Couldn't refresh data adapter

Shelin · May 2, 2018, 3:04am

Hi all,
I found the following message in the gralog server log:

    2018-05-02T07:32:29.057+08:00 ERROR [LookupDataAdapter] Couldn't refresh data adapter <tor-exit-node/5a9523b823adbbeeba06b10d/@750e46a8>
    java.net.SocketTimeoutException: connect timed out
            at java.net.PlainSocketImpl.socketConnect(Native Method) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[?:1.8.0_65]
            at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[?:1.8.0_65]
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[?:1.8.0_65]
            at java.net.Socket.connect(Socket.java:589) ~[?:1.8.0_65]
            at okhttp3.internal.platform.Platform.connectSocket(Platform.java:125) ~[graylog.jar:?]
            at okhttp3.internal.connection.RealConnection.connectSocket(RealConnection.java:238) ~[graylog.jar:?]
            at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:158) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:256) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:134) ~[graylog.jar:?]
            at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:113) ~[graylog.jar:?]
            at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:125) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[graylog.jar:?]
            at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[graylog.jar:?]
            at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:200) ~[graylog.jar:?]
            at okhttp3.RealCall.execute(RealCall.java:77) ~[graylog.jar:?]
            at org.graylog.plugins.threatintel.adapters.tor.TorExitNodeDataAdapter.doStart(TorExitNodeDataAdapter.java:83) ~[?:?]
            at org.graylog.plugins.threatintel.adapters.tor.TorExitNodeDataAdapter.doRefresh(TorExitNodeDataAdapter.java:104) ~[?:?]
            at org.graylog2.plugin.lookup.LookupDataAdapter.refresh(LookupDataAdapter.java:89) ~[graylog.jar:?]
            at org.graylog2.lookup.LookupDataAdapterRefreshService.lambda$schedule$0(LookupDataAdapterRefreshService.java:142) ~[graylog.jar:?]
            at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_65]
            at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:1.8.0_65]
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:1.8.0_65]
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:1.8.0_65]
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_65]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_65]
            at java.lang.Thread.run(Thread.java:745) [?:1.8.0_65]
    2018-05-02T08:00:05.779+08:00 INFO  [AbstractRotationStrategy] Deflector index <hap index set> (index set <hap_43>) should be rotated, Pointing deflector to new index now!

I clicked “System->Lookup Tables” and saw this:

I have checked elasticsearch log, there is no error or warning messages. Only find some warn message in /var/log/elasticsearch/graylog_deprecation.log:

[2018-05-02T08:04:37,406][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,407][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,407][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,408][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,409][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]
[2018-05-02T08:04:37,409][WARN ][o.e.d.i.m.TypeParsers    ] Expected a boolean [true/false] for property [index] but got [not_analyzed]

I don’t know what causes this situation.
I installed graylog cluster with three nodes.
Version:

graylog 2.4
elasticsearch 5.6.8
mongoDB 3.2.19

Please help me solve this problem.

jan · May 2, 2018, 6:18am

both errors are not connected.

The Tor Data Adapter tries to connect to the outside world and it looks like this is not possible for your Graylog Servers.

The second ‘problem’ is that your Elasticsearch had saved some value as boolean but you are sending in the same field name with non boolean values.

Shelin · May 2, 2018, 6:25am

Thank you!
Will the first error affect the use of the entire graylog cluster?

jan · May 2, 2018, 7:59am

only the tor lookup function will not work.

Shelin · May 2, 2018, 8:21am

Ok, Thank you!
I checked elasticsearch fields mapping and didn’t find conflict field.

{
  "graylog_0" : {
    "mappings" : {
      "message" : {
        "dynamic_templates" : [
          {
            "internal_fields" : {
              "match" : "gl2_*",
              "mapping" : {
                "type" : "keyword"
              }
            }
          },
          {
            "store_generic" : {
              "match" : "*",
              "mapping" : {
                "index" : "not_analyzed"
              }
            }
          }
        ],
        "properties" : {
          "X-Real-IP" : {
            "type" : "keyword"
          },
          "accessTime" : {
            "type" : "keyword"
          },
          "codeLine" : {
            "type" : "keyword"
          },
          "collector_node_id" : {
            "type" : "keyword"
          },
          "facility" : {
            "type" : "keyword"
          },
          "file" : {
            "type" : "keyword"
          },
          "flag" : {
            "type" : "keyword"
          },
          "full_message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "gl2_remote_ip" : {
            "type" : "keyword"
          },
          "gl2_remote_port" : {
            "type" : "keyword"
          },
          "gl2_source_collector" : {
            "type" : "keyword"
          },
          "gl2_source_input" : {
            "type" : "keyword"
          },
          "gl2_source_node" : {
            "type" : "keyword"
          },
          "host_Or_cronjob" : {
            "type" : "keyword"
          },
          "http-version" : {
            "type" : "keyword"
          },
          "httpMethod" : {
            "type" : "keyword"
          },
          "httpStatusCode" : {
            "type" : "keyword"
          },
          "ip" : {
            "type" : "keyword"
          },
          "javaClass" : {
            "type" : "keyword"
          },
          "level" : {
            "type" : "keyword"
          },
          "message" : {
            "type" : "text",
            "analyzer" : "standard"
          },
          "name" : {
            "type" : "keyword"
          },
          "offset" : {
            "type" : "long"
          },
          "path" : {
            "type" : "keyword"
          },
          "sendBytes" : {
            "type" : "keyword"
          },
          "source" : {
            "type" : "text",
            "analyzer" : "analyzer_keyword",
            "fielddata" : true
          },
          "streams" : {
            "type" : "keyword"
          },
          "tags" : {
            "type" : "keyword"
          },
          "threadName" : {
            "type" : "keyword"
          },
          "timestamp" : {
            "type" : "date",
            "format" : "yyyy-MM-dd HH:mm:ss.SSS"
          },
          "type" : {
            "type" : "keyword"
          },
          "user" : {
            "type" : "keyword"
          }
        }
      }
    }
  }
}

Is there any other way to check if there is conflicting data?

system · May 16, 2018, 8:21am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Couldn't refresh adapter <abuse-ch-ransomware-domains> Graylog Central (peer support)	3	2072	May 21, 2018
"Couldn't refresh data adapter..." logged, but lookup table works fine Graylog Central (peer support)	6	473	June 7, 2022
[RESOLVED] - Couldn't refresh data adapter- Lookup table issue Graylog Central (peer support)	7	2518	June 19, 2018
LookuptTable and Socket timeout Graylog Central (peer support)	1	321	November 23, 2020
WARN [ProxiedResource] Unable to call http Graylog Central (peer support)	10	8631	July 27, 2018

Couldn't refresh data adapter

Related Topics