Graylog and AWS quick start

Today let’s examine Graylog – an open source log management tool. I am going to run an AWS EC2 instance based on a publicly available AMI. Current list of images is available here.

It’s recommended to have at least 4GB of memory for this appliance, so I have chosen a t2.medium instance.

It’s important to set correct security rules. I have created a dedicated rule set (security group) for this test Graylog server, allowing access only from my IP address. In a production environment this would be an address from the private network (such as an Amazon VPC). Ports 80 and 9000 have to be open for access to the web interface.

When the instance is running, it can be accessed with the command:

ssh -i "yourkey.pem" ubuntu@ec2-xxx-xxx-xxx-xxx.eu-central-1.compute.amazonaws.com

As a good start, let’s configure a few options:

After a few minutes it is possible to log in.

I am going to monitor localhost. Graylog does not support agentless file input: a collector such as the Graylog agent, Logstash or NXLog has to be installed on the monitored host. In this case I am going to use the standard rsyslog with TCP transport.

I create a new input from the “Inputs” menu.

Then I save the following config to /etc/rsyslog.d/90-graylog2.conf:

*.* @@graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

And restart rsyslog:

sudo /etc/init.d/rsyslog restart

Notice: localhost or 127.0.0.1 is not going to work as the destination; use the AWS VPC private address of the Graylog instance instead (10.0.0.128:514 in my case).
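As an added example (not from the original post), a small Python check for the forwarding rule above: it flags the loopback destination the notice warns about, confirms TCP transport and the RSYSLOG_SyslogProtocol23Format template, and shows the RFC 5424 line that template puts on the wire to Graylog's syslog TCP input. The host names, timestamp and sample message are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Legacy rsyslog forwarding syntax: "<selector> @host[:port]" is UDP,
# "<selector> @@host[:port]" is TCP; ";<template>" is optional.
RULE_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<template>\S+))?$"
)
RFC5424_TEMPLATE = "RSYSLOG_SyslogProtocol23Format"
SAMPLE_TS = datetime(2016, 11, 10, 12, 0, 0, tzinfo=timezone.utc)  # constructed

def parse_forward_rule(line):
    """Split a forwarding rule into selector, transport, host, port, template."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a forwarding rule: %r" % line)
    return {
        "selector": m["selector"],
        "transport": "tcp" if m["at"] == "@@" else "udp",
        "host": m["host"],
        "port": int(m["port"] or 514),  # syslog default when omitted
        "template": m["template"],
    }

def check_forward_rule(line):
    """Return the problems found; an empty list means the rule looks usable."""
    rule = parse_forward_rule(line)
    problems = []
    # The notice above: forward to the VPC private address of the Graylog
    # host, never to the loopback interface of the sending host.
    try:
        is_loopback = ipaddress.ip_address(rule["host"]).is_loopback
    except ValueError:
        is_loopback = rule["host"] == "localhost"
    if is_loopback:
        problems.append("destination is loopback")
    if rule["transport"] != "tcp":
        problems.append("UDP forwarding; the post uses TCP (@@)")
    if rule["template"] != RFC5424_TEMPLATE:
        problems.append("template is not " + RFC5424_TEMPLATE)
    return problems

def rfc5424_frame(facility, severity, hostname, app, procid, msg, ts=None):
    """Line RSYSLOG_SyslogProtocol23Format emits: <PRI>1 TIMESTAMP HOSTNAME
    APP-NAME PROCID MSGID STRUCTURED-DATA MSG ('-' for the absent fields)."""
    pri = facility * 8 + severity
    stamp = (ts or datetime.now(timezone.utc)).isoformat(timespec="microseconds")
    return "<%d>1 %s %s %s %s - - %s" % (pri, stamp, hostname, app, procid, msg)
```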

Finally, the message is here! Now we are at a good place to start evaluating Graylog.

References

  1. http://docs.graylog.org/en/2.1/pages/installation/aws.html
  2. http://docs.graylog.org/en/2.1/pages/configuration/graylog_ctl.html
  3. https://marketplace.graylog.org/addons/a47beb3b-0bd9-4792-a56a-33b27b567856
