MaxMind Configuration

LogScale includes GeoLite2 databases from MaxMind to enable ASN and IP location lookups via the asn() and ipLocation() functions, respectively.

Due to the way these databases are licensed, they expire after 30 days and thus must be updated regularly. If the IP location database or IP ASN database expires, then any calls to ipLocation() or asn() will cause a warning in the query and not add any location or ASN data to the event.

By default, the database is automatically updated via an update service hosted by LogScale if the cluster is running with a valid LogScale license.

If you wish to manage this yourself instead, you can supply your own MaxMind databases by setting AUTO_UPDATE_MAXMIND to false and placing the databases in the LogScale data directory. The databases should be named as follows:

  • IpLocationDb.mmdb, for the IP location database.

  • IpAsnDb.mmdb, for the IP ASN database.

LogScale will check these files periodically and reload them if they are updated.

Note

Updates to the MaxMind database are checked every 5 minutes.
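
For self-managed databases, a scheduled freshness check catches a stalled refresh before the 30-day expiry. The script below is an added example, not part of LogScale; it assumes file modification time reflects database age, and WARN_DAYS, NOW_EPOCH and the data directory path are hypothetical.

```shell
#!/bin/sh
# Added example: freshness check for self-managed MaxMind databases.
# Assumption: file mtime stands in for database age.
EXPIRY_DAYS=30   # expiry window stated in the documentation above
WARN_DAYS=23     # hypothetical early-warning threshold, tune to taste

# Print whole days since FILE was last modified.
# NOW_EPOCH is a hypothetical override so the check can be tested.
file_age_days() {
    now=${NOW_EPOCH:-$(date +%s)}
    # GNU stat first, BSD/macOS stat as fallback
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" 2>/dev/null) || return 1
    echo $(( (now - mtime) / 86400 ))
}

# Return 0 if fresh, 1 if nearing expiry, 2 if expired, missing or empty.
check_maxmind_db() {
    if [ ! -s "$1" ]; then
        echo "CRITICAL: $1 is missing or empty"
        return 2
    fi
    age=$(file_age_days "$1") || { echo "CRITICAL: cannot stat $1"; return 2; }
    if [ "$age" -ge "$EXPIRY_DAYS" ]; then
        echo "CRITICAL: $1 is $age days old; ipLocation()/asn() lookups will warn"
        return 2
    elif [ "$age" -ge "$WARN_DAYS" ]; then
        echo "WARNING: $1 is $age days old; refresh before day $EXPIRY_DAYS"
        return 1
    fi
    echo "OK: $1 is $age days old"
    return 0
}

# Check both database files in the LogScale data directory DIR and
# return the worst status seen.
check_data_dir() {
    worst=0
    for db in IpLocationDb.mmdb IpAsnDb.mmdb; do
        db_rc=0
        check_maxmind_db "$1/$db" || db_rc=$?
        if [ "$db_rc" -gt "$worst" ]; then worst=$db_rc; fi
    done
    return "$worst"
}

# Run as: sh check_maxmind.sh /path/to/logscale/data  (path is a placeholder)
if [ "$#" -eq 1 ]; then check_data_dir "$1"; fi
```

The exit status (0, 1 or 2) maps directly onto the OK/WARNING/CRITICAL convention used by common monitoring agents, so the script can be scheduled as is.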

It is also possible for LogScale to automatically download directly from MaxMind if you have a MaxMind license. To do so, the following must be set:

Below is an example of how these variables might be set:

```ini
AUTO_UPDATE_MAXMIND=true
MAXMIND_ACCOUNT_ID=your-account-id
MAXMIND_LICENSE_KEY=your-license-key
MAXMIND_IP_LOCATION_EDITION_ID=GeoLite2-City
MAXMIND_BASE_URL=http://my-maxmind-proxy.local
```

Important

If LogScale is unable to update these files after 30 days, the ipLocation() and asn() functions will not operate: a warning will be generated in the query, and no location information will be added to the query.