1. Describe your incident:
After uninstalling the Graylog Security licence, there are some error logs which appear periodically.
2. Describe your environment:
Rocky Linux release 8.10 (Green Obsidian)
One cluster with 3 Nodes
- Package Version:
graylog-6.0-repository.noarch 1-1 @@commandline
graylog-enterprise.x86_64 6.0.3-1 @graylog
libmongocrypt.x86_64 1.10.0-1.el8 @epel
mongo-c-driver-libs.x86_64 1.27.4-1.el8 @epel
mongodb-database-tools.x86_64 100.9.5-1 @mongodb-org-6.0
mongodb-mongosh.x86_64 2.2.12-1.el8 @mongodb-org-6.0
mongodb-org.x86_64 6.0.16-1.el8 @mongodb-org-6.0
mongodb-org-database.x86_64 6.0.16-1.el8 @mongodb-org-6.0
mongodb-org-database-tools-extra.x86_64 6.0.16-1.el8 @mongodb-org-6.0
mongodb-org-mongos.x86_64 6.0.16-1.el8 @mongodb-org-6.0
mongodb-org-server.x86_64 6.0.16-1.el8 @mongodb-org-6.0
mongodb-org-shell.x86_64 5.0.15-1.el8 @mongodb-org-5.0
mongodb-org-tools.x86_64 6.0.16-1.el8 @mongodb-org-6.0
- Service logs, configurations, and environment variables:
In /var/log/graylog-server/server.log:
2024-08-12T14:44:10.593+02:00 INFO [SigmaRuleStatusSyncService] Scheduling event processor job for out of sync Sigma rule [****************]
2024-08-12T14:44:10.595+02:00 ERROR [SigmaRuleStatusSyncPeriodical] Uncaught exception in Periodical
java.lang.IllegalArgumentException: Event definition <667180cf3f327b013718a9bd> doesn't exist
at org.graylog.events.processor.EventDefinitionHandler.lambda$getEventDefinitionOrThrowIAE$5(EventDefinitionHandler.java:278) ~[graylog.jar:?]
at java.base/java.util.Optional.orElseThrow(Unknown Source) ~[?:?]
at org.graylog.events.processor.EventDefinitionHandler.getEventDefinitionOrThrowIAE(EventDefinitionHandler.java:278) ~[graylog.jar:?]
at org.graylog.events.processor.EventDefinitionHandler.schedule(EventDefinitionHandler.java:228) ~[graylog.jar:?]
at org.graylog.plugins.securityapp.sigma.SigmaRuleStatusSyncService.lambda$syncSigmaRuleEventStatus$6(SigmaRuleStatusSyncService.java:62) ~[?:?]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.accept(Unknown Source) ~[?:?]
at java.base/java.util.stream.ReferencePipeline$2$1.accept(Unknown Source) ~[?:?]
at java.base/java.util.Iterator.forEachRemaining(Unknown Source) ~[?:?]
at java.base/java.util.Spliterators$IteratorSpliterator.forEachRemaining(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(Unknown Source) ~[?:?]
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(Unknown Source) ~[?:?]
at java.base/java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
at java.base/java.util.stream.ReferencePipeline.forEach(Unknown Source) ~[?:?]
at org.graylog.plugins.securityapp.sigma.SigmaRuleStatusSyncService.syncSigmaRuleEventStatus(SigmaRuleStatusSyncService.java:60) ~[?:?]
at org.graylog.plugins.securityapp.sigma.SigmaRuleStatusSyncPeriodical.doRun(SigmaRuleStatusSyncPeriodical.java:72) ~[?:?]
at org.graylog2.plugin.periodical.Periodical.run(Periodical.java:99) [graylog.jar:?]
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
at java.base/java.util.concurrent.FutureTask.runAndReset(Unknown Source) [?:?]
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.base/java.lang.Thread.run(Unknown Source) [?:?]
3. What steps have you already taken to try and solve the problem?
- Install the Graylog Security licence
- Uninstall the Graylog Security licence
- Restart all Graylog nodes