OTX Rate Limit causes Process Buffer then Journal to Fill

Magneton · July 13, 2020, 3:10pm

Dear All,

Perhaps some one can help me here.

I have some PA firewalls which I need to do threat look ups on using OTX. etc, there is roughly 20k events a minute.

Situation
I have observed in Graylog server log that when I get rate limited , error =429 the processor buffer starts to fill and then the journal.

The pipeline rule is correctly configured to not do look ups against RFC 1918 address,if I remove the threat hunting rule from the pipeline the situation resolves.

Attempts to Resolve.
My first thought was to increase the caches for the OTX so that it would not do look ups. I have increase size to 20,000 entries and set the cache time to 30 mins as shown below.

Does anyone here have any other tweeks / ideas that might resolve the issue?

Does anyone know the OTX rate limits?

Cheers

Jake Smith

jan · July 17, 2020, 12:32pm

he @Magneton

easiest solution - pay for OTX to do not run into the ratelimit.

Magneton · July 17, 2020, 12:55pm

Hi Jan,

Would an alternative be to increase cache further?

If I increase cache , it will just use more ram on Graylog processing node, so I would have to increase ram?

Cheers

Jake

system · July 31, 2020, 12:55pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Open Threat Exchange Plugin Slow Graylog Add-ons	1	624	August 27, 2020
Pipelines are filling the process buffer and journal Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	15	1503	September 19, 2019
Process buffer repeatedly filling up until restart Graylog Central (peer support) pipeline-rules	9	2608	December 24, 2019
Process buffer filling Graylog Central (peer support)	6	755	April 15, 2021
Process Buffer Full - How do i fault find? Graylog Central (peer support)	6	4307	June 19, 2020

OTX Rate Limit causes Process Buffer then Journal to Fill

Related Topics