MaxMind Configuration

LogScale includes GeoLite2 databases from MaxMind to enable ASN and IP location lookups via the asn() and ipLocation() function, respectively.

Due to the way these databases are licensed, they expire after 30 days and thus must be updated regularly. If the IP location database or IP ASN database expires, then any calls to ipLocation() or asn() will cause a warning in the query and not add any location or ASN data to the event.

By default, the database is automatically updated via an update service hosted by LogScale if the cluster is running with a valid LogScale license.

If instead you wish to manage this yourself, you can supply your own MaxMind databases by setting AUTO_UPDATE_MAXMIND to false and placing the databases in the LogScale data directory. The databases should be named the following:

IpLocationDb.mmdb, for the IP location database.
IpAsnDb.mmdb, for the IP ASN database.

LogScale will check these files periodically and reload them if they are updated.

Note

Updates to the MaxMind database are checked every 5 minutes.

It is also possible for LogScale to automatically download directly from MaxMind if you have a MaxMind license. To do so, the following must be set:

AUTO_UPDATE_MAXMIND, to true (default).
MAXMIND_ACCOUNT_ID, to the ID of your MaxMind account.
MAXMIND_LICENSE_KEY, to the license key for your MaxMind account.
MAXMIND_IP_LOCATION_EDITION_ID (optional), if you wish to use an alternative MaxMind database for IP location information.
MAXMIND_BASE_URL (optional), if you wish to use another base path to download from.

Below is an example of how these variables might be set:

ini

AUTO_UPDATE_MAXMIND=true
MAXMIND_ACCOUNT_ID=your-account-id
MAXMIND_LICENSE_KEY=your-license-key
MAXMIND_IP_LOCATION_EDITION_ID=GeoLite2-City
MAXMIND_BASE_URL=http://my-maxmind-proxy.local

Important

If LogScale is unable to update these files after 30 days, the ipLocation() and asn() will not operate, a warning will be generated in the query, no location information will be added to the query.

Configuration when behind a Proxy

To configure access and updates for MaxMind when the cluster is behind firewall and requires a proxy, you can set the HTTP_PROXY_HOST and HTTP_PROXY_PORT variables to set the proxy information. For example:

ini

HTTP_PROXY_HOST=proxy.example.net
HTTP_PROXY_PORT=3128
AUTO_UPDATE_MAXMIND=true
MAXMIND_ACCOUNT_ID=account-id
MAXMIND_LICENSE_KEY=license-key
MAXMIND_IP_LOCATION_EDITION_ID=GeoLite2-City
MAXMIND_BASE_URL=https://download.maxmind.com

Self-Hosted Overview

Installing LogScale

Instance Administration

Organization Essentials

Configuring Security

Authentication & Identity Providers

Users & permissions

Cluster Management

Configuration Settings

Ingesting Data

LogScale Configuration Parameters

LogScale URLs & Endpoints

Limits & Standards

Data Analysis Overview

LogScale User Interface

Repositories & Views

Parsing Data

Searching Data

Writing Queries

Query Language Syntax

Query Joins and Lookups

Query Functions

Dashboards & Widgets

Automation

Template Language

Keyboard Shortcuts