Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!
1. Describe your incident:
Identical Sidecar.yml configs with identical Sidecar Collector config on different VMs with simiar OS (Windows Server 2019 Datacenter and Windows Server 2016 Datacenter) but with different sidecar versions (1.2 works as expected, 1.4 fails) produce different results. Specifically, one works, the other doesn’t. Error output is as follows:
Couldn't execute collector C:\Program Files\PacketBeat\packetbeat.exe [C:\Program Files\Packetbeat\packetbeat.exe], binary path is not included in `collector_binaries_accesslist' config option.
2. Describe your environment:
-
OS Information:
Windows Server 2016 Datacenter → works as expected
Windows Server 2019 Datacenter → fails -
Package Version:
1.2 (on 2016) → works as expected
1.4 (on 2019) → fails
Server: Graylog 5.0
- Service logs, configurations, and environment variables:
Sidecar Config:
# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://redacted/api"
# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "redacted"
# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""
# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10
# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: true
# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true
# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
# list_log_files:
# - "/var/log/nginx"
# - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []
# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"
# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"
# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"
# The maximum number of old log files to retain.
#log_rotate_keep_files: 10
# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"
# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the access list feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
# collector_binaries_accesslist:
# - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
# - "C:\\Program Files\\Filebeat\\filebeat.exe"
#
# Example disable access listing:
# collector_binaries_accesslist: []
#
# Default:
collector_binaries_accesslist:
# - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
- "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
# - "C:\\Program Files\\Filebeat\\filebeat.exe"
- "C:\\Program Files\\Packetbeat\\packetbeat.exe"
# - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
# - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
# - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
# - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"
backends:
- name: winlogbeat
enabled: true
binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.conf
- name: packetbeat
enabled: true
binary_path: C:\Program Files\PacketBeat\packetbeat.exe
configuration_path: C:\Program Files\Graylog\sidecar\generated\packetbeat.conf
Collector Config:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
hosts: ["redacted"]
path:
data: C:\Program Files\Graylog\sidecar\cache\packetbeat\data
logs: C:\Program Files\Graylog\sidecar\logs
tags:
- windows
packetbeat.interfaces:
device: 0
packetbeat.protocols:
dns:
ports: [53,5335]
include authorities: true
include additionals: true
icmp:
enabled: true
dhcpv4:
ports: [67,68]
http:
ports: [80,8080,8000,5000,8002]
tls:
ports: [443,993,995,5223,8443,8883,9243]
Master Collector Config:
3. What steps have you already taken to try and solve the problem?
Multiple configurations; google-foo
4. How can the community help?
Just some solid insight
Thank you!
Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]