9 Replies Latest reply on Aug 31, 2016 3:08 PM by arnieos

    Incorrect geolocation data

    eknaak

      Please forgive me if this is a silly question or a case of RTFM. I'm new to the ESM.


      I'm trying to set up a view that shows the geolocation of source IPs that are attempting SSH connections to the external-facing interface of a McAfee Enterprise Firewall. The log from the firewall clearly shows "src_geo=CN" or "src_geo=RU" for the vast majority of the packets that match my filter; however, the ESM lists them all as "Washington, United States". This is the same for both source and destination, which leads me to believe that the ESM doesn't use the geolocation data from the firewall logs and is also not doing the resolution itself.

      [Attached screenshot: One.jpg]

      [Attached screenshot: two.jpg]

      I've followed KB74247 to configure geolocation in the logs for my receiver.


      So, my questions are: How does the ESM resolve geolocation? What have I done incorrectly in my (noob) attempt to get geolocation data that is clearly present in the log data to show in an ESM view?


      Thank you!