License Violation Issues

Hi
We have a Free Enterprise Graylog licence.
For several days a message about a licence violation has been appearing.
We have not reached the 5GB traffic limit.
The details in License Management show the message “Remote checks have failed too many times.”
Can anyone explain where the problem is?


Can confirm that I’m seeing the same issue here. Haven’t tripped the volume (max day 500MB), but traceroutes are failing to api[.]graylog[.]com. I’ve even tried to bump the number of hops to 120, but it gets to 72.21.197.223 then dies. (54.225.185.38 is where we’re trying to get to.)

EDIT: Ok, so the issue on my end appears to have been the fact that I was running an older version of Oracle Java 8 JRE that did not include the Let’s Encrypt CA in its keystore. Instead of futzing around with adding it, I just upgraded to JRE 8u161, verified that it was the default version, rebooted the server and it’s suddenly able to talk to the licensing server.

I hope this helps someone else.
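The fix described in the post above comes down to which root CAs the JVM itself trusts, which a successful curl (using the operating system's CA bundle) does not show. The following is an added example, not part of the original post and not Graylog code: it lists the JVM's default trust anchors and looks for the roots behind a Let's Encrypt chain. The class name and the two root names in `WANTED` are assumptions of this example.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {
    // Assumption: the roots that signed "Let's Encrypt Authority X3" in 2018.
    private static final String[] WANTED = {"CN=DST Root CA X3", "CN=ISRG Root X1"};

    /** Counts default trust anchors whose subject contains one of the wanted names. */
    static int countMatchingAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default truststore
        int found = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String subject = ca.getSubjectX500Principal().getName();
                for (String wanted : WANTED) {
                    if (subject.contains(wanted)) {
                        found++;
                        System.out.println("trusted: " + subject
                            + " (expires " + ca.getNotAfter() + ")");
                    }
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        // Show which runtime and truststore are actually in use.
        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("java.home: " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore: "
            + System.getProperty("javax.net.ssl.trustStore", "(default cacerts)"));
        if (countMatchingAnchors() == 0) {
            System.out.println("No matching root CA: HTTPS to a Let's Encrypt host "
                + "will fail certificate validation in this JVM.");
            System.exit(1);
        }
    }
}
```

Compile it with `javac` and run it with the same `java` binary that starts graylog-server, since a different JRE on the same host can have a different keystore.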

Ok, that looks like it works just fine.

curl -v api[.]graylog[.]com

* About to connect() to api.graylog.com port 80 (#0)
* Trying 204.236.236.192... connected
* Connected to api[.]graylog[.]com (204.236.236.192) port 80 (#0)

> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: api[.]graylog[.]com
> Accept: */*

< HTTP/1.1 404 Not Found
< Server: Cowboy
< Connection: keep-alive
< Date: Mon, 26 Mar 2018 13:46:46 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur
<

* Connection #0 to host api[.]graylog[.]com left intact
* Closing connection #0
{"code":404,"message":"HTTP 404 Not Found"}

Is there a way to see some kind of a time frame or history of connection failures? I’m wondering if we had some kind of network issue at some point.

Greetings, everyone! I just upgraded from Graylog 2.2 to 2.4 and decided to go ahead and move to the free enterprise upgrade since we are pretty well under the 5 GB/day threshold and I wanted to check out some of the features. Since the upgrade, I am seeing the following warning in the graylog server.log:

WARN [LicenseChecker] License violation - Detected irregular traffic records

Seems to spit the warning out every 5 minutes and there is no other information associated with the warning. It doesn’t appear to be causing any issues that I can see and there is no indication in the web interface that might shed some light on things. I’ve scoured the web and Graylog forums and can’t find any helpful information. For background, we are running Graylog on Ubuntu, single node, monitoring a handful of Windows servers (AD, file services, IIS, etc.) and some Cisco devices. License for Enterprise is installed.

Does anyone have any ideas? Thanks in advance for any assistance!

Is this the only license-related message in your logs?
Does your network environment allow HTTPS access to https://api.graylog.com/? (see License Violation Issues)

It should be fine. A regular browser gives me this:

{"code":404,"message":"HTTP 404 Not Found"}

From the appliance itself:

ubuntu@graylog:~$ 
ubuntu@graylog:~$ curl -v -XGET https://api.graylog.com
* Rebuilt URL to: https://api.graylog.com/
* Hostname was NOT found in DNS cache
*   Trying 23.23.209.130...
* Connected to api.graylog.com (23.23.209.130) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: CN=api.graylog.com
*        start date: 2018-02-22 23:36:53 GMT
*        expire date: 2018-05-23 23:36:53 GMT
*        subjectAltName: api.graylog.com matched
*        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: api.graylog.com
> Accept: */*
> 
< HTTP/1.1 404 Not Found
* Server Cowboy is not blacklisted
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 16:06:24 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur
< 
* Connection #0 to host api.graylog.com left intact
{"code":404,"message":"HTTP 404 Not Found"}

Yes, other than messages related to startup of license plugins the warnings are the only license-related messages. I am able to access https://api.graylog.com from the server:

ubuntu@graylog:~$  curl -v -XGET https://api.graylog.com

* Rebuilt URL to: https://api.graylog.com/
*   Trying 23.23.136.239...
* Connected to api.graylog.com (23.23.136.239) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 592 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: api.graylog.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=api.graylog.com
*        start date: Thu, 22 Feb 2018 23:36:53 GMT
*        expire date: Wed, 23 May 2018 23:36:53 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: api.graylog.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 16:15:06 GMT
< Content-Type: application/json
< Content-Length: 43
< Via: 1.1 vegur

Hej

Could you please check http GET http://api.graylog.com/releases/active

The output should be something like the following:

HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 217
Content-Type: application/json
Date: Wed, 28 Feb 2018 17:31:53 GMT
Server: Cowboy
Vary: Accept-Encoding
Via: 1.1 vegur

{
    "announcement_link": "https://www.graylog.org/blog/108-announcing-graylog-v2-4-3",
    "codename": "Wildwuchs",
    "published": true,
    "released_at": "2018-01-25T00:00:00.000Z",
    "suffix": "",
    "version": {
        "major": 2,
        "minor": 4,
        "patch": 3
    }
}

The URL checks the latest released version. If that works from your Graylog server, Graylog should be able to check the license. If not, have you configured, or do you need, any kind of proxy to connect to the internet?

Hi Jan!

No proxy needed to connect to the internet. Here is the output:

< HTTP/1.1 200 OK
< Server: Cowboy
< Connection: keep-alive
< Date: Wed, 28 Feb 2018 17:43:35 GMT
< Content-Type: application/json
< Vary: Accept-Encoding
< Content-Length: 217
< Via: 1.1 vegur
<
* Connection #0 to host api.graylog.com left intact
{
	"version":{"major":2,"minor":4,"patch":3},
	"suffix":"","codename":"Wildwuchs",
	"released_at":"2018-01-25T00:00:00.000Z",	
	"announcement_link":"https://www.graylog.org/blog/108-announcing-graylog-v2-4-3",
	"published":true
}

Did you have http_proxy set in your Graylog configuration?

Other option would be to raise the http_read_timeout - maybe the connection to the API isn’t the fastest…
