Lookup Table Problem

[cmiscloni]

Hi all,

After migration of Graylog from 2.3 to 2.4, I have now some troubles on Lookup tables

How can I fix this please ?

Thanks

[dennisoelkers]

Do you see any other errors in the server log?

[cmiscloni]

Yes, this for example:

java.util.concurrent.ExecutionException: java.lang.IllegalArgumentException: Could not parse [https://play.google.com/]
        at org.graylog2.lookup.caches.GuavaLookupCache$InstrumentedCache.get(GuavaLookupCache.java:243) ~[graylog.jar:?]
        at org.graylog2.lookup.caches.GuavaLookupCache.get(GuavaLookupCache.java:104) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupTable.lookup(LookupTable.java:72) ~[graylog.jar:?]
        at org.graylog2.lookup.LookupTableService$Function.lookup(LookupTableService.java:534) ~[graylog.jar:?]
        at org.graylog.plugins.threatintel.functions.spamhaus.SpamhausIpLookupFunction.evaluate(SpamhausIpLookupFunction.java:43) ~[?:?]
        at org.graylog.plugins.threatintel.functions.spamhaus.SpamhausIpLookupFunction.evaluate(SpamhausIpLookupFunction.java:16) ~[?:?]
        at org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction.lambda$matchEntityAgainstFunctions$2(AbstractGlobalLookupFunction.java:44) ~[?:?]
        at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_131]
        at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_131]
        at java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet.lambda$entryConsumer$0(Collections.java:1575) ~[?:1.8.0_131]
        at java.util.Iterator.forEachRemaining(Iterator.java:116) [?:1.8.0_131]
        at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801) [?:1.8.0_131]
        at java.util.Collections$UnmodifiableMap$UnmodifiableEntrySet$UnmodifiableEntrySetSpliterator.forEachRemaining(Collections.java:1600) [?:1.8.0_131]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) [?:1.8.0_131]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) [?:1.8.0_131]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) [?:1.8.0_131]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) [?:1.8.0_131]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) [?:1.8.0_131]
        at org.graylog.plugins.threatintel.functions.global.AbstractGlobalLookupFunction.matchEntityAgainstFunctions(AbstractGlobalLookupFunction.java:48) [graylog-plugin-threatintel-2.4.0.jar:?]
        at org.graylog.plugins.threatintel.functions.global.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:61) [graylog-plugin-threatintel-2.4.0.jar:?]
        at org.graylog.plugins.threatintel.functions.global.GlobalIpLookupFunction.evaluate(GlobalIpLookupFunction.java:23) [graylog-plugin-threatintel-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.FunctionExpression.evaluateUnsafe(FunctionExpression.java:63) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.expressions.Expression.evaluate(Expression.java:41) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:33) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.ast.statements.VarAssignStatement.evaluate(VarAssignStatement.java:22) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStatement(PipelineInterpreter.java:377) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.executeRuleActions(PipelineInterpreter.java:364) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.evaluateStage(PipelineInterpreter.java:305) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.processForResolvedPipelines(PipelineInterpreter.java:263) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:143) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog.plugins.pipelineprocessor.processors.PipelineInterpreter.process(PipelineInterpreter.java:99) [graylog-plugin-pipeline-processor-2.4.0.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.handleMessage(ProcessBufferProcessor.java:114) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.dispatchMessage(ProcessBufferProcessor.java:100) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:77) [graylog.jar:?]
        at org.graylog2.shared.buffers.processors.ProcessBufferProcessor.onEvent(ProcessBufferProcessor.java:42) [graylog.jar:?]
        at com.lmax.disruptor.WorkProcessor.run(WorkProcessor.java:143) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]

[cmiscloni]

Worked good with 2.4 beta but not since the official release

[danotorrey]

Hi @cmiscloni, Are you still able to reproduce this error? We would appreciate any additional details that might help us to reproduce the issue.

[cmiscloni]

Hi @danotorrey, yes problem still existing as soon I enable Spamhaus plugin
Let me know where I can search to give you more details.