Graylog Plugin AWS


(Chris Broll) #1

So I was looking at setting up the AWS Plugin to ingest Flowlogs and then CloudTrail events.

It was all going well until “Step 4” in the readme for Flowlogs - Launching a new input.

The region I am using (eu-west-2 - London) is missing from the AWS Region drop down.

So my question is: if London is available, what is the minimum version I need to upgrade to? I am currently on Graylog 2.1.1, would 2.1.3 (with plugin 1.2.1) have this region available?

I also noticed that plugin version 1.2.0 also only has the ability to add one set of AWS Credentials thus limiting the usefulness of the plugin. Has this been addressed in later versions? How are multiple accounts handled?

Any constructive input would be greatly appreciated.


(Jochen) #2

Yes, that version should include the eu-west-2 region (which was added in aws-sdk-java 1.11.67).

That’s currently not supported.

https://github.com/graylog-labs/graylog-plugin-aws/issues/13


(Chris Broll) #3

Thanks @jochen - I will look at upgrading tomorrow and delve into the pain of cross account access.


(Chris Broll) #4

Hello @jochen, I upgraded Graylog server to 2.1.3 and the AWS plugin to 1.2.1, and I can now add eu-west-2, but I am seeing an API call error in the server log file.

2017-04-21T11:56:56.061+01:00 ERROR [InstanceLookupTable] Error when trying to refresh AWS instance lookup table in [eu-west-2] com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to ec2.eu-west-2.amazonaws.com:443 [ec2.eu-west-2.amazonaws.com/52.94.56.52] failed: connect timed out

I have tried adding both dynamodb.eu-west-2.amazonaws.com and ec2.eu-west-2.amazonaws.com to the proxy allowed list and I can hit both these URLs from the command line on the Graylog server. I have also tried turning off the proxy filter (thus allowing all outbound traffic) and the CLI gives the same results (using curl).

I must have missed something, have you seen this before?


(Jochen) #5

I don’t think that the Graylog AWS plugin currently supports using proxy servers for all parts.


(Chris Broll) #6

@jochen - that’s okay, the routing table handles the proxy, and even with the proxy turned off I still get:

 2017-04-21T12:51:56.694+01:00 ERROR [LeaseManager] Failed to get table status for graylog-aws-plugin

(Chris Broll) #7

@jochen - I notice that AWSPluginConfiguration.jsx in v1.3.2 mentions:

help={When enabled, we'll access the AWS APIs through the HTTP proxy configured (http_proxy_uri) in your Graylog configuration file. Important: You might have to restart AWS message inputs for this configuration to take effect.}

So I guess that newer versions of the Plugin can deal with a Proxy (no mention of HTTPS) and that my /etc/environment proxy settings are being ignored. I think I might have to upgrade again to the latest versions.