Graylog server tries to talk to a tor node


#1

Hi, I’m configuring a Graylog server to collect syslogs from servers and network devices. When I checked the firewall, I saw that communication from the Graylog server to a Tor node had been blocked. As per the firewall, the Graylog server tried to access the URL chiwui.torproject.org

I found one line in the Graylog server log that matches the IP address 138.201.14.212; the log reads:
Caused by: java.net.ConnectException: Failed to connect to check.torproject.org/138.201.14.212:443

I presume the connection was refused because it was interrupted by the firewall.

There is not much information about this URL, so I checked it in AlienVault OTX.

I’m trying to understand why the Graylog server tried to communicate with this Tor node. Has anyone seen this before?


(Jan Doberstein) #2

hej @Salinda

Did you have any plugins installed, or other software running on that server?

If you have, for example, installed the threat-intel plugin and activated the check for Tor exit nodes, that would be the request to get the list of exit nodes.


#3

Hi @jan, you are right. I’ve installed the Graylog threatintel plugin and found from the logs that it queries Tor exit nodes.

Thanks for your reply.

Cheers,
Salinda
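The correlation done by hand in this thread (matching a firewall-blocked IP to a `ConnectException` line in the server log) can be scripted. The following is an added example, not part of any post above and not Graylog code; the function names, the second log entry and the second blocked IP are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the message format quoted in the thread:
#   java.net.ConnectException: Failed to connect to <host>/<ip>:<port>
FAILED_CONNECT = re.compile(
    r"ConnectException: Failed to connect to "
    r"(?P<host>[A-Za-z0-9.-]*)/(?P<ip>\[[0-9A-Fa-f:]+\]|[0-9.]+):(?P<port>\d+)"
)

def failed_connects(log_lines):
    """Yield (host, ip, port) for every failed outbound connection logged."""
    for line in log_lines:
        m = FAILED_CONNECT.search(line)
        if m:
            # Host is empty when the JVM connected by literal IP.
            yield m["host"], m["ip"].strip("[]"), int(m["port"])

def explain_blocked(log_lines, blocked_ips):
    """Map each firewall-blocked IP to the (hostname, port) pairs the JVM asked for.

    An empty list means the server log has no record of that destination,
    so some other process on the host is the more likely source.
    """
    seen = defaultdict(set)
    for host, ip, port in failed_connects(log_lines):
        seen[ip].add((host, port))
    return {ip: sorted(seen[ip]) for ip in blocked_ips}

# First entry is the line quoted in the thread; the rest are constructed.
SAMPLE_LOG = [
    "Caused by: java.net.ConnectException: Failed to connect to "
    "check.torproject.org/138.201.14.212:443",
    "INFO constructed line without a connection error",
    "Caused by: java.net.ConnectException: Failed to connect to "
    "updates.example.test/192.0.2.10:443",
]
# IPs taken from firewall deny entries; the second one is constructed.
BLOCKED = ["138.201.14.212", "198.51.100.7"]

if __name__ == "__main__":
    for ip, requests in explain_blocked(SAMPLE_LOG, BLOCKED).items():
        print(ip, requests or "no matching entry in server log")
```

The hostname in the log entry is what identifies the purpose of the request: here it shows the blocked IP was reached as `check.torproject.org`, which points to the exit-node list lookup rather than traffic routed through Tor.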

