /path/to/GeoLite2-City.mmdb ipdataV6.mmdb
5. Restart the ArcSight Manager
- Start the Manager service again:
- /etc/init.d/arcsight_services start manager
- Verify that the service starts correctly and confirm that the updated database is being used.
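Steps 3 and 4 as one shell function, as an added example that is not part of the original procedure or of ArcSight's own tooling: it extracts GeoLite2-City.mmdb into a scratch directory, checks the file before touching the live database, and keeps ipdataV6.old_mmdb as the backup. The function name install_geolite2, its return codes, and the "MaxMind.com" marker check are assumptions of this example.

```bash
# install_geolite2 ARCHIVE CONFIG_DIR   (hypothetical helper, not an ArcSight command)
#   ARCHIVE    - the downloaded GeoLite2-City_<YYYYMMdd>.tar.gz
#   CONFIG_DIR - $ARCSIGHT_HOME/config/server
# Run with the Manager stopped. Returns non-zero and leaves the current
# ipdataV6.mmdb in place if the archive is unusable.
install_geolite2() {
    local archive="$1" config_dir="$2" workdir member new_db
    [ -f "$archive" ] && [ -d "$config_dir" ] || return 2
    workdir=$(mktemp -d) || return 2

    # Locate the .mmdb member; refuse absolute paths and ".." so a malformed
    # archive cannot write outside the scratch directory.
    member=$(tar -tzf "$archive" 2>/dev/null | grep -E '(^|/)GeoLite2-City\.mmdb$' | head -n 1)
    case "$member" in
        ""|/*|*..*) rm -rf "$workdir"; return 3 ;;
    esac
    tar -xzf "$archive" -C "$workdir" "$member" || { rm -rf "$workdir"; return 3; }
    new_db="$workdir/$member"

    # Sanity check (assumed, not an integrity check): MaxMind DB files contain
    # the metadata marker string "MaxMind.com"; an empty or truncated download
    # or an HTML error page saved under the wrong name does not.
    if [ ! -s "$new_db" ] || ! grep -qa 'MaxMind.com' "$new_db"; then
        rm -rf "$workdir"; return 4
    fi

    # Keep the previous database as ipdataV6.old_mmdb, then install the new one.
    if [ -f "$config_dir/ipdataV6.mmdb" ]; then
        mv "$config_dir/ipdataV6.mmdb" "$config_dir/ipdataV6.old_mmdb" \
            || { rm -rf "$workdir"; return 5; }
    fi
    if ! mv "$new_db" "$config_dir/ipdataV6.mmdb"; then
        # Roll back so the Manager still has a database to load.
        [ -f "$config_dir/ipdataV6.old_mmdb" ] \
            && mv "$config_dir/ipdataV6.old_mmdb" "$config_dir/ipdataV6.mmdb"
        rm -rf "$workdir"; return 5
    fi
    rm -rf "$workdir"
}
```

Call it between the stop and start commands from steps 4 and 5, for example `install_geolite2 /path/to/GeoLite2-City_<YYYYMMdd>.tar.gz "$ARCSIGHT_HOME/config/server"`, and start the Manager only if it returns 0.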
Notes:
- Ensure you have appropriate permissions to perform these actions.
- Always back up your existing configuration files before making changes.
- If you encounter any issues, consult the ArcSight documentation or support.
By following these steps, the GeoLite2 database will be successfully updated in your ArcSight Manager system.