Couldn't refresh adapter <abuse-ch-ransomware-domains>

Hello all,

I notice this entry spamming in Graylog’s server.log:

    2018-05-02T17:43:04.696-04:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <abuse-ch-ransomware-domains/5ade22e42bf9e61bf8226f84/@4e5fb3b4> connect timed out
        at Method) ~[?:1.8.0_91]
        at ~[?:1.8.0_91]
        at ~[?:1.8.0_91]
        at ~[?:1.8.0_91]
        at ~[?:1.8.0_91]
        at ~[?:1.8.0_91]
        at okhttp3.internal.platform.Platform.connectSocket( ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connectSocket( ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connect( ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findConnection( ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.findHealthyConnection( ~[graylog.jar:?]
        at okhttp3.internal.connection.StreamAllocation.newStream( ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed( ~[graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain( ~[graylog.jar:?]
        at okhttp3.RealCall.execute( ~[graylog.jar:?]
        at org.graylog2.lookup.adapters.dsvhttp.HTTPFileRetriever.fetchFileIfNotModified( ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.loadData( ~[?:?]
        at org.graylog.plugins.threatintel.adapters.abusech.AbuseChRansomAdapter.doRefresh( ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.refresh( ~[graylog.jar:?]
        at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0( ~[graylog.jar:?]
        at java.util.concurrent.Executors$ [?:1.8.0_91]
        at java.util.concurrent.FutureTask.runAndReset( [?:1.8.0_91]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301( [?:1.8.0_91]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor.runWorker( [?:1.8.0_91]
        at java.util.concurrent.ThreadPoolExecutor$ [?:1.8.0_91]
        at [?:1.8.0_91]

I have seen this similar post on the forums:

But I suspect my situation might be slightly different: We just recently upgraded from Graylog v2.1 to v2.4 and have never used the lookup tables. My graylog_depreceation.log is 0 bytes (this log was mentioned in the other post).

I am very new to Graylog. Can anyone provide a bit more information on how I would troubleshoot this?

Can you curl/wget on the list manually? If so, it seems you have a good path to the list. If not, maybe a firewall or something is blocking the way. URLs:

    DOMAINS("", true),
    URLS("", true),
    IPS("", false);

Also, the docs state that to use Tor:

You'll need at least Java 8 (u101) to make this work. The exit node information is hosted on a Tor website that uses Let's Encrypt for SSL and only Java 8 (u101 or newer) supports it.

As @billmurrin already wrote, your Graylog is not able to get the updates from the outside world.

That is not really a problem, as long as you do not want to use the threat intel plugin. Those lookup tables are created because of the present plugin.

Your options are:

  • ignore the message
  • delete the plugin and the lookup tables
  • open graylog to be able to request the information
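
Added example, not part of the original thread and not Graylog code: this Python script triages a server.log like the one quoted above. It counts lookup adapter refresh failures per adapter and cause, and reads the Java 8 update number from the stack-frame tags so it can be compared with the u101 minimum the docs mention. The sample log is constructed; the second adapter name and its error text are assumptions.

```python
import re
from collections import Counter

# Constructed sample shaped like the server.log entry quoted in the thread.
# "constructed-feed" and its error text are made up for illustration.
SAMPLE_LOG = """\
2018-05-02T17:43:04.696-04:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <abuse-ch-ransomware-domains/5ade22e42bf9e61bf8226f84/@4e5fb3b4> connect timed out
        at java.util.concurrent.FutureTask.runAndReset( [?:1.8.0_91]
2018-05-02T17:44:04.701-04:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <abuse-ch-ransomware-domains/5ade22e42bf9e61bf8226f84/@4e5fb3b4> connect timed out
2018-05-02T17:44:10.120-04:00 INFO  [ConstructedComponent] unrelated line
2018-05-02T17:45:02.015-04:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <constructed-feed/0000000000000000000000aa/@1a2b3c4d> Connection refused
"""

FAILURE = re.compile(
    r"^(?P<ts>\S+) ERROR \[LookupDataAdapter\] Couldn't refresh data adapter "
    r"<(?P<name>[^/>]+)/(?P<id>[^/>]+)/@[0-9a-f]+> (?P<cause>.*)$"
)
# Stack frames from JDK classes carry the runtime version, e.g. [?:1.8.0_91].
JDK_TAG = re.compile(r"\[\?:1\.8\.0_(\d+)\]")


def refresh_failures(log_text):
    """Count refresh failures per (adapter name, cause)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if m:
            counts[(m["name"], m["cause"].strip())] += 1
    return counts


def java8_updates(log_text):
    """Return the set of Java 8 update numbers seen in stack-frame tags."""
    return {int(u) for u in JDK_TAG.findall(log_text)}


def below_required_update(log_text, required=101):
    """True if any logged Java 8 runtime is older than the required update."""
    return any(u < required for u in java8_updates(log_text))


if __name__ == "__main__":
    for (name, cause), n in refresh_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {name}: {cause}")
    print("Java 8 updates seen:", sorted(java8_updates(SAMPLE_LOG)))
    print("Older than u101:", below_required_update(SAMPLE_LOG))
```
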
