Today let’s examine Graylog – an open source log management tool. I am going to run an AWS EC2 instance based on a publicly available AMI. Current list of images is available here.
It’s recommended to have at least 4GB memory for this appliance, so I have chosen t.2medium sized instance.
It’s important to set correct security rules. I have created a special rule set for this test graylog server, allowing only the access from my IP. In a production environment it would be an address from the private network (like Amazon VPC). Ports 80 and 9000 have to be open for web interface access.
When the instance is running, it can be accessed with the command:
ssh -i "yourkey.pem" firstname.lastname@example.org
As a good start, let’s configure a few options:
sudo graylog-ctl set-external-ip http://<external-ip>:9000/api/
sudo graylog-ctl set-admin-password yourpasshere
sudo graylog-ctl set-timezone "Europe/Warsaw"
sudo graylog-ctl reconfigure
After a few minutes it is possible to log in.
I am going to monitor localhost. Graylog does not support (agentless) file input. Graylog agent, Logstash, NXLog or other collector has to be installed. In this case I am going to use standard rsyslog and TCP transport.
I create a new input from “Inputs” menu.
Then I save the following config to /etc/rsyslog.d/90-graylog2.conf
And restart rsyslog.
sudo /etc/init.d/rsyslog restart
Notice: localhost or 127.0.0.1 is not going to work, therefore use the AWS VPC private address (10.0.0.128:514 in my case).
Finally, the message is here! Now we are at a good place to start evaluating Graylog.