Hello:
Anyone can help me how to write a sidecar config template for Auditbeat ( Windows )
Binaries are installed on c:\Program Files\Auditbeat
Sidecar is installed c:\Program files\graylog\sidecar
I can’t get it to work config fails
Also if you can provide a link with a better explanation of how to write this template.
I have Winlogbeat running perfectly with the config file provided by sidecar.
I will appreciate it
jc
nothing??
a mute community?
he @juanquy
I guess that nobody that is active in this community has done that before - or is allowed to share his solution.
Jan
Probably you have error in your auditbeat config file. First check official documentation:
https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-configuration.html
https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-howto-auditbeat.html
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html
I checked google and find this interesting article, hope it helps:
Maybe a miss understands, what I need is help understanding how to do a “New Collector Configuration”, is this new config, based on the auditbeat yml config file?
why this?
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
I can’t find a page in the manual to explain it.
Probably you didn’t read manual carefully. Did you?
https://docs.graylog.org/en/3.1/pages/sidecar.html#adopt-configuration-to-graylog-3-0
https://docs.graylog.org/en/3.1/pages/sidecar.html#runtime-variables
And this is the failing code:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["192.168.1.1:5044"]
auditbeat.modules:
- module: file_integrity
paths:
- C:/windows
- C:/windows/system32
- C:/Program Files
- C:/Program Files (x86)
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- process # Started and stopped processes
state.period: 12
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
regards
jc
-
Please check, that your generated auditbeat config file syntax using this command:
auditbeat test config PATH_TO_CONFIG_FILE.yml
https://www.elastic.co/guide/en/beats/auditbeat/current/command-line-options.html#test-command -
you included a lot of auditbeat modules. I will probably start with one, if it works, continue with another. This way, you can discover problem easily.
-
Your path in paths parameter contains spaces, but you don’t wrapped it to quote mark:
https://www.elastic.co/guide/en/beats/filebeat/7.4/yaml-tips.html#wrap-paths-in-quotes
Thanks bro: and yes I did read it and the manual still confusing
I included only 2 modules,
- module: file_integrity
- module: system
The file generated by "New Collector Config " GUI is saved by the sidecar on
c:\Program Files\Graylog\sidecar\generated\beatName.conf
not a yml , so how I can check syntax?
The other yml I have is the original that came with Auditbeat install but I thought New sidecar only needs the binaries, sidecar use the config file we generate in the GUI. right?
I had wanted to see if I could get this going - a good morning challenge. Here is the working config I modified off the one you posted. Simple troubleshooting: under sidecar overview, click on the client, then hover your mouse over the failed beat and it will give a comment about what it doesn’t like.
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: [${user.BeatsInput}]
path: #missing
data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data #missing
logs: C:\Program Files\Graylog\sidecar\logs #missing
tags:
- windows #added
- auditbeat #added
auditbeat.modules:
- module: file_integrity
paths:
- C:/windows
- C:/windows/system32
- C:/Program Files
- C:/Program Files (x86)
- module: system
datasets:
- host # General host information, e.g. uptime, IPs
- process # Started and stopped processes
# - login #!!linux only
state.period: 12
user.detect_password_changes: true #added
#processors: #Commented out
# - add_host_metadata: ~ #Commented out
# - add_cloud_metadata: ~ #Commented out
Thank you for the advice!
click on the client, then hover your mouse over the failed beat and it will give a comment about what it doesn’t like.
So here you sending to put the data in the winlogbeat directory, that directory is already created by sidecar winlog collector, do I should manuall create a new directory for Auditbeat?
path: #missing
data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data #missing
logs: C:\Program Files\Graylog\sidecar\logs #missing
so path will be more like:
path:
data: C:\Program Files\Graylog\sidecar\cache\auditbeat\data
logs: C:\Program Files\Graylog\sidecar\logs
having a data path that uses auditbeat rather than winlogbeat would technically be correct but it didn’t seem to make a difference… you end up with the same stuff you don’t touch existing twice. You don’t have to make the directory, the configuration is smart enough to make the new path.
On a side note - others have mentioned that (lack of) indentation can cause issues… and it makes readability better…
