Single Graylog node running 3.2.4 with free enterprise license
This event is logged every 5 minutes, and has been for the past 5 days:
2020-04-23T15:50:03.362Z WARN [LicenseChecker] License violation - Detected irregular traffic records
What are traffic records in this context?
I have read quite a few threads on this but not come to much of a conclusion.
Server can reach the API:
# curl -v https://api.graylog.com
* Rebuilt URL to: https://api.graylog.com/
* Trying 52.2.164.113...
* TCP_NODELAY set
* Connected to api.graylog.com (52.2.164.113) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=api.graylog.com
* start date: Apr 16 00:06:52 2020 GMT
* expire date: Jul 15 00:06:52 2020 GMT
* subjectAltName: host "api.graylog.com" matched cert's "api.graylog.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: api.graylog.com
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Cowboy
< Connection: keep-alive
< Date: Thu, 23 Apr 2020 15:58:28 GMT
< Content-Type: text/plain
< Vary: Accept-Encoding
< Content-Length: 133
< Via: 1.1 vegur
<
* Connection #0 to host api.graylog.com left intact
I have tested this multiple times; it always succeeds. The "Trying" IP varies.
No messages in web interface about license violation.
Not getting anywhere near 5GB/day and never have done:
Looks like refreshing the /system/licenses page causes that event to be logged.
2020-04-23T15:40:03.346Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:45:03.347Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:50:03.362Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:55:03.346Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:00:03.348Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:05:03.349Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:05:07.848Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:10:03.386Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:10:48.442Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:11:23.836Z WARN [LicenseChecker] License violation - Detected irregular traffic records
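To tell the scheduler's regular 5-minute check apart from the extra occurrences that the original poster ties to reloading /system/licenses, it helps to parse the server log rather than eyeball it. The script below is an added example for this thread, not Graylog code and not anything posted by the participants: it parses LicenseChecker WARN lines of the format quoted above (the sample input is the ten lines from the post, embedded inline), anchors on the first occurrence, and labels each later one as "scheduled" when it falls on a 5-minute multiple within a one-second tolerance, otherwise "extra". The period and tolerance values are assumptions chosen to fit the quoted timestamps, not documented Graylog behaviour.

```python
"""Classify Graylog LicenseChecker warnings as scheduled vs. extra.

Added example (not from the forum thread or from Graylog): reads server.log
style lines, keeps only [LicenseChecker] entries, and checks whether each
one sits on the 5-minute scheduler tick or is an extra occurrence (for
instance one triggered by reloading the licenses page).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the ten lines quoted in the thread.
SAMPLE_LOG = """\
2020-04-23T15:40:03.346Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:45:03.347Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:50:03.362Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T15:55:03.346Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:00:03.348Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:05:03.349Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:05:07.848Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:10:03.386Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:10:48.442Z WARN [LicenseChecker] License violation - Detected irregular traffic records
2020-04-23T16:11:23.836Z WARN [LicenseChecker] License violation - Detected irregular traffic records
"""

# "<ISO timestamp>Z <LEVEL> [<logger>] <message>" as seen in the quoted lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)\s+"
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)


def parse_license_events(text, logger="LicenseChecker"):
    """Return a list of (utc_datetime, level, message) for matching log lines.

    Lines that do not match the format or come from another logger are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("logger") != logger:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts.replace(tzinfo=timezone.utc), m.group("level"), m.group("msg")))
    return events


def classify_cadence(events, period=timedelta(minutes=5), tolerance=timedelta(seconds=1)):
    """Label each event 'scheduled' or 'extra' relative to the first event.

    An event is 'scheduled' when its offset from the first event is within
    `tolerance` of a whole multiple of `period`. The defaults (5 min, 1 s) are
    assumptions that fit the timestamps quoted in the thread.
    """
    if not events:
        return []
    anchor = events[0][0]
    labelled = []
    for ts, _level, _msg in events:
        delta = ts - anchor
        ticks = round(delta / period)          # nearest scheduler tick
        drift = abs(delta - ticks * period)    # distance from that tick
        labelled.append((ts, "scheduled" if drift <= tolerance else "extra"))
    return labelled


def summarize(text):
    """Count scheduled vs. extra LicenseChecker warnings in a log excerpt."""
    counts = {"scheduled": 0, "extra": 0}
    for _ts, label in classify_cadence(parse_license_events(text)):
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for ts, label in classify_cadence(parse_license_events(SAMPLE_LOG)):
        print(ts.isoformat(), label)
    print(summarize(SAMPLE_LOG))
```

On the quoted lines this reports seven scheduled occurrences (one every five minutes, each within 50 ms of the tick) and three extra ones at 16:05:07, 16:10:48 and 16:11:23, which matches the poster's observation that the warning is also emitted on demand. Run against a full day of server.log, a count well above 288 scheduled hits would point to something other than the five-minute checker.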
lcosta
(Luis Miguel Costa)
April 24, 2020, 9:22pm
Hi there, that's weird. Do you have only one node? Is there a chance that you have 2 IPs on the same node, duplicating traffic? Maybe use "netstat" to check the connections?
arrmo
(Russell Morris)
April 25, 2020, 8:54pm
Hi,
Seeing exactly the same thing here - very odd. And only one node. Multiple IPs, but that's normal - an IP for the NIC, but also, for example, an IP for the (cable) tuner card in the machine. Different network / subnet completely.
Thoughts?
Thanks!
One node with one IP, deployed using Graylog OVA. One data source sending syslog to Graylog. Basically, just about the most trivial use-case for Graylog I can imagine.
Would the “duplicating traffic” you’re referring to be duplicated logging records from things sending logs to Graylog? I can’t see this being the case here, it’s such a simple setup.
lcosta
(Luis Miguel Costa)
April 27, 2020, 11:48am
With the weirdness of this, by duplicating I mean if it receives 2 messages twice (for example), but if you only use one "ip add" I don't think that's the case.
arrmo
(Russell Morris)
April 27, 2020, 4:23pm
Hi,
I checked my records, not seeing any duplicates … but of course I may be missing it. Any suggestions of a good way to check?
FYI, I did check - netstat result below (but not sure what it should be). I'm listening on port 5140, to avoid the < 1024 (root) issue.
netstat -ul | grep 5140
udp 0 0 0.0.0.0:5140 0.0.0.0:*
udp 0 0 0.0.0.0:5140 0.0.0.0:*
udp 0 0 0.0.0.0:5140 0.0.0.0:*
udp 0 0 0.0.0.0:5140 0.0.0.0:*
Thanks!
lcosta
(Luis Miguel Costa)
April 27, 2020, 4:42pm
Well, I say, if you can do the things with the enterprise licence, you must ignore that warning. Maybe the measures for the message counting / traffic have a bug?
arrmo
(Russell Morris)
April 27, 2020, 7:51pm
Sure seems like it - thanks!
jan
(Jan Doberstein)
May 6, 2020, 2:17pm
Please ignore this message.
While the wording is harsh it is nothing to worry about.
arrmo
(Russell Morris)
May 6, 2020, 3:37pm
Great, thanks - appreciate the note! Perhaps something to address in the SW longer term, but definitely not a priority of course.