Graylog 3.1 license violation

Hi All,

I have recently upgraded Graylog 2.4 to 3.1. It’s a single node server.

I noticed that I am getting license violation errors.

[centos@ip-172-17-1-87 ~]$ sudo tail -f -n 1000 /var/log/graylog-server/server.log | grep WARN
2019-09-09T02:56:11.437Z WARN  [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 234, limit: 72
2019-09-09T02:56:11.437Z WARN  [LicenseChecker] License violation - Detected irregular traffic records
2019-09-09T03:01:11.443Z WARN  [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 234, limit: 72
2019-09-09T03:01:11.443Z WARN  [LicenseChecker] License violation - Detected irregular traffic records
2019-09-09T03:01:16.930Z WARN  [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 234, limit: 72
2019-09-09T03:01:16.930Z WARN  [LicenseChecker] License violation - Detected irregular traffic records

The daily traffic is well below 1 GB.

The Graylog server is able to connect to https://api.graylog.com/report

[centos@ip-172-17-1-87 ~]$ curl -v https://api.graylog.com/report
* About to connect() to api.graylog.com port 443 (#0)
*   Trying 52.200.123.104...
* Connected to api.graylog.com (52.200.123.104) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=api.graylog.com
*       start date: Aug 19 23:37:41 2019 GMT
*       expire date: Nov 17 23:37:41 2019 GMT
*       common name: api.graylog.com
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /report HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.graylog.com
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Server: Cowboy
< Connection: keep-alive
< Date: Mon, 09 Sep 2019 03:14:48 GMT
< Allow: POST,OPTIONS
< Content-Type: application/json
< Content-Length: 52
< Via: 1.1 vegur
<
* Connection #0 to host api.graylog.com left intact
{"code":405,"message":"HTTP 405 Method Not Allowed"}

There is no proxy or load balancer between the server and internet. The server time is correct, not skewed.

http_read_timeout is set to 30s.

Any other suggestions to find out what is causing the license violation?

Tks,
Nav

Do you have a custom truststore in Graylog for certificates?

Maybe your Graylog is not able to verify the certificate of the API.

Yes, I have a custom trust store for the Graylog cert. What changes shall I make to trust the API cert?

You need to check if that trust store has the information to verify the Let's Encrypt certificates.

It is very likely that you had created an empty truststore and did not take the system's pre-filled one.

Yes, that’s the case. Is it possible to point to 2 truststores in the Graylog startup config?

No, that is not possible. You need to have one truststore that contains all necessary information.

Alright, I will try that and update you.

I have imported the SSL cert into a copy of the default Java cert store. Now the store has 134 entries:

[centos@ip-172-17-1-87 backup]$ sudo keytool -list -keystore /etc/graylog/java_keystore.jks
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 134 entries

However, I don’t see the Let’s Encrypt CA in the default store:

sudo keytool -list -keystore /etc/graylog/java_keystore.jks | grep lets* -A1

returns an empty result.

I then exported the root & intermediate certs from https://api.graylog.com/report and restarted the graylog-server.

Now, all looks good, and there is no license violation notification.

Thanks @jan
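
The failure mode diagnosed in this thread, as an added example that is not part of the original posts: a trust store holding only the node's own certificate cannot verify a certificate issued by a public CA, while a single merged store can. It assumes the `openssl` CLI is installed; PEM bundles stand in for the Java truststore, and every certificate and name is generated locally as a stand-in.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated locally
# as a stand-in; PEM bundles play the role of the Java truststore.
set -u

make_demo_pki() {  # $1 = work directory
  # Stand-in for the public CA that issued the remote API's certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Public CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  # Stand-in for the API server's leaf certificate, signed by that CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$1/api.key" -out "$1/api.csr" 2>/dev/null
  openssl x509 -req -in "$1/api.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/api.pem" 2>/dev/null
  # Stand-in for the Graylog node's own self-signed certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=graylog.example.test" \
    -keyout "$1/node.key" -out "$1/node.pem" 2>/dev/null
}

build_stores() {  # $1 = work directory
  # Broken setup: a store created empty, holding only the node certificate.
  cp "$1/node.pem" "$1/custom-only.pem"
  # Fix: one store with the public CAs plus the node certificate.
  cat "$1/ca.pem" "$1/node.pem" > "$1/merged.pem"
}

# Exit status 0 only if the leaf chains to a CA present in the bundle.
chain_verifies() {  # $1 = trust bundle, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = trust bundle, $3 = certificate
  if chain_verifies "$2" "$3"; then echo "$1: chain verifies"
  else echo "$1: cannot verify issuer"; fi
}

work=$(mktemp -d)
make_demo_pki "$work"
build_stores "$work"
report "custom-only store" "$work/custom-only.pem" "$work/api.pem"
report "merged store" "$work/merged.pem" "$work/api.pem"
rm -rf "$work"
```

On the real server the merged bundle corresponds to the copy of the default Java store with the extra certificates imported, as described in the last post.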