Whois lookup table is giving a strange error


(Mariusgeonea) #1

Hello,

on the whois lookup table i’m trying to do a test lookup for 8.8.8.8
and the result is:

{
  "single_value": "Lookup Error: Connection refused (Connection refused)",
  "multi_value": {
    "value": "Lookup Error: Connection refused (Connection refused)"
  },
  "ttl": 9223372036854776000
}

any idea what could be wrong?


(Jochen) #2

Check the logs of your Graylog node(s).
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Mariusgeonea) #3

2018-06-02T16:46:36.969-04:00 ERROR [WhoisIpLookup] Could not lookup WHOIS information for [159.66.236.64] at [ARIN].
2018-06-02T16:46:36.970-04:00 ERROR [WhoisIpLookup] Could not lookup WHOIS information for [138.68.46.177] at [ARIN].


(Jochen) #4

Please post the complete logs.


(Mariusgeonea) #5

the complete logs are around 26 MB and it didn’t worked to paste them all in here…


(Jan Doberstein) #6

Did you checked if the WHOIS lookup is working from the command line from your Graylog server?

It might be blocked by any firewall that is between the Graylog server and the WHOIS Server of ARIN. Or you have been ratelimited because of an overuse. That would be indicated by the logfiles.

Without providing this information we are not able to look that up and you need to find out and investigate on your own.

with kind regards
Jan


(Mariusgeonea) #7

there is no firewall that is blocking graylog, but most probably is that rate limit…

graylog needs to perform around 10k msg/s * 2 IPs (source and destination) lookups…

thanks for the support guys.

Br,
Marius.


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.