We’re in the process of microsegmenting our Graylog, Elasticsearch, and Mongo, which are required for Graylog to function. We’re going to block all outbound communication except those required to receive updates from Graylog and to satisfy the licensing compliance check. Does that list exist anywhere? We’re seeing some AWS IP addresses among others.
Graylog uses this URL to check for Graylog license violations (for the enterprise license), and also to check whether a new version is available: https://api.graylog.com

curl -v https://api.graylog.com/releases/active
For anyone else looking for this info, we were able to successfully microsegment around Graylog and its dependencies only accounting for api.graylog.com, or more generally Amazon EC2, as the DNS appears to resolve to all of EC2. So, we just have a process now that checks for changes to those IP ranges and updates the microsegmentation rules accordingly.
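An added example in the spirit of the process described in the last reply (not code from the thread or from Graylog): it takes the EC2-tagged prefixes from two snapshots of AWS's published ip-ranges.json, reports which prefixes an egress allow-list must add or remove, and checks that each address api.graylog.com resolved to is actually covered by a current EC2 prefix. The field names follow AWS's published JSON format; the snapshot contents and resolved addresses are constructed documentation ranges, and resolving the name and fetching the JSON are assumed to happen outside this script.

```python
import ipaddress
import json

# Two constructed snapshots in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). The prefixes are
# documentation ranges made up for this example, not real AWS ranges.
OLD_SNAPSHOT = json.dumps({"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
]})
NEW_SNAPSHOT = json.dumps({"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "S3"},
]})


def ec2_prefixes(snapshot_json):
    """EC2-tagged prefixes from an ip-ranges.json document; other services are ignored."""
    doc = json.loads(snapshot_json)
    return {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == "EC2"}


def covering_prefix(address, prefixes):
    """Longest EC2 prefix containing a resolved address, or None if nothing covers it.
    None means the snapshot is stale or the name no longer points at EC2:
    alert on it rather than silently widening the allow-list."""
    ip = ipaddress.ip_address(address)
    matches = [p for p in prefixes if ip in p]
    return str(max(matches, key=lambda p: p.prefixlen)) if matches else None


def rule_changes(old_json, new_json):
    """Prefixes to add to / remove from the egress allow-list between two snapshots."""
    old, new = ec2_prefixes(old_json), ec2_prefixes(new_json)
    return {"add": sorted(str(p) for p in new - old),
            "remove": sorted(str(p) for p in old - new)}


if __name__ == "__main__":
    # In production the addresses come from resolving api.graylog.com (e.g.
    # socket.getaddrinfo) and the snapshots from fetching ip-ranges.json;
    # here both are constructed so the example runs offline.
    resolved = ["203.0.113.10", "198.51.100.7", "192.0.2.5"]
    current = ec2_prefixes(NEW_SNAPSHOT)
    for addr in resolved:
        print(addr, "->", covering_prefix(addr, current))
    print(rule_changes(OLD_SNAPSHOT, NEW_SNAPSHOT))
```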