Graylog and AWS quick start

Today let’s examine Graylog – an open source log management tool. I am going to run an AWS EC2 instance based on a publicly available AMI. The current list of images is available here.


It’s recommended to have at least 4 GB of memory for this appliance, so I have chosen a t2.medium sized instance.


It’s important to set correct security rules. I have created a special rule set for this test Graylog server, allowing access only from my IP. In a production environment it would be an address from the private network (like Amazon VPC). Ports 80 and 9000 have to be open for web interface access.
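
An added example, not part of the original post: a Python check over the JSON that `aws ec2 describe-security-groups` returns, listing any rule that opens ports 80 or 9000 to anything other than one admin address or an RFC 1918 private range. The sample group, the placeholder group id and the admin address 203.0.113.10 are constructed for illustration.

```python
import ipaddress

WEB_PORTS = (80, 9000)  # web interface ports named in the post
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like one "SecurityGroups" entry; the id is a placeholder.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9100,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def covers(perm, port):
    """True if this IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def is_private(net):
    """True only for IPv4 ranges that lie entirely inside RFC 1918 space."""
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def audit(group, admin_ip, ports=WEB_PORTS):
    """Return sorted (port, cidr) pairs open beyond admin_ip or a private range."""
    # Rules that reference another security group (UserIdGroupPairs) are not evaluated.
    admin = ipaddress.ip_address(admin_ip)
    findings = set()
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if (net.num_addresses == 1 and admin in net) or is_private(net):
                continue
            findings.update((p, cidr) for p in ports if covers(perm, p))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP, "203.0.113.10"))
```

The port-range rule in the sample shows why the check compares ranges instead of exact ports: a rule for 8000-9100 exposes 9000 even though 9000 never appears in it.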


When the instance is running, it can be accessed with the command:

ssh -i "yourkey.pem"

As a good start, let’s configure a few options:

After a few minutes it is possible to log in.


I am going to monitor localhost. Graylog does not support (agentless) file input. A Graylog agent, Logstash, NXLog or another collector has to be installed. In this case I am going to use standard rsyslog and TCP transport.

I create a new input from the “Inputs” menu.


Then I save the following config to /etc/rsyslog.d/90-graylog2.conf


And restart rsyslog.

sudo /etc/init.d/rsyslog restart

Notice: localhost or is not going to work, therefore use the AWS VPC private address ( in my case).

Finally, the message is here! Now we are at a good place to start evaluating Graylog.




