Graylog Plugin AWS

SnazzyBootMan · April 20, 2017, 11:11am

So I was looking at setting up the AWS Plugin so ingest Flowlogs and then CloudTrail events.

It was all going well until “Step 4” in the readme for Flowlogs - Launching a new input.

The region I am using (eu-west-2 - London) is missing from the AWS Region drop down.

So my question is if London is available what is the minimum version I need to upgrade to? I am currently on Graylog 2.1.1, would 2.1.3 (with plugin 1.2.1) have this region available?

I also noticed that plugin version 1.2.0 also only has the ability to add one set of AWS Credentials thus limiting the usefulness of the plugin. Has this been addressed in later versions? How are multiple accounts handled?

Any constructive input would be greatly appreciated.

jochen · April 20, 2017, 12:11pm

Yes, that version should include the eu-west-2 region (which was added in awsk-sdk-java 1.11.67).

That’s currently not supported.

SnazzyBootMan · April 20, 2017, 12:36pm

Thanks @jochen - I will look at upgrading tomorrow and delve into the pain of cross account access.

SnazzyBootMan · April 21, 2017, 11:09am

Hello @jochen, I upgraded GrayLog server to 2.1.3 and the AWS plugin to 1.2.1 and I can now add eu-west-2 but I am seeing an API call error in the server log file.

2017-04-21T11:56:56.061+01:00 ERROR [InstanceLookupTable] Error when trying to refresh AWS instance lookup table in [eu-west-2] com.amazonaws.SdkClientException: Unable to execute HTTP request: Connect to ec2.eu-west-2.amazonaws.com:443 [ec2.eu-west-2.amazonaws.com/52.94.56.52] failed: connect timed out

I have tried adding both dynamodb.eu-west-2.amazonaws.com and ec2.eu-west-2.amazonaws.com to the proxy allowed list and I can hit both these URLs from the command line on the GrayLog server. I have also tried turning off the proxy filter (thus allowing all outbound traffic) and the CLI give the same results (using curl).

I must have missed something, have you seen this before?

jochen · April 21, 2017, 11:53am

I don’t think that the Graylog AWS plugin currently supports using proxy servers for all parts.

SnazzyBootMan · April 21, 2017, 12:18pm

@jochen - that’s okay the routing table handles the proxy and even with the proxy turned off I still get:

 2017-04-21T12:51:56.694+01:00 ERROR [LeaseManager] Failed to get table status for graylog-aws-plugin

SnazzyBootMan · April 21, 2017, 3:12pm

@jochen - I notice that AWSPluginConfiguration.jsx in v1.3.2 mentions:

help={When enabled, we'll access the AWS APIs through the HTTP proxy configured (http_proxy_uri) in your Graylog configuration file. Important: You might have to restart AWS message inputs for this configuration to take effect.}

So i guess that newer versions of the Plugin can deal with a Proxy (no mention of HTTPS) and that my /etc/environment proxy settings is being ignored. I think I might have to upgrade again to the latest versions.

Topic		Replies	Views
How to use this fix #36 with graylog for multiple AWS accounts? Graylog Add-ons	3	998	August 23, 2017
Cloudtrail integration with Graylog Graylog Central (peer support)	4	1874	February 14, 2018
AWS Cross Account Cloudtrails Parsing Graylog Add-ons	1	840	June 6, 2017
Aws graylog pluging with multiple accounts Graylog Central (peer support)	6	1185	July 16, 2018
AWS Plugin For Graylog Plug-Ins plug-in	0	2367	February 17, 2022

Graylog Plugin AWS

Related topics