Couldn't refresh data adapter

Graylog Central (peer support)
1

Hi all,
I found the following message in the gralog server log:

    2018-05-02T07:32:29.057+08:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <tor-exit-node/5a9523b823adbbeeba06b10d/@750e46a8>
    java.net.SocketTimeoutException: connect timed out
            at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_65]
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_65]
            at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_65]
            at okhttp3.internal.platform.Platform.connectSocket(Platform.java:125) ~[graylog.jar:?]
            at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:238) ~[graylog.jar:?]
            at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:158) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
            at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) ~[graylog.jar:?]
            at okhttp3.RealCall.execute(RealCall.java:77) ~[graylog.jar:?]
            at org.graylog.plugins.threatintel.adapters.tor.TorExitNodeDataAdapter.doStart(TorExitNodeDataAdapter.java:83) ~[?:?]
            at org.graylog.plugins.threatintel.adapters.tor.TorExitNodeDataAdapter.doRefresh(TorExitNodeDataAdapter.java:104) ~[?:?]
            at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
            at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_65]
            at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_65]
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_65]
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_65]
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_65]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_65]
            at java.lang.Thread.run(Thread.java:745) [?:1.8.0_65]
    2018-05-02T08:00:05.779+08:00 INFO  [AbstractRotationStrategy] Deflector index <hap index set> (index set <hap_43>) should be rotated, Pointing deflector to new index now!

I clicked “System->Lookup Tables” and saw this:

image
image.png1257×545 56.1 KB

I have checked elasticsearch log, there is no error or warning messages. Only find some warn message in /var/log/elasticsearch/graylog_deprecation.log:

[2018-05-02T08:04:37,406][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,407][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,407][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,409][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,409][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]

I don’t know what causes this situation.
I installed graylog cluster with three nodes.
Version:

  • graylog 2.4
  • elasticsearch 5.6.8
  • mongoDB 3.2.19

Please help me solve this problem.

2

both errors are not connected.

The Tor Data Adapter tries to connect to the outside world and it looks like this is not possible for your Graylog Servers.

The second ‘problem’ is that your Elasticsearch had saved some value as boolean but you are sending in the same field name with non boolean values.

3

Thank you!
Will the first error affect the use of the entire graylog cluster?

4

only the tor lookup function will not work.

5

Ok, Thank you!
I checked elasticsearch fields mapping and didn’t find conflict field.

{
  "graylog_0" : {
    "mappings" : {
      "message" : {
        "dynamic_templates" : [
          {
            "internal_fields" : {
              "match" : "gl2_*",
              "mapping" : {
                "type" : "keyword"
              }
            }
          },
          {
            "store_generic" : {
              "match" : "*",
              "mapping" : {
                "index" : "not_analyzed"
              }
            }
          }
        ],
        "properties" : {
          "X-Real-IP" : {
            "type" : "keyword"
          },
          "accessTime" : {
            "type" : "keyword"
          },
          "codeLine" : {
            "type" : "keyword"
          },
          "collector_node_id" : {
            "type" : "keyword"
          },
          "facility" : {
            "type" : "keyword"
          },
          "file" : {
            "type" : "keyword"
          },
          "flag" : {
            "type" : "keyword"
          },
          "full_message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "gl2_remote_ip" : {
            "type" : "keyword"
          },
          "gl2_remote_port" : {
            "type" : "keyword"
          },
          "gl2_source_collector" : {
            "type" : "keyword"
          },
          "gl2_source_input" : {
            "type" : "keyword"
          },
          "gl2_source_node" : {
            "type" : "keyword"
          },
          "host_Or_cronjob" : {
            "type" : "keyword"
          },
          "http-version" : {
            "type" : "keyword"
          },
          "httpMethod" : {
            "type" : "keyword"
          },
          "httpStatusCode" : {
            "type" : "keyword"
          },
          "ip" : {
            "type" : "keyword"
          },
          "javaClass" : {
            "type" : "keyword"
          },
          "level" : {
            "type" : "keyword"
          },
          "message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "name" : {
            "type" : "keyword"
          },
          "offset" : {
            "type" : "long"
          },
          "path" : {
            "type" : "keyword"
          },
          "sendBytes" : {
            "type" : "keyword"
          },
          "source" : {
            "type" : "text",
            "analyzer" : "analyzer_keyword",
            "fielddata" : true
          },
          "streams" : {
            "type" : "keyword"
          },
          "tags" : {
            "type" : "keyword"
          },
          "threadName" : {
            "type" : "keyword"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "type" : {
            "type" : "keyword"
          },
          "user" : {
            "type" : "keyword"
          }
        }
      }
    }
  }
}

Is there any other way to check if there is conflicting data?

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.