AWS EC2 Instance - Blank Screen

I have created an AWS instance using the Graylog AMI in the AWS Marketplace. I have followed the instructions to the letter. I have also added a firewall rule to allow port 9000.
The instance has been successfully spun up and I can connect to it via SSH and I can edit the config files as per the instructions.

I have used my AWS assigned public IP address and when I log on via Chrome to “http://public-ip-address” I get a blank screen with the tab labelled Graylog Web Interface. If I try “http://public-ip-address:9000” I receive a “This site can’t be reached - connection refused” error message.

I have tried the same with the AWS domain names and the result is the same.

Any ideas on what I can do?

Here is the relevant part of the config file:

Web interface REST endpoint URI. Must be reachable from the user’s browser. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL heade$

Default: $rest_transport_uri

web_endpoint_uri = http://63.32.53.200:9000/api/

Here’s the other salient part of the configs from
/etc/nginx/sites-available/default

server
{
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
server_name 63.32.53.200:9000;

Reading through the forum this has been a frequent issue but no examples of it on the AWS instance. It's a shame because I would have expected a marketplace instance to be trouble free.

Hey @bungo63

What Graylog version did you have?

Jan, here are the AMI details from AWS. Is this what you are looking for? If not, can you tell me how I will determine the version from the command line as I am not very familiar with Linux.

Graylog3.0.2-Ubuntu18.04-96afbc12-2b01-4fc3-964c-e2ea2eeddac7-ami-035e7a19ab0320cc0.4 (ami-0424bf7ee27338a74).

Today I have experimented with using the internal (Private) IPs (the ones mentioned previously are the external (public) IPs), but I’m still getting the same results. I feel so close but I cannot fathom what’s wrong.

One thing I have noticed is that in some of the older posts there is something in the config file called the publish_api. This is not in the current config file, but then it looks to me like the current config file appears to have consolidated a number of things from previous versions.

Hey @bungo63

I would really recommend selecting the latest available version, which is 3.2, and not the more than 12 months old 3.0 version.

Not only is that Graylog version EOL already, but the new version has a cleaner image and the support for it is easier.

Jan, thanks for the reply. Much appreciated. My response is numbered for ease of reference.

  1. When you select the Graylog AMI from the AWS marketplace you do not get an option of the versions. This version is the only one available!

  2. Is there a plan to update the AMI in the Marketplace to version 3.2? And if so when?

  3. Having installed the Graylog AMI v.3.0 is there a way it can be updated from the command line?

  4. Or, do I have to build a unix box and add the components individually? If so where are the best/latest instructions for doing this with v3.2?

A prompt response would be appreciated as I have time today to work on this. Thanks.

Hey @bungo63

I’ll check about the AMI - which region did you choose?

But my personal recommendation would be to do a custom installation anyway. This way you have knowledge about what is running in what version and what parts are essential.

We have step-by-step guides for the most used distributions: https://docs.graylog.org/en/3.2/pages/installation.html

The AWS region is Europe (Ireland) eu-west-1.

I’ll take a look at the installation guide and see if I can start building. If I can get it working then it proves there’s something “odd” with the AMI.

@bungo63

Just checked the AMI image name/version and it looks like you are not using the official one from Graylog.

The latest release according to our docs is:

version region AMI
3.2.4 eu-west-1 ami-05d835310eba8a104
3.2.4 eu-west-2 ami-08a96499a01a7bedb
3.2.4 eu-west-3 ami-0bef0fb9a5d18114a
3.2.4 eu-central-1 ami-09a24faad5dbcd6c5

The one you have used is https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=ami-0424bf7ee27338a74 which is created by Websoft9 and has had no updates in ages.
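Added example, not part of the thread or of Graylog's documentation: a check of running instances against the published AMI list quoted in the reply above, so an image from a different publisher is caught before troubleshooting starts. The `describe-instances` JSON is a constructed sample with made-up instance IDs, and the function names are hypothetical.

```python
import json

# Version / region / AMI rows exactly as listed in the reply above.
PUBLISHED = """
3.2.4 eu-west-1 ami-05d835310eba8a104
3.2.4 eu-west-2 ami-08a96499a01a7bedb
3.2.4 eu-west-3 ami-0bef0fb9a5d18114a
3.2.4 eu-central-1 ami-09a24faad5dbcd6c5
"""

# Constructed sample in the shape `aws ec2 describe-instances --output json`
# returns. Instance IDs are made up; the AMI IDs are the two from the thread.
SAMPLE = json.dumps({"Reservations": [
    {"Instances": [{"InstanceId": "i-0000000000000000a",
                    "ImageId": "ami-0424bf7ee27338a74"}]},
    {"Instances": [{"InstanceId": "i-0000000000000000b",
                    "ImageId": "ami-05d835310eba8a104"}]},
]})

def parse_published(text):
    """Map region -> {ami_id: version} from whitespace-separated rows."""
    table = {}
    for row in text.split("\n"):
        parts = row.split()
        if len(parts) == 3 and parts[2].startswith("ami-"):
            version, region, ami = parts
            table.setdefault(region, {})[ami] = version
    return table

def audit(describe_instances_json, region, published):
    """Return (instance_id, ami_id, verdict) for every instance in the output."""
    known = published.get(region)
    results = []
    for reservation in json.loads(describe_instances_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            ami = inst.get("ImageId", "")
            if known is None:
                # AMI IDs are per region, so a missing region proves nothing.
                verdict = "no published list for region"
            elif ami in known:
                verdict = "official " + known[ami]
            else:
                verdict = "not in published list"
            results.append((inst.get("InstanceId"), ami, verdict))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE, "eu-west-1", parse_published(PUBLISHED)):
        print(*row)
```
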

Jan, thank you for this update. Good news! I used the links on GitHub and built a new AMI and was able to access the web GUI first time and login.
The GitHub AMI builder link is so cool!

For other readers' reference the instructions are very good as long as you take your time and are prepared to jump back and forward to copy text (if you’re not an Ubuntu person!).
I would add that referencing the Edit the Configuration File section in Docs » Installing Graylog » Operating System Packages » Ubuntu installation is very useful.

I am now having difficulty ingesting logs but that is another thread.

So Jan, thanks for helping me out on this occasion. Much appreciated.
I think this thread can be closed.

Quick update. After 2 hours of tinkering and learning more Ubuntu I have now got my UDP ports permanently redirected and am ingesting syslogs!!

Can I add that when editing the /etc/graylog/server/server.conf, the bind address will be the AWS internal IP address, not the external/elastic/public one (if you have one configured). This is also the bind address that you configure in the Inputs.

Question: Why does the bind address in the input panel of the GUI always default to 0.0.0.0 even if you have another address configured into the config file?

Hey @bungo63

The reason for using 0.0.0.0 as default is that it will bind to all available interfaces by default. That is something you also need in a cluster environment to be able to define a “global” input that is bound to all servers on the same port.

The recommendation is, unless you need something different, to bind the inputs to all interfaces.
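Added example, not part of the thread: a loopback-only illustration of the two bind-address points above, the wildcard 0.0.0.0 versus one specific address, and why an address that is not configured on any interface cannot be bound at all. An EC2 public or Elastic IP is such an address, because it is translated to the private IP outside the instance. It assumes a Linux host, where the whole 127.0.0.0/8 range is local; 192.0.2.1 (TEST-NET-1) stands in for the non-local address, and the function names are hypothetical.

```python
import errno
import socket

NOT_LOCAL = "192.0.2.1"  # TEST-NET-1: stand-in for an address on no local interface

def try_bind(addr):
    """Bind a UDP socket to addr on a kernel-chosen port.
    Returns the socket, or None if addr is not configured locally."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, 0))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRNOTAVAIL:
            return None
        raise
    sock.settimeout(0.5)
    return sock

def reaches(bind_addr, dest_addr, payload=b"<14>constructed syslog line"):
    """True if a datagram sent to dest_addr arrives at a listener bound to bind_addr."""
    rx = try_bind(bind_addr)
    if rx is None:
        return False
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(payload, (dest_addr, rx.getsockname()[1]))
        return rx.recvfrom(1024)[0] == payload
    except OSError:  # includes socket.timeout: nothing arrived
        return False
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    print("bind to non-local address possible:", try_bind(NOT_LOCAL) is not None)
    for bind_addr in ("0.0.0.0", "127.0.0.1"):
        for dest in ("127.0.0.1", "127.0.0.2"):
            print(f"listener on {bind_addr}, sent to {dest}:", reaches(bind_addr, dest))
```

A wildcard input accepts traffic arriving on every address the host has, so which senders can reach it is decided by the security group and host firewall rather than by the bind address.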

Jan. Thanks for the clarification. More learning!
