We’re getting unexpected WhoisIpLookup errors that only occur on whatever pod is master. We tried making a new pod master and the problem went to the new pod. We tried disabling all calls to it in our pipeline rules and yet the errors persist. The strange part is that it is not attempting to look up an IP, but rather, the message of a log entry. Example:
2023-06-28 22:26:29,543 ERROR [WhoisIpLookup] - Could not lookup WHOIS information for [May 29 03:25:12 someserver sshd[22]: Connection from x.x.x.x port 22 on x.x.x.x port 22] at [someserver]. - {}
We don’t understand what’s making the calls to it since we disabled it in the pipelines. Any ideas on what else to check?
We removed all pipelines, all inputs, and we are still getting the errors in the logs.
Edit 2:
We also noticed that it seems to be processing old messages. Since it’s passing the log message to the IP field, some of those log messages have a time stamp and they appear to be from about a month ago. We stopped our inputs and the WhoisIpLookup errors are still coming through to the container logs.
Correct me if I'm wrong, but that plugin looks too old for the version of Graylog you have. You should see something like this under System/Nodes. Mine is older, but they should match your version of Graylog, being 5.1.x.