Whois for IPs Data Adapter

The Whois for IPs data adapter in Graylog lets you enrich log messages containing IP addresses with information about the registered owner of those addresses. Whois data provides details such as the organization or entity responsible for the IP address allocation and its contact information.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • Install the Whois for IPs Plugin content pack. This content pack installs the Whois data adapter, cache, and lookup table:

    1. Navigate to System > Content Packs.

    2. Search for Whois for IPs - Threat Intel Plugin in the Filter box.

    3. Click on Install.

  • Enable the Threat Intelligence Lookup plugin:

    1. Navigate to System > Configurations.

    2. From the left menu pane select Plugins.

    3. Select Threat Intelligence Lookup and click on the Edit configuration button.

    4. Check the Allow Whois lookups checkbox.

    5. Click the Update configuration button to save your selection.

  • Verify that your Graylog server has outbound network access to whois.arin.net on TCP port 43. This is crucial: Graylog queries this Whois server directly for IP address information, so a firewall or egress proxy that blocks port 43 causes every lookup to fail with a connection error or timeout.

Configure the Data Adapter

You can create a data adapter during the lookup table creation workflow, or separately on the Data Adapters tab. The following configuration options are available for this data adapter:

Configuration Parameters

Title

A short and unique title for this data adapter.

Description

Data adapter description.

Name

The name used to refer to this data adapter. This should be something unique and recognizable within your Graylog environment.

Custom Error TTL

Time-to-live for custom error messages in seconds. This controls how long custom error responses are cached.

Connect Timeout

The connect timeout specifies the maximum amount of time in milliseconds that Graylog will wait for a connection to be established with the remote server. If the server does not respond within this time, a connection timeout error will occur. This parameter is crucial for handling scenarios where the remote server may be slow to respond or unreachable. For example: 5000 milliseconds (5 seconds).

Read Timeout

The read timeout specifies the maximum amount of time in milliseconds that Graylog will wait for data to be read from the remote server once a connection has been established. If the server starts responding but does not complete sending data within this time, a read timeout error will occur. This parameter ensures that Graylog does not wait indefinitely for data that may never arrive. For example: 10000 milliseconds (10 seconds).
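The following script is an added example, not Graylog's own code or the plugin's implementation. It does at the wire level what the data adapter does: a plain-text RFC 3912 query to whois.arin.net on TCP port 43. Run it from the Graylog host to confirm the port-43 prerequisite above, and use its two timeout parameters to see exactly which failure the Connect Timeout and the Read Timeout each guard against. The sample response and the organization names in it are constructed; the timeouts here are in seconds, whereas the Graylog form takes milliseconds.

```python
"""Minimal RFC 3912 whois client with separate connect and read timeouts.

Added example; not Graylog's own code. It does what the data adapter does
at the wire level (a plain-text query to whois.arin.net, TCP port 43) so
you can check the port-43 prerequisite from the Graylog host and see
which timeout each failure mode triggers. Timeouts are in seconds here;
the Graylog form takes milliseconds.
"""
import socket
import threading
import time

WHOIS_HOST = "whois.arin.net"
WHOIS_PORT = 43

# Constructed sample response (TEST-NET-2 addresses, fictional org); it is
# not real ARIN output, only the "Key:   value" layout ARIN uses.
SAMPLE_RESPONSE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET-1
Organization:   Example Networks, Inc. (EXAMP-1)
OrgName:        Example Networks, Inc.
OrgId:          EXAMP-1
OrgAbuseEmail:  abuse@example.net
"""


def query_whois(ip, host=WHOIS_HOST, port=WHOIS_PORT,
                connect_timeout=5.0, read_timeout=10.0):
    """Return (status, text). status is "ok", "connect_timeout",
    "read_timeout" or "error"; text is the response or the error."""
    stage = "connect"
    chunks = []
    try:
        # create_connection applies its timeout to the TCP handshake only:
        # that is the Connect Timeout.
        with socket.create_connection((host, port), timeout=connect_timeout) as sock:
            stage = "read"
            sock.settimeout(read_timeout)  # now bounds every recv(): Read Timeout
            sock.sendall(f"{ip}\r\n".encode("ascii"))  # RFC 3912: query + CRLF
            while True:
                data = sock.recv(4096)
                if not data:  # server closes the connection when it is done
                    break
                chunks.append(data)
    except socket.timeout:
        return f"{stage}_timeout", ""
    except OSError as exc:  # DNS failure, connection refused, reset, ...
        return "error", str(exc)
    return "ok", b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Collapse 'Key: value' lines into a dict, skipping '#' comment lines.
    The first value seen for a key wins, so a multi-record answer keeps the
    record the server lists first."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields


def demo_read_timeout(read_timeout=0.2):
    """Reproduce the read-timeout failure mode offline: a local stub accepts
    the connection (so the Connect Timeout is satisfied) but never answers,
    so only the Read Timeout can fire. Returns the status string."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def silent_server():
        conn, _ = listener.accept()
        conn.recv(1024)  # read the query, then say nothing
        time.sleep(read_timeout * 3)
        conn.close()

    worker = threading.Thread(target=silent_server, daemon=True)
    worker.start()
    status, _ = query_whois("198.51.100.1", host="127.0.0.1", port=port,
                            connect_timeout=1.0, read_timeout=read_timeout)
    worker.join()
    listener.close()
    return status


if __name__ == "__main__":
    import sys
    print("offline read-timeout demo:", demo_read_timeout())
    print("parsed sample OrgName:", parse_whois(SAMPLE_RESPONSE)["OrgName"])
    if len(sys.argv) > 1:  # live prerequisite check: python whois_probe.py <ip>
        status, body = query_whois(sys.argv[1])
        print(status, parse_whois(body).get("OrgName") if status == "ok" else body)
```

Running the script with no arguments exercises the read-timeout path against a local stub; passing an IP performs a live query against whois.arin.net, which is the same reachability the data adapter needs. A `connect_timeout` result from the live query points at a firewall or egress rule on port 43, while `read_timeout` means the TCP connection succeeded and the server (or a middlebox) is not delivering the answer within the Read Timeout.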

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: