
Graylog Open on AWS with Ubuntu

By Greg Goodwin
Published in Logging
June 21, 2022

Graylog Open 4.2 on AWS with Ubuntu

All for around $30 a month.

Part 1: AWS Setup

  • Go to Amazon AWS > EC2 and create a new instance
  • Name your instance
  • Choose Ubuntu AMI
  • Choose Instance Type t3a.medium
  • Create new key pair
  • Edit Network Settings
  • Allow port 22 only to your IP; allow ports 80, 514, 1514 to the world
  • Set 30GB Space
  • Launch Instance

Part 2: Install Graylog

  • SSH into the instance. Here you will need to use the secret key you set up during your instance creation. If you're on Windows, make sure it resides somewhere in the Users/{YourUserName} directories; otherwise you will be continually told you have an unprotected key.
  • Get your SSH connection string
  • Connect using your SSH client of choice; I use PowerShell on Windows
  • Update Ubuntu
    • sudo apt-get update
    • sudo apt-get upgrade
  • Install OpenJDK
    • sudo apt-get update && sudo apt-get upgrade
    • sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
  • Install MongoDB
    • sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 9DA31620334BD75D9DCB49F368818C72E52529D4
    • echo "deb [ arch=amd64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/4.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.0.list
    • sudo apt-get update
    • sudo apt-get install -y mongodb-org
  • Set up MongoDB to Autorun
    • sudo systemctl daemon-reload
    • sudo systemctl enable mongod.service
    • sudo systemctl restart mongod.service
    • sudo systemctl --type=service --state=active | grep mongod
    • sudo systemctl status mongod
  • Install Elasticsearch
    • wget -q https://artifacts.elastic.co/GPG-KEY-elasticsearch -O myKey
    • sudo apt-key add myKey
    • echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
    • sudo apt-get update && sudo apt-get install elasticsearch-oss
  • Modify Elasticsearch Config
    • Run the following four lines as a single command (a heredoc that ends at EOT):
      sudo tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
      cluster.name: graylog
      action.auto_create_index: false
      EOT
  • Start Elasticsearch and Autorun
    • sudo systemctl daemon-reload
    • sudo systemctl enable elasticsearch.service
    • sudo systemctl restart elasticsearch.service
    • sudo systemctl --type=service --state=active | grep elasticsearch
    • sudo systemctl status elasticsearch.service
  • Install Graylog
    • sudo apt-get install apt-transport-https
    • wget https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.deb
    • sudo dpkg -i graylog-4.2-repository_latest.deb
    • sudo apt-get update
    • sudo apt-get update && sudo apt-get install graylog-server graylog-integrations-plugins
  • Configure Graylog
    • pwgen -N 1 -s 96
  • Copy the password this generates
    • Replace secret_key with the password you just copied
    • echo -n secret_key | sha256sum
  • Copy the sha256sum this prints
  • Open the Graylog Config
    • sudo nano /etc/graylog/server/server.conf
    • Paste the first password you generated into the password_secret setting
    • Paste the sha256sum you generated into the root_password_sha2 setting
    • Uncomment http_bind_address and set it to 127.0.0.1:80
    • Ctrl+X, then Y, then Enter to save our changes.
  • Set Graylog to Autorun
    • sudo systemctl daemon-reload
    • sudo systemctl enable graylog-server.service
    • sudo systemctl start graylog-server.service
    • sudo systemctl --type=service --state=active | grep graylog
    • sudo systemctl status graylog-server
  • Allow port 80 through the Ubuntu firewall
    • sudo ufw allow 80
  • Reboot for good measure
    • sudo reboot
    • sudo apt update
    • sudo apt upgrade
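
The "Configure Graylog" and "Open the Graylog Config" steps above can be scripted so that the password being hashed is read from stdin instead of being typed into an echo command, which keeps it out of shell history. This is an added example, not code from the original post; the function names are illustrative, and it assumes GNU sed and a server.conf that already contains password_secret and root_password_sha2 lines.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are illustrative.

# 96-character random value for password_secret: pwgen as in the post, with a
# /dev/urandom fallback for hosts where pwgen is not installed.
gen_secret() {
  if command -v pwgen >/dev/null 2>&1; then
    pwgen -N 1 -s 96
  else
    head -c 256 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 96; echo
  fi
}

# SHA-256 of stdin as bare hex (sha256sum prints "<hex>  -").
sha256_hex() { sha256sum | cut -d' ' -f1; }

# Set "key = value" in the config file, replacing the existing line whether or
# not it is commented out with a leading '#'; append the key if it is absent.
# Values here are alphanumeric or hex, so '|' is a safe sed delimiter.
set_conf() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^#?${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^#?${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >>"$file"
  fi
}

# Write both settings. The admin password is read from stdin, so it is never
# typed as part of a command and does not land in shell history.
configure_graylog() {
  local file=$1 secret=$2 hash
  hash=$(tr -d '\n' | sha256_hex)
  set_conf "$file" password_secret "$secret"
  set_conf "$file" root_password_sha2 "$hash"
}

# On the server, in a root shell with this file sourced (prompt does not echo):
#   read -rsp 'Admin password: ' pw; echo
#   printf '%s' "$pw" | configure_graylog /etc/graylog/server/server.conf "$(gen_secret)"

# Demo on a constructed two-line config: bash <this file> --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp)
  printf '%s\n' 'password_secret =' 'root_password_sha2 =' >"$demo"
  printf 'example-password' | configure_graylog "$demo" "$(gen_secret)"
  cat "$demo"; rm -f "$demo"
fi
```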
