Binary path is not included in `collector binaries accesslist' config option


1. Describe your incident:
Identical Sidecar.yml configs with identical Sidecar Collector config on different VMs with similar OS (Windows Server 2019 Datacenter and Windows Server 2016 Datacenter) but with different sidecar versions (1.2 works as expected, 1.4 fails) produce different results. Specifically, one works, the other doesn’t. Error output is as follows:

Couldn't execute collector C:\Program Files\PacketBeat\packetbeat.exe [C:\Program Files\Packetbeat\packetbeat.exe], binary path is not included in `collector_binaries_accesslist' config option. 

2. Describe your environment:

  • OS Information:
    Windows Server 2016 Datacenter → works as expected
    Windows Server 2019 Datacenter → fails

  • Package Version:
    1.2 (on 2016) → works as expected
    1.4 (on 2019) → fails

Server: Graylog 5.0

  • Service logs, configurations, and environment variables:
    Sidecar Config:
# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://redacted/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "redacted"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""

# The update interval in seconds. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: true

# This enables/disables the transmission of detailed sidecar information like
# collector statuses, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the access list feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
#     collector_binaries_accesslist:
#       - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#       - "C:\\Program Files\\Filebeat\\filebeat.exe"
#
# Example disable access listing:
#     collector_binaries_accesslist: []
#
# Default:
collector_binaries_accesslist:
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"
backends:    
   - name: winlogbeat      
     enabled: true      
     binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe      
     configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.conf
   - name: packetbeat      
     enabled: true      
     binary_path: C:\Program Files\PacketBeat\packetbeat.exe      
     configuration_path: C:\Program Files\Graylog\sidecar\generated\packetbeat.conf

Collector Config:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["redacted"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\packetbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
packetbeat.interfaces:
 device: 0
packetbeat.protocols:
  dns:
    ports: [53,5335]
    include authorities: true
    include additionals: true
  icmp:
    enabled: true
  dhcpv4:
    ports: [67,68]
  http:
    ports: [80,8080,8000,5000,8002]
  tls:
    ports: [443,993,995,5223,8443,8883,9243]

Master Collector Config:

3. What steps have you already taken to try and solve the problem?

Multiple configurations; google-foo

4. How can the community help?
Just some solid insight :slight_smile:
Thank you!


Hey @accidentaladmin

Just heads up, I have a few 2019 MS servers in my lab. I'm going to test this out.

@accidentaladmin

I was struggling for about an hour, I think I resolved this issue.
Not sure how you install PacketBeat but I used the EXE file downloaded from here

As you can see below it created a Folder called Elastic in my “Program Files”.

Ran through the setup.

Next, created the config for packetbeat. BTW, I used your configuration above, it worked great :+1:

Once completed I attached it to my Windows Server 2019 (veeam).

My Graylog sidecar configuration: I made it simple for testing/troubleshooting because I was receiving the same errors and having the same issues as yourself.

# Example disable access listing:
#     collector_binaries_accesslist: []
#
# Default:
collector_binaries_accesslist:
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
- "C:\\Program Files\\Elastic\\Beats\\8.6.2\\packetbeat\\packetbeat.exe"
# - "C:\\Program Files\\Elastic\\Beats\\8.6.2\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"

Don't know if you know this, but the configuration is case sensitive.

results:

EDIT: Note, I did have permission issues, pretty easy to resolve on Windows.

Hope that helps
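The reply above notes that access-list entries are case sensitive, and the sidecar.yml comment points to Go's filepath.Match for the pattern syntax. As an added example (not Sidecar's own code and not from either poster), this pre-deployment check compares each backend's `binary_path` against `collector_binaries_accesslist` and flags entries that would match only if letter case were ignored. The names `norm` and `checkBinary` are hypothetical, and normalizing `\` to `/` and using `path.Match` is an assumption made so the check behaves the same on any OS.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// norm converts Windows separators to "/" so path.Match treats "\" as a
// separator rather than an escape character on every OS (assumption made
// for this example; Sidecar on Windows matches native paths).
func norm(p string) string { return strings.ReplaceAll(p, `\`, "/") }

// checkBinary returns "allowed", "case-mismatch" (a pattern matches only
// when letter case is ignored) or "denied".
func checkBinary(binary string, accesslist []string) string {
	if len(accesslist) == 0 {
		return "allowed" // an empty list disables the access list feature
	}
	verdict := "denied"
	for _, pattern := range accesslist {
		if ok, err := path.Match(norm(pattern), norm(binary)); err == nil && ok {
			return "allowed"
		}
		// Heuristic second pass: lower-case both sides to detect a near miss.
		lp, lb := strings.ToLower(norm(pattern)), strings.ToLower(norm(binary))
		if ok, err := path.Match(lp, lb); err == nil && ok {
			verdict = "case-mismatch"
		}
	}
	return verdict
}

func main() {
	// Values copied from the sidecar.yml posted in this thread.
	accesslist := []string{
		`C:\Program Files\Graylog\sidecar\winlogbeat.exe`,
		`C:\Program Files\Packetbeat\packetbeat.exe`,
	}
	backends := map[string]string{
		"winlogbeat": `C:\Program Files\Graylog\sidecar\winlogbeat.exe`,
		"packetbeat": `C:\Program Files\PacketBeat\packetbeat.exe`,
	}
	for name, bin := range backends {
		fmt.Printf("%-10s %-13s %s\n", name, checkBinary(bin, accesslist), bin)
	}
}
```

A `case-mismatch` verdict means the access-list entry and the backend path should be made to agree with the directory name as it exists on disk, rather than widening the list with a broad wildcard.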

As always, your assistance has been invaluable. Your suggested solution of installing via .msi (I think that's what you suggested) did not work on my server (it actually only installed config files, no .exe. Probably a GPO thing). However, it did lead me to what maybe I should have thought to do from the get-go: Uninstall / Reinstall.

Abracadabra, it works.

You rock!

1 Like


Always good to help you @accidentaladmin

1 Like
