"who is" not working for many ips

If you poke into the adapter/plugin documentation or code, you should be able to find that out yourself. I assume that you would definitely need an account with the WHOIS provider, or an API key. They usually don’t take it lightly when an unsubscribed party keeps spamming their API or site with queries for data.

I’ve been looking around a bit and found this older thread. It seems that I misunderstood: it’s not a separate plugin, but the Graylog standard “threatintel plugins”. Correct? That would mean you’d need the relevant docs for that one, though I doubt you can poke into the code.

See also:

The docs are here →

It notes:

The plugin will use the ARIN WHOIS servers for the first lookup because they have the best redirect to other registries in case they are not responsible for the block of the requested IP address. Graylog will follow the redirect to other registries like RIPE-NCC, AFRINI, APNIC or LACNIC. Future versions will support initial lookups in other registries, but for now, you might experience longer latencies if your Graylog cluster is not located in Nort America.

So I guess they (Graylog team) are relying on unauthenticated WHOIS lookups. Is that correct @jan?

The ARIN information pages don’t mention rate limiting specifically. They also suggest that unauthenticated lookups are just fine and that, in many cases, you won’t need an API key.