This IPv6 address cannot be used in IPv4 context


(Dustin Tennill) #1

Hello,

We have been slowly working through debugging the various error messages seen in our graylog server.log file so we can see when there are real issues.

This particular message is a current concern:

2017-02-19T12:10:51.869-05:00 WARN  [ProcessBufferProcessor] Unable to process message <5dc778dc-f6c6-11e6-9b33-0025b5ff0071>: org.graylog.plugins.pipelineprocessor.ast.exceptions.FunctionEvaluationException: java.lang.IllegalArgumentException: This IPv6 address cannot be used in IPv4 context

It occurs around 2500 times each day.
What is the BEST way to troubleshoot error messages related to “unable to process message”? Has anyone written up a basic procedure that one could follow?

In older versions of Graylog I vaguely remember an interface where I could see the message that could not be processed, making it simple to find and fix the problem. If that’s here now I might be missing it.

I like this new discussion forum.

Dustin Tennill


(Jochen) #2

Hi Dustin,

these messages are most likely produced by some invalid call to the cidr_match() function.

You should check the usage of that function and make sure to only pass valid parameters.

Cheers,
Jochen


(Lennart Koopmann) #3

@jochen This looks like the message is being discarded. Can you confirm? If so, we should change the behavior of cidr_match() and make the function throw a warning but handle it gracefully, i.e. not lose the whole message.


(Dustin Tennill) #4

Thanks !!!

Sounds like a pipeline is the next place to check.


(Dustin Tennill) #5

Here is a reduced bit of pipeline we currently have deployed.

rule "from datacenter subnet"
when
    cidr_match("192.168.1.0/24", to_ip($message.gl2_remote_ip)) OR cidr_match("192.168.2.0/24", to_ip($message.gl2_remote_ip)) 
then
    set_field(field: "LocationTag", value: "datacenter");
end

I am trying to confirm with log data, but I am assuming that an ipv6 address isn’t safely handled by “to_ip”. Will post back once I know for sure.