Whois lookup table is giving a strange error


on the whois lookup table i’m trying to do a test lookup for
and the result is:

  "single_value": "Lookup Error: Connection refused (Connection refused)",
  "multi_value": {
    "value": "Lookup Error: Connection refused (Connection refused)"
  "ttl": 9223372036854776000

any idea what could be wrong?

Check the logs of your Graylog node(s).
:arrow_right: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

2018-06-02T16:46:36.969-04:00 ERROR [WhoisIpLookup] Could not lookup WHOIS information for [] at [ARIN].
2018-06-02T16:46:36.970-04:00 ERROR [WhoisIpLookup] Could not lookup WHOIS information for [] at [ARIN].

Please post the complete logs.

the complete logs are around 26 MB and it didn’t worked to paste them all in here…

Did you checked if the WHOIS lookup is working from the command line from your Graylog server?

It might be blocked by any firewall that is between the Graylog server and the WHOIS Server of ARIN. Or you have been ratelimited because of an overuse. That would be indicated by the logfiles.

Without providing this information we are not able to look that up and you need to find out and investigate on your own.

with kind regards

there is no firewall that is blocking graylog, but most probably is that rate limit…

graylog needs to perform around 10k msg/s * 2 IPs (source and destination) lookups…

thanks for the support guys.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.