Trying to set up the GreyNoise Community API Adapter


1. Describe your incident:
Trying to set up the GreyNoise Community API. I obtained the API key and entered it into the Data Adapter; when running the test I get this result:
{
"single_value": null,
"multi_value": null,
"string_list_value": null,
"has_error": true,
"ttl": 5000
}

2. Describe your environment:

  • OS Information: Ubuntu 22.04

  • Package Version: 5.0.2-1

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Searched everywhere that I know to look; I’m new at Graylog.
I’ve found the curl statement to run the GreyNoise API call, and using my key it works, but from the Data Adapter test I just get the error no matter what address is used.

4. How can the community help?
Tell me where I can find the cause of the error. I’m stumbling around looking at logs trying to find the “here, this is wrong” error message.


I use Graylog 4.X with the GreyNoise Community IP adapter, which works as expected.
As long as the API key is correct, that should work as expected.
Also, check for any firewall between the Graylog server and the Internet which may be blocking.

If the curl works, then maybe we need to look at whether GL 5.0 has any bugs?

I get the same error whether I use the Community or the Quick IP adapter type, very frustrating.

Hey @rgarvin

Just chiming in, by chance can you show your log files here? Perhaps it would give us a clue on what's going on.

Sure, which log would you like?
I’ll get it uploaded in the morning.

Thanks!

hey,

Start with Graylog.

thx

Thanks for taking the time

Ron

I posted part of the log files; Akismet says they have hidden it.

What now?

Ron

I uploaded the logs but it says Akismet blocked the post.

hello @rgarvin

Perhaps copy & paste it here.
Make sure you use the markdown for posting logs & configuration files.
For further information on this look here…

When you did the curl command was it from the graylog host? Are you running GL in a corporate environment or home lab?

Let's try this again

2023-01-16T15:22:31.283Z WARN  [RestClient] request [GET https://192.168.1.7:9200/_cluster/health?master_timeout=60s&level=cluster&timeout=60>
2023-01-16T15:22:32.284Z WARN  [RestClient] request [GET https://192.168.1.7:9200/_cluster/health?master_timeout=60s&level=cluster&timeout=60>
2023-01-16T15:22:32.689Z ERROR [GreyNoiseCommunityIpLookupAdapter] an error occurred while retrieving GreyNoise IP data. PKIX path building f>
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find va>
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:371) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:314) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:309) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:201) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426) ~[?:?]
        at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300) ~[graylog.jar:?]
        at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185) ~[graylog.jar:?]
        at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224) ~[graylog.jar:?]
        at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108) ~[graylog.jar:?]
        at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88) ~[graylog.jar:?]
        at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169) ~[graylog.jar:?]
        at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
        at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
        at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
        at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142) ~[graylog.jar:?]
        at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117) ~[graylog.jar:?]
        at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229) ~[graylog.jar:?]
        at okhttp3.RealCall.execute(RealCall.java:81) ~[graylog.jar:?]
        at org.graylog.integrations.dataadapters.GreyNoiseCommunityIpLookupAdapter.doGet(GreyNoiseCommunityIpLookupAdapter.java:129) ~[?:?]
        at org.graylog2.plugin.lookup.LookupDataAdapter.get(LookupDataAdapter.java:143) ~[graylog.jar:?]
        at org.graylog2.rest.resources.system.lookup.LookupTableResource.performAdapterLookup(LookupTableResource.java:543) ~[graylog.jar:?]
        at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:577) ~[?:?]
        at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerF>
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:13>
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:1>
        at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispat>
        at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java>
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400) [graylog.jar:?]
        at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:255) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:244) [graylog.jar:?]
        at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265) [graylog.jar:?]
        at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:234) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.service(GrizzlyHttpContainer.java:356) [graylog.jar:?]
        at org.glassfish.grizzly.http.server.HttpHandler$1.run(HttpHandler.java:200) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
        at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: >
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388) ~[?:?]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271) ~[?:?]
        at sun.security.validator.Validator.validate(Validator.java:256) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:?]
        ... 59 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383) ~[?:?]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271) ~[?:?]
        at sun.security.validator.Validator.validate(Validator.java:256) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638) ~[?:?]
        ... 59 more
2023-01-16T15:22:33.283Z WARN  [RestClient] request [GET https://192.168.1.7:9200/_cluster/health?master_timeout=60s&level=cluster&timeout=60

Yes, from the Graylog host server.

It is an installed version, not a Docker container.

Hey @rgarvin

From this ERROR

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Looks like you have a certificate issue. Normally when I see this it's because Graylog cannot find the certificates or the keystore. It can even be from an incorrect certificate being used.
I also see that the Rest Client is timing out; this might be from a configuration issue.
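One way to pull the cause out of a Graylog `server.log` like the one posted above (an added example, not code from any participant in this thread or from Graylog): it attaches each stack trace to its log event, keeps the innermost `Caused by`, and records the first `org.graylog` frame so the failing component is visible. The sample log is constructed from the thread's excerpt with a placeholder indexer host, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log excerpt (shortened; placeholder host).
SAMPLE_LOG = """\
2023-01-16T15:22:31.283Z WARN  [RestClient] request [GET https://indexer.example:9200/_cluster/health] ...
2023-01-16T15:22:32.689Z ERROR [GreyNoiseCommunityIpLookupAdapter] an error occurred while retrieving GreyNoise IP data.
javax.net.ssl.SSLHandshakeException: PKIX path building failed
        at okhttp3.RealCall.execute(RealCall.java:81) ~[graylog.jar:?]
        at org.graylog.integrations.dataadapters.GreyNoiseCommunityIpLookupAdapter.doGet(GreyNoiseCommunityIpLookupAdapter.java:129) ~[?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2023-01-16T15:22:33.283Z WARN  [RestClient] request [GET https://indexer.example:9200/_cluster/health] ...
"""

EVENT = re.compile(r"^(\d{4}-\d\d-\d\dT[\d:.]+Z) (\w+)\s+\[(\w+)\] (.*)$")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
FRAME = re.compile(r"^\s+at (org\.graylog[\w.$]*)\.\w+\(")

def triage(log_text):
    """Split the log into events and attach each stack trace to its event."""
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            events.append({"time": m[1], "level": m[2], "logger": m[3],
                           "message": m[4], "root_cause": None, "caller": None})
        elif events:
            ev = events[-1]
            if (c := CAUSE.match(line)):
                ev["root_cause"] = (c[1], c[2])   # last match wins: innermost cause
            elif (f := FRAME.match(line)) and ev["caller"] is None:
                ev["caller"] = f[1]               # first Graylog frame: who made the call
    return events

def tls_trust_failures(events):
    """Events whose innermost cause is a certificate path (trust store) failure."""
    return [e for e in events if e["root_cause"]
            and e["root_cause"][0].endswith("SunCertPathBuilderException")]

def warnings_by_logger(events):
    """Count events per (level, logger) so repeated, unrelated warnings stand out."""
    return Counter((e["level"], e["logger"]) for e in events)

if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in tls_trust_failures(evs):
        print(e["time"], e["caller"], "->", ": ".join(e["root_cause"]))
    print(dict(warnings_by_logger(evs)))
```

In the posted trace the failing handshake is the adapter's outbound okhttp3 call, which is a separate log event from the `RestClient` warnings about port 9200. A JVM started with `-Djavax.net.ssl.trustStore` validates against that store only, whereas curl uses the operating system's CA bundle, so the two can disagree about the same endpoint.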

I thought I had solved the cert issues since it would not start to begin with. I’m using a cert created by the Wazuh installer, which is being used by Wazuh-indexer, Wazuh-dashboard, Filebeat, and Wazuh-manager. I thought I had copied it to the correct places and made the proper setting changes. I will go through them again though. Why would the curl statement work properly though?

Thanks for the suggestions

Ron

Should I run Graylog off a separate certificate?

Hey

If you have time for troubleshooting, I personally would.

curl checks your index server/s but not Graylog against your index server, so I would imagine something is blocking Graylog from your index server cluster. Remember Graylog is your frontend/web, MongoDB holds configurations and metadata, then you have Elasticsearch/OpenSearch which stores and queries logs/messages.
