WhoisIpLookup (Threat Intel) errors but only on master pod

We’re getting unexpected WhoisIpLookup errors that only occur on whatever pod is master. We tried making a new pod master and the problem went to the new pod. We tried disabling all calls to it in our pipeline rules and yet the errors persist. The strange part is that it is not attempting to lookup an IP, but rather, the message of a log entry. Example:

2023-06-28 22:26:29,543 ERROR [WhoisIpLookup] - Could not lookup WHOIS information for [May 29 03:25:12 someserver sshd[22]: Connection from x.x.x.x port 22 on x.x.x.x port 22] at [someserver]. - {}

We don’t understand what’s making the calls to it since we disabled it in the pipelines. Any ideas on what else to check?

Kubernetes/docker running pods on Ubuntu 22.04
Graylog version: 5.1.2+d970230
org.graylog.plugins.threatintel.ThreatIntelPlugin 5.1.2
ElasticSearch: 7.10.2
MongoDB: 6.0.6

We removed all pipelines, all inputs, and we are still getting the errors in the logs.

Edit 2:
We also noticed that it seems to be processing old messages. Since it’s passing the log message to the IP field, some of those log messages have a time stamp and they appear to be from about a month ago. We stopped our inputs and the WhoisIpLookup errors are still coming through to the container logs.

Hey @amunoz

Correct me if im wrong , but that plugin looks to old for the version of Graylog you have. you should see something liek this under System/Nodes. mine is older but they should match your version of Graylog being 5.1.x.

Thanks for the response @gsmith

Looks like Threat Intelligence Plugin is also 5.1.2. The version I posted was showing that it met the constraints. My apologies.

Edited the post to add that we removed all pipelines, all inputs, and we are still getting the error in the logs.

We’re also seeing this which may or may not be related:

We found the problem here. It ended up being an Event that was doing a whois and passing in the message.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.