I'm getting messages from Windows servers but not from Linux.
Can anyone give me a workable sample/example of an NxLog collector configuration for Linux, the input configuration, and sidecar.yml?
My installed version:
Graylog 4.0.7
Graylog-Sidecar 1.1.0
Thanks for your help.
Hello && Welcome.
Here is an example of a lab INPUT using GELF_TCP/TLS.
nxlog.conf:
```
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

# GELF encoder required by OutputType GELF_TCP in the output below
<Extension _gelf>
    Module xm_gelf
</Extension>

# Tail /var/log/messages; the nxlog user must be able to read this file
<Input messages>
    Module im_file
    File "/var/log/messages"
    SavePos TRUE
    ReadFromLast TRUE
    PollInterval 1
    Exec $Message = $raw_event;
</Input>

# GELF over TLS to the Graylog GELF TCP input (tls_enable: true on the input)
<Output out>
    Module om_ssl
    Host domain.come
    Port 51411
    OutputType GELF_TCP
    CertFile /var/lib/nxlog/cert/graylog3-certificate.pem
    CertKeyFile /var/lib/nxlog/cert/graylog3-key.pem
    CAFile /var/lib/nxlog/cert/cert3.pem
    KeyPass secret
    # AllowUntrusted disables verification of the server certificate; lab use only
    AllowUntrusted true
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>

<Route>
    Path messages => out
</Route>
```
A couple of notes:
Check your extensions are correct.
Check your nxlog input is correct and, if it points to a file, make sure the permissions on the file are correct, meaning that nxlog has access to it.
You can run nxlog as root for testing by commenting out two lines:
nxlog_user:
nxlog_group:
Ensure your nxlog Output Type is correct, which should match your nxlog INPUT.
Check if your ROUTE is correct.
If you’re going to use Nxlog I would highly recommend using this for reference.
Hope that helps
Thanks @gsmith
I appreciate your quick reply. I'll follow your instructions and confirm with you.
@gsmith what will be the configuration without TLS?
Thanks for your help.
How do you want to send logs?
Can you show your setup config for Nxlog?
How did you create your input on Graylog?
Maybe take a look at the link I gave you above; that will help you out a lot.
```
bind_address: 0.0.0.0
decompress_size_limit: 8388608
max_message_size: 2097152
number_worker_threads: 8
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********
use_null_delimiter: true
```
This is my GELF-TCP input config for Windows. It's working.
I'm trying to use port 5140 for Linux.
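The thread never spells out the non-TLS variant that was asked for. For a GELF TCP input like the one above (tls_enable: false), the nxlog output uses `om_tcp` instead of `om_ssl`, keeps `OutputType GELF_TCP`, and drops the CertFile, CertKeyFile, CAFile, KeyPass and AllowUntrusted lines. The other thing that input config tells you is `use_null_delimiter: true`: Graylog expects each GELF document on the TCP stream to be terminated by a NUL byte, and a client that sends newline-delimited JSON will produce nothing in "Show received messages". The following is an added example, not code from the thread, Graylog or NxLog: it builds a correctly framed GELF 1.1 message, can send it to a plaintext GELF TCP input to prove the input and the network path work independently of nxlog, and includes the receiver-side re-assembly so you can see how the NUL framing survives TCP splitting messages across reads. The host `127.0.0.1`, port `12201`, the hostname `lab.example.test` and the message text are assumed values.

```python
"""GELF over TCP framing check for a Graylog GELF TCP input (use_null_delimiter: true).

Added example, not Graylog or NxLog code: builds a GELF 1.1 message, frames it
with the trailing NUL byte the input expects, sends it to a plaintext input, and
re-assembles messages from a raw TCP byte stream the way a receiver must.
"""
import json
import socket
import time

# With use_null_delimiter: true, the Graylog GELF TCP input splits the stream
# on NUL bytes; a raw NUL can never occur inside JSON text, so it is unambiguous.
DELIMITER = b"\x00"


def build_gelf(short_message, host, level=6, full_message=None, **extra):
    """Return one GELF 1.1 message as bytes, NUL-terminated for the TCP input.

    Additional fields must start with an underscore (added here if missing);
    '_id' is reserved by GELF/Graylog and is refused.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key in ("id", "_id"):
            raise ValueError("'_id' is reserved by GELF/Graylog")
        msg[key if key.startswith("_") else "_" + key] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + DELIMITER


class GelfStreamParser:
    """Re-assemble NUL-delimited GELF messages from a TCP byte stream.

    TCP carries no message boundaries: one recv() may hold half a message or
    several, so bytes are buffered until a delimiter arrives.
    """

    def __init__(self):
        self._buf = b""

    def feed(self, data):
        """Consume bytes; return the list of complete, decoded messages."""
        self._buf += data
        out = []
        while True:
            idx = self._buf.find(DELIMITER)
            if idx < 0:
                break
            raw, self._buf = self._buf[:idx], self._buf[idx + 1:]
            if raw:  # skip empty frames such as a doubled delimiter
                out.append(json.loads(raw.decode("utf-8")))
        return out

    def pending(self):
        """Number of bytes of an incomplete message still buffered."""
        return len(self._buf)


def send_gelf(host, port, frames, timeout=5.0):
    """Send already-framed GELF messages to a plaintext GELF TCP input.

    Returns the number of bytes written. For an input with tls_enable: true,
    wrap the socket with ssl.SSLContext.wrap_socket() before sending.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        payload = b"".join(frames)
        sock.sendall(payload)
        return len(payload)


if __name__ == "__main__":
    # Assumed Graylog address and input port; constructed test message.
    frame = build_gelf("nxlog test from linux", "lab.example.test", facility="test")
    print(send_gelf("127.0.0.1", 12201, [frame]), "bytes sent")
```

If the message shows up under the input's "Show received messages" but nothing from nxlog does, the input is fine and the problem is on the nxlog side (file permissions, the route, or the output module); if even this message is missing, check the bind address, port and firewall first.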
You will find your answer here
If I use TLS then do I have to put CertFile, CertKeyFile, and CAFile in all the Linux Machine?
Yes, that's correct, as I showed above.
Thank you.
For GELF-TCP/TLS input config, do I have to fill these with path?
tls_cert_file:
tls_client_auth_cert_file:
tls_key_file:
Yes you do. You must make them accessible to Graylog. So, for testing I would highly recommend you just place them (the certs) in the same directory as your configuration file.
Thank you.
I’ll test
I got messages in System/Inputs (Show Received Messages)
But no messages in System/Sidecar (Show messages)
So you can see the messages in the INPUT you created?
Not sure what you mean by that.
With the lack of information you're showing us, I'm unable to help you further.
I can see the messages in the INPUT I created. But don’t see any messages in sidecar.
I'm sorry, I know very little about the sidecar, but I do know a lot about Nxlog.
Maybe someone else can help you here.
Thanks for your help. I appreciate
@gsmith
Do you see messages when you click 'System > Sidecars' then click 'Show messages'?
@gsmith
Which options should I open in sidecar.yml for Linux?
Thanks for your help
Not sure what messages you want to see under "Sidecars". You could either find them under the INPUT you created or in a Global Search.
You will find your answer here.
Sidecar Configuration
Hope that helps