So, the day began with LOTS of “Could not run WHOIS lookup for IP [X.X.X.X]” and “Could not lookup WHOIS information for [X.X.X.X] at [ARIN].”
Nothing else is showing up on these error logs, that’s all. source_class_name: org.graylog.plugins.threatintel.whois.ip.WhoisIpLookup
Ideas?
Is the WHOIS server accessible from the system running Graylog?
Has your system (or IP address) been throttled by the WHOIS service because of too many lookups?
Are these IP addresses not routed, i. e. are they “private” IP addresses from RFC 1918?
The first question had popped into my mind, but I have no idea because the error doesn’t tell me which WHOIS server it’s trying to query.
Since I don’t know which WHOIS is being queried, I have no idea if I’m getting throttled =(
And I handpicked a few, the first one was from US/Amazon, the others by glance didn’t seem to be private.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
