Collector is running but no messages from Linux

I’m getting messages from windows servers but not getting from Linux.
Anyone can give me a workable sample/example of NxLog Collector Configuration for Linux, input configuration and sidecar.yml?
My installed version:
Graylog 4.0.7
Graylog-Sidecar 1.1.0
Thanks for your help.

Hello && Welcome.

Here is an example of a Lab INPUT Using GELF_TCP/TLS

 [root@lab]# grep -v "^#\|^$" nxlog.conf
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Extension _gelf>
    Module      xm_gelf

<Input messages>
    Module       im_file
    FILE         "/var/log/messages"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;

<Output out>
    Module      om_ssl
    Host        domain.come
    Port        51411
    OutputType  GELF_TCP
    CertFile        /var/lib/nxlog/cert/graylog3-certificate.pem
    CertKeyFile     /var/lib/nxlog/cert/graylog3-key.pem
    CAFile          /var/lib/nxlog/cert/cert3.pem
    KeyPass         secret
    AllowUntrusted  true
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();

Path messages => out

Couple of notes:

Check your extension are correct.
Check you nxlog input is correct and if its point to a file make sure permissions on the file are correct.
Meaning that nxlog has access it.
You can run nxlog as root for testing by commenting out two lines.


Insure your nxlog Output Type is correct which should match your nxlog INPUT.
Check if you ROUTE is correct.

If you’re going to use Nxlog I would highly recommend using this for reference.

Hope that helps

Thanks @gsmith
I appreciate your quick reply. I’ll follow your instruction and confirm you.

@gsmith what will be the configuration without TLS?
Thanks for your help.

How do you want to send logs?
Can you show a your setup config for Nxlog?
How did you create your input on Graylog?
Maybe take a look at the link I gave you above , That will help you out a lot.

decompress_size_limit: 8388608
max_message_size: 2097152
number_worker_threads: 8
override_source: <empty>
port: 12201
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
use_null_delimiter: true

This is my GELF-TCP input config for windows. It’s working.

I’m trying to use port:5140 for Linux

You will find your answer here

If I use TLS then do I have to put CertFile, CertKeyFile, and CAFile in all the Linux Machine?

Yes, thats correct as I showed this above.

Thank you.
For GELF-TCP/TLS input config, do I have to fill these with path?

Yes you do. You must make them accessible to Graylog. So, for testing I would high recommend you just place them (certs) in the same directory as you configuration file.

1 Like

Thank you.
I’ll test

I got messages in System/Inputs (Show Received Messages)
But no messages in System/Sidecar (Show messages)

So you can see the messages in the INPUT you created?

Not sure what you mean by that.
With the lack of informantion your showing us I’m unable to help you further.

I can see the messages in the INPUT I created. But don’t see any messages in sidecar.

I’m sorry I know very little about the sidecar, But I do know alot about Nxlog.
Maybe someone else can help you here.

Thanks for your help. I appreciate

1 Like

Do you see messages when you click ‘System > Sidecars’ then click ‘Show messages’??

Which options should I open in sidecar.yml for Linux?

Thanks for your help

Not sure what messages you want to see under “Sidecars”. you could either find them under the INPUT you created or a Global Search.

You will find your answer here.
Sidecar Configuration

Hope that helps