Hi All,
I have installed Graylog 2.3.1 on Ubuntu 16.04 and configured a Beats input in Graylog as below:
bind_address: 0.0.0.0
override_source: <empty>
port: 5045
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog/server/graylog-certificate.pem
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/server/graylogkey.pem
On my client Windows machine I have installed Graylog Collector Sidecar and made the changes below in the .yml file:
server_url: https://devserver.com:9002/api
update_interval: 30
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:C:\Program Files\Graylog-Collector-Sidecar\agent\collector-id
cache_path: C:\Program Files\Graylog-Collector-Sidecar\agent\cache
log_path: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
  - name: nxlog
    enabled: false
    binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
    configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\nxlog.conf
  - name: winlogbeat
    enabled: true
    binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\winlogbeat.exe
    configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\winlogbeat.yml
  - name: filebeat
    enabled: false
    binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\filebeat.exe
    configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\filebeat.yml
After I started the collector sidecar, below is the response I could see in my collector_sidecar.log file:
time="2018-02-14T10:54:11+05:30" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file."
time="2018-02-14T10:54:12+05:30" level=info msg="[winlogbeat] Stopping"
time="2018-02-14T10:54:15+05:30" level=info msg="[winlogbeat] Starting (exec driver)"
Below is the response when I checked the winlogbeat log file,
2018-02-14T11:12:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:42:46.1499282Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"18m30.1109981s","uptime_ms":"1110110998"}
2018-02-14T11:12:57+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:13:16+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:43:16.1492162Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m0.1102861s","uptime_ms":"1140110286"}
2018-02-14T11:13:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:43:46.1497756Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m30.1108455s","uptime_ms":"1170110845"}
2018-02-14T11:14:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:44:16.1494677Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m0.1105376s","uptime_ms":"1200110537"}
2018-02-14T11:14:19+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:14:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:44:46.1494595Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m30.1105294s","uptime_ms":"1230110529"}
2018-02-14T11:15:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:45:16.1499364Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m0.1110063s","uptime_ms":"1260111006"}
2018-02-14T11:15:41+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:15:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:45:46.1496704Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m30.1107403s","uptime_ms":"1290110740"}
Generated winlogbeat.yml file,
fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: d6e8f47e-8e18-4a4a-8ec6-0e7e4e1563a1
output:
  logstash:
    hosts:
    - devserver.com:5045
    ssl:
      certificate: D:\certs\graylog-certificate.pem
      key: D:\certs\graylogkey.pem
      verification_mode: none
path:
  data: C:\Program Files\Graylog-Collector-Sidecar\agent\cache\winlogbeat\data
  logs: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
tags:
- windows
winlogbeat:
  event_logs:
  - name: Application
  - name: System
  - name: Security
I have given the same certificates in both the input and the client output configuration. I am not using the certificate in the right way and I am doing something wrong.
Please share your thoughts and correct me; it would be very helpful.
Regards,
Ganeshbabu R