Continous failure user logs every second

rtheddu · July 5, 2018, 8:22am

Hi Team,

in our Production environment we are receiving the below mentioned log every second and it is piling up the data to almost one GB of logs a day. kindly find the error log message and advise how to stop this logs.

2018-05-31 00:00:13,228 ERROR: org.graylog2.restclient.models.UserService - Unauthorized to load user CCR_GT
org.graylog2.restclient.lib.APIException: API call failed GET http://@10.46.176.190:12900/users/CCR_GT returned 401 Unauthorized body:
        at org.graylog2.restclient.lib.ApiClientImpl$ApiRequestBuilder.execute(ApiClientImpl.java:481) ~[org.graylog2.graylog2-rest-client-1.0.1.jar:na]
        at org.graylog2.restclient.models.UserService.retrieveUserWithSessionId(UserService.java:160) ~[org.graylog2.graylog2-rest-client-1.0.1.jar:na]
        at lib.security.RedirectAuthenticator.authenticateSessionUser(RedirectAuthenticator.java:122) [graylog-web-interface.graylog-web-interface-1.0.1.jar:1.0.1]
        at lib.security.RedirectAuthenticator.getUsername(RedirectAuthenticator.java:54) [graylog-web-interface.graylog-web-interface-1.0.1.jar:1.0.1]
        at play.mvc.Security$AuthenticatedAction.call(Security.java:37) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.j.JavaAction$$anonfun$11.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.core.j.HttpExecutionContext$$anon$2.run(HttpExecutionContext.scala:40) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Execution$trampoline$.execute(Execution.scala:46) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.core.j.HttpExecutionContext.execute(HttpExecutionContext.scala:32) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$.apply(Future.scala:31) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.Future$.apply(Future.scala:485) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.core.j.JavaAction$class.apply(JavaAction.scala:82) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.core.Router$HandlerInvokerFactory$JavaActionInvokerFactory$$anon$15$$anon$1.apply(Router.scala:252) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4$$anonfun$apply$5.apply(Action.scala:130) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.utils.Threads$.withContextClassLoader(Threads.scala:21) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:129) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1$$anonfun$apply$4.apply(Action.scala:128) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at scala.Option.map(Option.scala:145) [org.scala-lang.scala-library-2.10.4.jar:na]
        at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:128) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.mvc.Action$$anonfun$apply$1.apply(Action.scala:121) [com.typesafe.play.play_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$mapM$1.apply(Iteratee.scala:483) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMapM$1.apply(Iteratee.scala:519) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at play.api.libs.iteratee.Iteratee$$anonfun$flatMap$1$$anonfun$apply$14.apply(Iteratee.scala:496) [com.typesafe.play.play-iteratees_2.10-2.3.6.jar:2.3.6]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) [org.scala-lang.scala-library-2.10.4.jar:na]
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:41) [com.typesafe.akka.akka-actor_2.10-2.3.4.jar:na]
        at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(AbstractDispatcher.scala:393) [com.typesafe.akka.akka-actor_2.10-2.3.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [org.scala-lang.scala-library-2.10.4.jar:na]
        at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [org.scala-lang.scala-library-2.10.4.jar:na]

Regards,
Rajesh

jochen · July 5, 2018, 8:56am

rtheddu:

2018-05-31 00:00:13,228 ERROR: org.graylog2.restclient.models.UserService - Unauthorized to load user CCR_GT
org.graylog2.restclient.lib.APIException: API call failed GET http://@10.46.176.190:12900/users/CCR_GT returned 401 Unauthorized body:

The unauthorized HTTP client trying to access the details of the user “CCR_GT” has to stop.

Also, it looks like you’re using a very old version of Graylog (and the Graylog web interface). I’d strongly recommend upgrading to a newer version (e. g. Graylog 2.4.5).

rtheddu · July 5, 2018, 10:48am

Hi Jochen,

Thank you for the swift response. Is there a way to stop Unauthorized client to access the user details.

Regards,

jochen · July 5, 2018, 10:55am

Yes. Stop the clients.

Other than that, they’ll only receive an “Unauthorized” response and won’t see the actual user details.

jochen · July 5, 2018, 11:07am

You could of course also try to find out the IP address of these clients and create a firewall rule to block them from communicating with the machine running Graylog.

rtheddu · July 5, 2018, 11:59am

Hi Jochen,

In the log I am not able to find the IP of the client. Is there any other place where we can check the details.

http://@10.46.176.190:12900/users/CCR_GT is the Gray log server.

Regards,

jochen · July 5, 2018, 12:22pm

You could use Wireshark to find out which client is trying to access the mentioned HTTP resource.

system · July 19, 2018, 12:22pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.