Enabling geolocation on internal IP addresses

Hi everyone,

we are trying to enable geolocation for internal IP addresses. The company has a large number of local offices across the whole country and they are all seen as private addresses.

What we have done is:

  • make sure all events have the source IP address correctly mapped
  • imported all office locations with latitude and longitude per region
  • imported all network zones and connected them to the proper location
  • assigned connectors and zones to the default network

It still does not work, the zone is always the default one for private addressing (i.e. RFC1918: 10.0.0.0-10.255.255.255) and it just doesn't populate the geolocation info properly. Do I also need to manually import and assign all assets to the zones? Do I need to delete the standard zones?

I also have the issue that I do not know how to troubleshoot this, where can I see some logs to understand the process behind it and fix this?

Any tip would be welcome.

  • Use ArcSight ESM?

    ESM Console -> Navigator -> Assets

    1. -> Locations: Create New Group & New Location -> Edit this New Location latitude, longitude, City, Country .....

    2. -> Zones: choose -> /All Zones/Arcsight System/Private Address Space Zones/RFC1918:X.X.X.X and Edit it -> Location -> choose New Location

    And Apply 


  • I'm assuming you probably didn't read my post entirely. I specified that we have indeed manually created the locations and the zones, manually selecting the proper location in each zone. This however is not working, either because the default zone configuration is overriding the custom one or because there is a bug, hence the two questions at the bottom of my original post.

    So my question was intended to find someone who maybe had our same problem and whether they managed to solve it, not to get the per-manual instructions... for that we can refer to the documentation.

    As I was saying another problem that this situation has created is that all assets are now assigned to the default zone, this means that we will need to clean it all up once the zone issue is resolved.

  • Are your events coming through ESM with deviceZoneName/sourceZoneName/destinationZoneName populated? 
    Have you assigned the CustomerURI in all connector destinations to ESM?

  • Hi,

    unfortunately no, all of these fields are not populated which is the main reason for this post. I have in the meantime tried deleting the default local zone for the 10.0.0.0 class but it is still not populating with the proper network/zone/location info. I have made sure that the connectors are selected in the zone configuration.

    The customer URI is not configured in the connector, I haven't seen any reference to it in the different howtos manuals and documentation. How does that condition the network configuration?

    My doubt is that I need to wipe all the current assets that have already been discovered so that the ESM rediscovers those assets with the new information. Could that be the case? How could I test if this is going to work, could I launch an automatic rezoning of an asset to make sure it does work?

    More than fixing the issue I am also interested in trying to understand how to troubleshoot these situations. Are there any logs that I might tail so that I can understand where the issue lies?