Beacon hunt in home network (possibly from Graylog?)

I am a novice at logging. I have installed Graylog on my home network as a self-learning exercise. I am collecting logs from Unify (including some details of internal and external network traffic), Linux logs, and logs from a Windows PC.

Because the Linux/Graylog collector is a quiet box, I have been looking at its traffic (as logged by Unify) in detail. I have set up a filter for traffic that I can account for (which is slowly growing).

This log entry routinely appears, and I am having trouble understanding it.

NetworkSecurityGatewayPro4 kernel: [WAN_OUT-2002-A]IN=eth0.21 OUT=eth2 SRC=192.168.3.3 DST=116.202.120.181 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26215 DF PROTO=TCP SPT=42824 DPT=443 WINDOW=2079 RES=0x00 ACK RST URGP=0

IP address 116.202.120.181 resolves to check.torproject.org

There are two entries in the log (at 23 minutes and 27 minutes past the hour), and it seems to beacon consistently at hourly intervals.

Running netstat shows that the PID associated with this 116.202.120.181 traffic is 1493/java.

Running sudo lsof -p 1493 suggests that the user of the process is Graylog (and gives lines and lines of output).

A PCAP from Wireshark shows 223kb encrypted payload downloaded for each poll of 116.202.120.181.

I am at a loss as to what to do next. I would like to understand if it is Graylog (or some other process) that is beaconing to 116.202.120.181.

Suggestions???
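The hunt described in this post (pull the firewall log lines for one quiet host, parse out the flows, and look for connections that recur on a fixed schedule) can be scripted rather than eyeballed. The following is an added example, not code from the post or from Graylog: it parses UniFi/iptables-style kernel log lines like the one above and scores each (SRC, DST, DPT) flow for periodicity. The log lines are constructed for the example (the syslog timestamps, the year 2024, UTC, and the second "noise" flow to 203.0.113.5 are all assumptions); the check.torproject.org flow is modelled on the post's :23 and :27 past-the-hour pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines modelled on the one in the post. Timestamps, the year
# and the second flow to 203.0.113.5 (documentation range) are all made up.
def _line(ts, src, dst, spt):
    return (f"{ts} NetworkSecurityGatewayPro4 kernel: [WAN_OUT-2002-A]IN=eth0.21 OUT=eth2 "
            f"SRC={src} DST={dst} LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=26215 DF PROTO=TCP "
            f"SPT={spt} DPT=443 WINDOW=2079 RES=0x00 ACK RST URGP=0")

_EVENTS = [  # (timestamp, SRC, DST, SPT)
    ("Mar 12 01:23:05", "192.168.3.3", "116.202.120.181", 42824),   # hourly at :23 / :27
    ("Mar 12 01:27:09", "192.168.3.3", "116.202.120.181", 42830),
    ("Mar 12 02:23:04", "192.168.3.3", "116.202.120.181", 42901),
    ("Mar 12 02:27:11", "192.168.3.3", "116.202.120.181", 42907),
    ("Mar 12 03:23:06", "192.168.3.3", "116.202.120.181", 43012),
    ("Mar 12 03:27:08", "192.168.3.3", "116.202.120.181", 43019),
    ("Mar 12 04:23:05", "192.168.3.3", "116.202.120.181", 43120),
    ("Mar 12 04:27:10", "192.168.3.3", "116.202.120.181", 43127),
    ("Mar 12 01:05:40", "192.168.3.10", "203.0.113.5", 51000),       # irregular background traffic
    ("Mar 12 01:41:40", "192.168.3.10", "203.0.113.5", 51001),
    ("Mar 12 02:58:02", "192.168.3.10", "203.0.113.5", 51002),
    ("Mar 12 03:12:33", "192.168.3.10", "203.0.113.5", 51003),
]
SAMPLE_LOG = "\n".join(_line(*ev) for ev in _EVENTS)

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[(?P<rule>[^\]]+)\](?P<rest>.*)$"
)


def parse_line(line, year=2024):
    """Turn one kernel firewall log line into a dict of its fields.
    Tokens containing '=' become key/value pairs (SRC, DST, DPT, ...); bare
    tokens such as DF, ACK and RST are collected under 'flags'. Syslog lines
    carry no year, so the caller supplies one; timestamps are assumed UTC."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"],
             "rule": m["rule"], "flags": []}
    for tok in m["rest"].split():
        key, sep, val = tok.partition("=")
        if sep:
            event[key] = val
        else:
            event["flags"].append(key)
    return event


def parse_log(text, year=2024):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]


def periodicity_score(times, period, tol=60):
    """Fraction of events that are followed by another event about `period`
    seconds later. For a regular beacon only the trailing events lack a
    successor, so the score approaches 1; irregular traffic scores near 0."""
    if not times:
        return 0.0
    hits = sum(1 for t in times if any(abs((u - t) - period) <= tol for u in times))
    return hits / len(times)


def find_beacons(events, min_events=4, min_score=0.6, min_period=300, tol=60):
    """Group events per (SRC, DST, DPT) flow, collapse them to 1-minute buckets
    so several packets of one session count once, then try every observed
    inter-event gap as a candidate period and keep the best-scoring one."""
    flows = defaultdict(set)
    for e in events:
        if "SRC" in e and "DST" in e:
            bucket = int(e["ts"].timestamp() // 60) * 60
            flows[(e["SRC"], e["DST"], e.get("DPT", "?"))].add(bucket)
    found = []
    for (src, dst, dpt), buckets in flows.items():
        times = sorted(buckets)
        if len(times) < min_events:
            continue
        candidates = {round((u - t) / 60) * 60 for t in times for u in times if u - t >= min_period}
        if not candidates:
            continue
        # Highest score wins; on a tie prefer the shorter period.
        period = max(candidates, key=lambda p: (periodicity_score(times, p, tol), -p))
        score = periodicity_score(times, period, tol)
        if score >= min_score:
            found.append({"src": src, "dst": dst, "dpt": dpt, "events": len(times),
                          "period_s": period, "score": round(score, 3)})
    return sorted(found, key=lambda b: -b["score"])


if __name__ == "__main__":
    for b in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{b['src']} -> {b['dst']}:{b['dpt']} every {b['period_s']}s "
              f"({b['events']} events, score {b['score']})")
```

Against the constructed sample this reports the 192.168.3.3 to 116.202.120.181:443 flow with a 3600 s period and a score of 0.75 (six of the eight events have a successor one hour later; the two in the last hour do not), while the irregular flow to 203.0.113.5 never scores above 0.25. On real data, feed it the raw lines exported from Graylog for the collector host and then tie any flagged flow back to a process with the netstat/lsof steps the post already uses; a scheduled lookup-table refresh and real command-and-control beaconing look identical at this layer, so the process and destination are what settle it.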

Hey @buot

Not sure about your Graylog version, but that looks like the threat intel plugin ( https://github.com/Graylog2/graylog-plugin-threatintel ) that is refreshing the list of Tor exit node IPs. This is a built-in lookup table that might be active by default or because you have enabled it.

Could this be?

Ahh … thank you. That does appear to be what is triggering the beaconing. Thanks for the pointer.
