Whois lookup table doesn't work

Hi,

I have an issue with Graylog 4.0.0 and the whois data adapter:

When I try to test the whois data adapter, I get a “null” result:

{
  "single_value": null,
  "multi_value": null,
  "string_list_value": null,
  "has_error": false,
  "ttl": 9223372036854776000
}

In debug mode I don’t have any information except:

2021-07-01T07:51:57.533Z DEBUG [accesslog] 127.0.0.1 local:admin [-] “GET api/system/lookup/adapters/whois/query?key=23.215.52.250” Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 200 -1

On Linux I can access the whois servers, so the issue is not related to network filtering by a firewall:

ubuntu@graylog:/var/log/graylog-server$ whois 23.215.52.250

start

NetRange: 23.192.0.0 - 23.223.255.255
CIDR: 23.192.0.0/11
NetName: AKAMAI
NetHandle: NET-23-192-0-0-1
Parent: NET23 (NET-23-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Akamai Technologies, Inc. (AKAMAI)
RegDate: 2013-07-12
Updated: 2013-08-09

Hello, Xavier,

Welcome to the community. I’m glad you’ve joined us. I’ve moved your question into our Daily Challenges where you can get more expert eyes on your post and, with help, solve it.

Hi @Geantvert,
I’ve tried it in my Graylog 4.0.8 and 4.1 versions and it worked fine. So the problem is probably in your installation or environment. Graylog uses the standard whois port 43 and the server whois.arin.net.

Check that your firewall doesn’t block connections to this port, or whether you have made too many whois requests and your IP is blocked.

PS: Maybe there is a bug in version 4.0.0, I can’t test it; try to update to the latest version, 4.0.9, and check.
The Graylog changelog shows that version 4.0.1 improved the whois adapter, so maybe that’s your problem.
https://docs.graylog.org/en/4.0/pages/changelog.html#id13
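
Added example, not part of the thread and not Graylog code: a small Python check that can be run on the Graylog host to tell the causes named in the reply apart (port 43 blocked, or an empty or refused answer from whois.arin.net). The function names, the plain RFC 3912 query format and the SAMPLE text (shortened from the output quoted in the question) are assumptions of this example.

```python
import socket

WHOIS_HOST = "whois.arin.net"  # server named in the reply above
WHOIS_PORT = 43                # standard whois port (RFC 3912)

# Constructed sample, shortened from the whois output quoted in the question.
SAMPLE = ("# start\nNetRange: 23.192.0.0 - 23.223.255.255\n"
          "OriginAS:\nOrganization: Akamai Technologies, Inc. (AKAMAI)\n")

def query_whois(ip, host=WHOIS_HOST, port=WHOIS_PORT, timeout=10.0):
    """Send one RFC 3912 query (text + CRLF) and return the raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_fields(raw):
    """Collect 'Key: value' lines, skipping comments and blank lines."""
    fields = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields

def diagnose(ip, fetch=query_whois):
    """Return (status, fields); status separates a blocked port from an empty answer."""
    try:
        raw = fetch(ip)
    except socket.timeout:
        return "timeout", {}  # typical of a silently dropping firewall
    except OSError as exc:
        return "connect_error: %s" % exc, {}  # refused, unreachable, DNS failure
    fields = parse_fields(raw)
    if "NetRange" not in fields and "Organization" not in fields:
        return "empty_or_refused", fields  # e.g. rate limited or blocked IP
    return "ok", fields

if __name__ == "__main__":
    print("offline parse:", parse_fields(SAMPLE))
    print("live check:", diagnose("23.215.52.250"))
```

Run it as the same OS user that runs graylog-server, since host firewall rules can differ per user or process.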
