Previously I have installed several instances of Graylog Sidecar 1.5.1 on Linux systems (Ubuntu Server 24.04) where everything was fine - both auditbeat and filebeat were running and sending messages to Graylog.
However, when I installed two Linux servers (Ubuntu Server 24.04) yesterday with Graylog Sidecar 1.5.1 and the mentioned beats, the sidecar agents appeared in Graylog but there were no messages in any streams.
I have compared configuration files and saw no difference between a working server and these ones. For a clean-up I wanted to have the sidecars connected to the non-working servers removed from Graylog, so I turned off one of the servers; however, in the Graylog web UI the sidecar is still present and shows that auditbeat is running.
This is interesting, so the lvc-src-reptest host is currently not powered on and that is reflected by the inactive status but Graylog is still seeing auditbeat as running?
What happens if you try to stop the process from within the Graylog UI?
Hey!
Yes. The host was not powered on, but it seemed like auditbeat was running (at least on the UI). I was not able to stop the collector from the UI - even after clicking stop it stated that the beat was running. Yesterday I did a clean beat and sidecar agent install on the server, and eventually the agent with this issue timed out. I think what happened is when I installed the new instance the older stopped working and it eventually timed out. This behaviour is interesting still and it’s the second time something similar happened in our infrastructure.
You can alter the time to clear the entry from the MongoDB collection under system/configuration/Sidecars, although I’m not sure in this instance that would help.