Graylog server tries to talk to a tor node

Hi, I’m configuring a Graylog server to collect syslogs from servers and network devices. When I checked the firewall, I saw that communication from the Graylog server to a Tor node had been blocked. As per the firewall, the Graylog server tried to access the URL chiwui.torproject.org

I found one line in the Graylog server log that matches the IP address 138.201.14.212. The log reads:
Caused by: java.net.ConnectException: Failed to connect to check.torproject.org/138.201.14.212:443

I presume the connection was refused because it was interrupted by the firewall.

There is not much information about this URL, so I checked it in AlienVault OTX.
https://otx.alienvault.com/indicator/hostname/chiwui.torproject.org

I’m trying to understand why the Graylog server tried to communicate with this Tor node. Has anyone seen this before?

Hi @Salinda

Did you have any plugins installed or other software that is running on that server?

If you, for example, have installed the threat-intel plugin and activated the check for Tor exit nodes, that would be the request to get the list of exit nodes.

Hi @jan, you are right. I’ve installed the Graylog threatintel plugin, and from the logs I found that it queries Tor exit nodes.

Thanks for your reply.

Cheers,
Salinda
