License Violation Issues

You say “all of them” and while that seems all encompassing, it is a little vague. Do you mean every single file listed on that page under the Omnibus heading? All of the graylog, elasticsearch, and mongodb files? Or just the graylog logs? The /var/log/graylog/server/ folder has a bunch of files in it, do you want just the most recent one, or really all of them? Also, how can I get these to you? Do you guys have an upload site, can I send a sharefile/dropbox link?

Does this mean anything to you?

2018-03-22_21:44:51.70765 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 118, limit: 72
2018-03-22_21:44:51.70810 WARN [LicenseChecker] License violation - Detected irregular traffic records
2018-03-22_21:49:51.76372 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 118, limit: 72
2018-03-22_21:49:51.76430 WARN [LicenseChecker] License violation - Detected irregular traffic records

Please provide the complete logs and not just some arbitrary excerpts.

The logs of your Graylog node. Elasticsearch and MongoDB don’t have anything to do with the license management.

You can use a pastebin service like https://gist.github.com/ or https://0bin.net/.

You could always check you can reach the release API, which runs at the same host:

http GET http://api.graylog.com/releases/active

This will give you back the current stable release version:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 217
Content-Type: application/json
Date: Fri, 23 Mar 2018 08:53:41 GMT
Server: Cowboy
Vary: Accept-Encoding
Via: 1.1 vegur

{
    "announcement_link": "https://www.graylog.org/blog/108-announcing-graylog-v2-4-3",
    "codename": "Wildwuchs",
    "published": true,
    "released_at": "2018-01-25T00:00:00.000Z",
    "suffix": "",
    "version": {
        "major": 2,
        "minor": 4,
        "patch": 3
    }
}

@mccrolly this way you could verify if from a network level everything is working. (I have used httpie for this request.)

Seems to be working fine.

ubuntu@graylog:~$ http GET http://api.graylog.com/releases/active
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 217
Content-Type: application/json
Date: Fri, 23 Mar 2018 12:11:59 GMT
Server: Cowboy
Vary: Accept-Encoding
Via: 1.1 vegur

{
    "announcement_link": "https://www.graylog.org/blog/108-announcing-graylog-v2-4-3", 
    "codename": "Wildwuchs", 
    "published": true, 
    "released_at": "2018-01-25T00:00:00.000Z", 
    "suffix": "", 
    "version": {
        "major": 2, 
        "minor": 4, 
        "patch": 3
    }
}

Just checked it again this morning and everything appears fine connectivity-wise.

ubuntu@graylog:~$ date 
Fri Mar 23 08:12:17 EDT 2018
ubuntu@graylog:~$ 
ubuntu@graylog:~$ 
ubuntu@graylog:~$ curl -v -XGET https://api.graylog.com
* Rebuilt URL to: https://api.graylog.com/
* Hostname was NOT found in DNS cache
*   Trying 50.19.87.162...
* Connected to api.graylog.com (50.19.87.162) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=api.graylog.com
*        start date: 2018-02-22 23:36:53 GMT
*        expire date: 2018-05-23 23:36:53 GMT
*        subjectAltName: api.graylog.com matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.graylog.com
> Accept: */*
> 
< HTTP/1.1 404 Not Found
* Server Cowboy is not blacklisted
< Server: Cowboy
< Connection: keep-alive
< Date: Fri, 23 Mar 2018 12:12:53 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur
< 
* Connection #0 to host api.graylog.com left intact
{"code":404,"message":"HTTP 404 Not Found"}
ubuntu@graylog:~$ date
Fri Mar 23 08:12:29 EDT 2018

2018-03-23_12:14:51.79565 WARN [LicenseChecker] License violation - Detected irregular traffic records
2018-03-23_12:14:55.40255 ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2018-03-23_12:15:02.93175 WARN [LicenseChecker] License violation - Detected irregular traffic records
2018-03-23_12:15:02.94498 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 133, limit: 72
2018-03-23_12:15:02.94569 WARN [LicenseChecker] License violation - Detected irregular traffic records

Hi,
We have a Free Enterprise Graylog Licence.
For several days, a message about a Licence Violation has been appearing.
We do not reach the 5GB traffic limit.
In the details in License Management it shows the message “Remote checks have failed too many times.”
Can anyone explain where the problem is?


Can confirm that I’m seeing the same issue here. Haven’t tripped the volume (max day 500MB), but traceroutes are failing to api[.]graylog[.]com. I’ve even tried to bump the number of hops to 120, but it gets to 72.21.197.223 then dies. (54.225.185.38 is where we’re trying to get to.)

EDIT: Ok, so the issue on my end appears to have been the fact that I was running an older version of Oracle Java 8 JRE that did not include the Let’s Encrypt CA in its keystore. Instead of futzing around with adding it, I just upgraded to JRE 8u161, verified that it was the default version, rebooted the server and it’s suddenly able to talk to the licensing server.

I hope this helps someone else.

Ok, that looks like it works just fine.

curl -v api[.]graylog[.]com

* About to connect() to api.graylog.com port 80 (#0)
*   Trying 204.236.236.192... connected
* Connected to api[.]graylog[.]com (204.236.236.192) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: api[.]graylog[.]com
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: Cowboy
< Connection: keep-alive
< Date: Mon, 26 Mar 2018 13:46:46 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur
<
* Connection #0 to host api[.]graylog[.]com left intact
* Closing connection #0
{"code":404,"message":"HTTP 404 Not Found"}

Is there a way to see some kind of a time frame or history of connection failures? I’m wondering if we had some kind of network issue at some point.

Greetings, everyone! I just upgraded from Graylog 2.2 to 2.4 and decided to go ahead and move to the free enterprise upgrade since we are pretty well under the 5 GB/day threshold and I wanted to check out some of the features. Since the upgrade, I am seeing the following warning in the graylog server.log:

WARN [LicenseChecker] License violation - Detected irregular traffic records

Seems to spit the warning out every 5 minutes and there is no other information associated with the warning. It doesn’t appear to be causing any issues that I can see and there is no indication in the web interface that might shed some light on things. I’ve scoured the web and Graylog forums and can’t find any helpful information. For background, we are running Graylog on Ubuntu, single node, monitoring a handful of Windows servers (AD, file services, IIS, etc.) and some Cisco devices. License for Enterprise is installed.

Does anyone have any ideas? Thanks in advance for any assistance!

Is this the only license-related message in your logs?
Does your network environment allow HTTPS access to https://api.graylog.com/? (see License Violation Issues)

It should be fine. A regular browser gives me this:

{"code":404,"message":"HTTP 404 Not Found"}

From the appliance itself:

ubuntu@graylog:~$ 
ubuntu@graylog:~$ curl -v -XGET https://api.graylog.com
* Rebuilt URL to: https://api.graylog.com/
* Hostname was NOT found in DNS cache
*   Trying 23.23.209.130...
* Connected to api.graylog.com (23.23.209.130) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=api.graylog.com
*        start date: 2018-02-22 23:36:53 GMT
*        expire date: 2018-05-23 23:36:53 GMT
*        subjectAltName: api.graylog.com matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.graylog.com
> Accept: */*
> 
< HTTP/1.1 404 Not Found
* Server Cowboy is not blacklisted
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 16:06:24 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur
< 
* Connection #0 to host api.graylog.com left intact
{"code":404,"message":"HTTP 404 Not Found"}

Yes, other than messages related to startup of license plugins the warnings are the only license-related messages. I am able to access https://api.graylog.com from the server:

ubuntu@graylog:~$  curl -v -XGET https://api.graylog.com

* Rebuilt URL to: https://api.graylog.com/
*   Trying 23.23.136.239...
* Connected to api.graylog.com (23.23.136.239) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: api.graylog.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=api.graylog.com
*        start date: Thu, 22 Feb 2018 23:36:53 GMT
*        expire date: Wed, 23 May 2018 23:36:53 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: api.graylog.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 16:15:06 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur

Hej

could you please check http GET http://api.graylog.com/releases/active

the output should be something like the following:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 217
Content-Type: application/json
Date: Wed, 28 Feb 2018 17:31:53 GMT
Server: Cowboy
Vary: Accept-Encoding
Via: 1.1 vegur

{
    "announcement_link": "https://www.graylog.org/blog/108-announcing-graylog-v2-4-3",
    "codename": "Wildwuchs",
    "published": true,
    "released_at": "2018-01-25T00:00:00.000Z",
    "suffix": "",
    "version": {
        "major": 2,
        "minor": 4,
        "patch": 3
    }
}

The URL checks the latest released version. If that works from your Graylog server, Graylog should be able to check the license. If not, have you configured, or do you need, any kind of proxy to connect to the internet?

Hi Jan!

No proxy needed to connect to the internet. Here is the output:

< HTTP/1.1 200 OK
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 17:43:35 GMT
< Content-Type: application/json
< Vary: Accept-Encoding
< Content-Length: 217
< Via: 1.1 vegur
<
* Connection #0 to host api.graylog.com left intact
{
	"version":{"major":2,"minor":4,"patch":3},
	"suffix":"","codename":"Wildwuchs",
	"released_at":"2018-01-25T00:00:00.000Z",	
	"announcement_link":"https://www.graylog.org/blog/108-announcing-graylog-v2-4-3",
	"published":true
}

Did you have http_proxy set in your Graylog configuration?

Another option would be to raise the http_read_timeout - maybe the connection to the API isn’t the fastest…

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
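
A history of license-reporting failures, as asked about earlier in the thread, can be rebuilt from the LicenseChecker lines in the Graylog server log. The following Python is an added example, not part of any post in this thread and not Graylog code; the function names are hypothetical and the sample lines are constructed from the log excerpts quoted above.

```python
import re
from datetime import datetime

# Constructed sample: LicenseChecker/AuditLogger lines as quoted in the thread.
SAMPLE = """\
2018-03-22_21:44:51.70765 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 118, limit: 72
2018-03-22_21:44:51.70810 WARN [LicenseChecker] License violation - Detected irregular traffic records
2018-03-22_21:49:51.76372 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 118, limit: 72
2018-03-23_12:14:55.40255 ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2018-03-23_12:15:02.94498 WARN [LicenseChecker] License violation - Failed to report license status to Graylog, Inc. - consecutive failures: 133, limit: 72
"""

LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}_\d{2}:\d{2}:\d{2}\.\d{1,6}) (\w+) \[(\w+)\] (.*)$")
FAILS = re.compile(r"consecutive failures: (\d+), limit: (\d+)")

def failure_history(text):
    """Return [(timestamp, consecutive_failures, limit)], one entry per counter change."""
    history = []
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line or line.group(3) != "LicenseChecker":
            continue  # skip other loggers and malformed lines
        counter = FAILS.search(line.group(4))
        if not counter:
            continue  # e.g. "Detected irregular traffic records"
        ts = datetime.strptime(line.group(1), "%Y-%m-%d_%H:%M:%S.%f")
        count, limit = int(counter.group(1)), int(counter.group(2))
        if not history or history[-1][1] != count:
            history.append((ts, count, limit))
    return history

def summarize(text):
    """Summarize the reporting-failure counter over the span covered by the log."""
    hist = failure_history(text)
    if not hist:
        return None
    (t0, c0, _), (t1, c1, limit) = hist[0], hist[-1]
    hours = (t1 - t0).total_seconds() / 3600
    return {
        "first_seen": t0,
        "last_seen": t1,
        "latest_count": c1,
        "limit": limit,
        "over_limit": c1 > limit,
        # Observed growth of the counter; None when only one reading exists.
        "failures_per_hour": round((c1 - c0) / hours, 2) if hours > 0 else None,
    }

if __name__ == "__main__":
    for ts, count, limit in failure_history(SAMPLE):
        print(ts.isoformat(), count, limit)
    print(summarize(SAMPLE))
```

Feeding it the files from the /var/log/graylog/server/ folder mentioned above, oldest first, shows when the counter first appeared and how fast it has been climbing.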