1. Describe your incident:
I know that abuse-ch-ransomware no longer works but I so far have been unable to figure out how to stop this error from filling up my logs. If someone could help, I would appreciate that very much.
2021-12-09 09:05:40,063 WARN : org.graylog2.lookup.LookupTableService - Lookup table does not exist
2. Describe your environment:
OS Information: Mac OS X 12.0.1
Package Version:
Graylog v4.1.8 with graylog-plugin-threatintel-4.1.8.jar installed in plugins
Elasticsearch 7.10.1
mongodb-community 4.2
Service logs, configurations, and environment variables:
Nothing out of the ordinary. I'm importing logs from three sources. Everything is working as it should except for this error. I do have the following Content Packs installed, related to the Threat Intel plugin: "Tor Exit Node List", "Spamhaus DROP", "Whois".
3. What steps have you already taken to try and solve the problem?
Deleted the abuse-ch-ransomware data adapter. Current data adapters are "Whois", "Tor Exit Node", "Spamhaus DROP", "Open Threat Exchange (OTX) - IP", "Open Threat Exchange (OTX) - domain", "DNS reverse lookup". Nothing in "Lookup Tables" about abuse-ch (of course). Checked "System/Configurations" and only two plugins are enabled, "Tor exit nodes" and "Spamhaus". That is all that can be enabled. Have an "Internet Threat Pipeline" with two stages. The first stage is "Global/combined threat feed lookup", which references "threat_intel_lookup_ip", but it doesn't say whether it uses abuse_ch_ransomware. The second stage is "Inflate Threat Intel Results". It references "whois_lookup_ip", "otx_lookup_ip", "spamhaus_lookup_ip". There was a reference to "abusech_ransom_lookup_ip" there, but I commented it out with //. Somehow it is still getting called and I'm getting the missing table error.
I expect that maybe I have something over-configured in my Internet Threat Pipeline rules, but I don't know what it is that is trying to use abuse-ch-ransomware.
4. How can the community help?
If someone could tell me how to properly set up the graylog-plugin-threatintel-4.1.8.jar plugin to get rid of this error, that would be most helpful. I've searched and cannot find that specific answer.
Thanks gsmith for your help. I understand the error, and I assume that the lookup table is not supposed to exist, since it is my understanding that abuse-ch-ransomware-ip no longer works. What I don't know is what is causing it to be called. I've checked the lookup tables, caches, and data adapters and none refer to abuse-ch.
The Internet Threat Pipeline has two stages. I've determined that if I comment out Stage 1 and allow Stage 0 to run, that causes the message to occur. The Stage 0 rule is:
rule "Global/combined threat feed lookup"
when
  has_field("SRC")
then
  let src_addr_intel = threat_intel_lookup_ip(to_string($message.SRC), "SRC");
  set_fields(src_addr_intel);
end
So the routine threat_intel_lookup_ip must be calling the abuse_ch_ransomware_ip routine, which I thought was discontinued; see Ransomware.abuse.ch discontinued.
I'll take a look at your other links; maybe there has been a change to the "Global/combined threat feed lookup" rule that I need to implement.
In the meantime, my solution has been to set up a pipeline rule to drop those messages.
One other comment. I may have created the problem myself by deleting anything relating to abuse_ch, including the table, data adapter, etc., not realizing that threat_intel_lookup_ip was still calling it and that it is still the proper call according to the instructions on GitHub. Interesting, though, that in System -> Configuration -> Plugin Configuration for that plugin, "abuse_ch..." is no longer listed. Maybe I should have just left well enough alone. Dropping that message in the pipeline works too.
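For readers hitting the same warning, here is an added example (not the original poster's rule and not the plugin's own code) of the two things discussed in this thread: a Stage 0 rule that replaces the combined threat_intel_lookup_ip() call with explicit per-feed lookups, so the rule only touches the data adapters that still exist, and a separate rule that drops the "Lookup table does not exist" warning if Graylog's own server.log is being ingested as messages. The per-feed function names (spamhaus_lookup_ip, tor_lookup, otx_lookup_ip, whois_lookup_ip) follow the threatintel plugin README; that the OTX adapter is configured with an API key, and that the ingested warning lands in the standard "message" field, are assumptions. Each rule goes in its own rule definition under System > Pipelines.

```graylog
// Added example: explicit per-feed lookups instead of threat_intel_lookup_ip().
// Only feeds whose data adapters are present are queried, so nothing reaches
// the removed abuse.ch ransomware table. Field names mirror the prefix style
// that threat_intel_lookup_ip(ip, "SRC") would have produced.
rule "Global/combined threat feed lookup (explicit feeds)"
when
  has_field("SRC")
then
  let ip = to_string($message.SRC);

  // Spamhaus DROP and Tor exit node lists ship with the plugin.
  let spamhaus = spamhaus_lookup_ip(ip);
  let tor      = tor_lookup(ip);       // assumption: name per plugin README
  // OTX requires its data adapter and API key to be configured (assumption).
  let otx      = otx_lookup_ip(ip);
  // Whois adds registrant/country context; it does not indicate a threat.
  let whois    = whois_lookup_ip(ip);

  set_field("SRC_spamhaus_threat_indicated", spamhaus.threat_indicated);
  set_field("SRC_tor_threat_indicated",      tor.threat_indicated);
  set_field("SRC_otx_threat_indicated",      otx.threat_indicated);
  set_field("SRC_whois_country_code",        whois.country_code);

  // Summary flag, equivalent to what the combined function set: any hit counts.
  set_field("SRC_threat_indicated",
            spamhaus.threat_indicated || tor.threat_indicated || otx.threat_indicated);
end

// Added example: the workaround described above. Only meaningful if Graylog's
// server.log is itself shipped into Graylog; assumes the log line arrives in
// the "message" field. Attach it to the stream carrying that log, not to all
// messages, so unrelated events are never dropped.
rule "Drop abuse.ch lookup-table warnings"
when
  has_field("message") &&
  contains(to_string($message.message),
           "LookupTableService - Lookup table does not exist")
then
  drop_message();
end
```

Prefer the first rule over the second where possible: dropping the warning hides the symptom, while the explicit lookups stop the discontinued adapter from being called at all, and they also make it obvious in the rule itself which feeds a match came from.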
Oops, I was just looking through my docs on troubleshooting. It looks like we had that problem also. From the looks of our documentation, we removed the content pack and executed a reinstall (yum reinstall graylog-server), which fixed it for us.
I'm assuming you have this resolved? If so, could you mark this post as resolved for future searches? This may help others in the community.
Thanks
Thanks gsmith. I don’t want to remove the threatintel plugin because I like to log that. So yes, just dropping that message so that it doesn’t get logged works for me. Thanks again for taking the time to respond.