Collector sidecare not getting logs

Amine-elhijazi · April 3, 2018, 4:05pm

good morning everyone !
I have two question :
1.
well , i configured my collector sidecar using filebeat , but still i’m not able to get messages :

but i can’t recive logs :
the config files :
collector_sidecare.yml :

server_url: http://192.168.111.132:9000/api/
update_interval: 30
tls_skip_verify: false
send_status: true
list_log_file:
node_id: graylog-collector-sidecar
collector_id: file:/etc/graylog/collector-sidecar/collector-id
cache_path: /var/cache/graylog/collector-sidecar
log_path: /var/log/graylog/collector-sidecar
log_rotation_time: 86400
log_max_age: 604800
tags:
- linux
- apache
backends:
- name: nxlog
enabled: false
binary_path: /usr/bin/nxlog
configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
- name: filebeat
enabled: true
binary_path: /usr/bin/filebeat
configuration_path: /etc/graylog/collector-sidecar/generated/filebeat.yml
~

the filebeat.yml

filebeat:
prospectors:

encoding: utf-8
exclude_files:
fields:
collector_node_id: graylog-collector-sidecar
gl2_source_collector: 31cc46a3-d77f-4566-a0d7-64f4e075b82b
type: log
ignore_older: 0
paths:

/var/log/*.log
scan_frequency: 10s
tail_files: true
type: log
output:
logstash:
hosts:

192.168.111.132:5044
path:
data: /var/cache/graylog/collector-sidecar/filebeat/data
logs: /var/log/graylog/collector-sidecar
tags:

linux

apache
my imput conf

2.question

Is it possible to use UDP with collector ?
and can we crypt the traffic using only udp ?
Thank you everyone for your help

Amine-elhijazi · April 4, 2018, 8:43am

the content of the log file of raylog server :

2018-04-04T09:37:59.350+01:00 WARN [Messages] Failed to index message: index=<graylog_0> id=<7a78a170-37e3-11e8-8085-000c290eb38e> error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Can’t parse [index] value [not_analyzed] for field [sourcipadd], expected [true] or [false]”}}>
2018-04-04T09:37:59.350+01:00 WARN [Messages] Failed to index message: index=<graylog_0> id=<7a78a172-37e3-11e8-8085-000c290eb38e> error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Can’t parse [index] value [not_analyzed] for field [sourcipadd], expected [true] or [false]”}}>
2018-04-04T09:37:59.350+01:00 ERROR [Messages] Failed to index [8] messages. Please check the index error log in your web interface for the reason. Error: One or more of the items in the Bulk request failed, check BulkResult.getItems() for more information.
2018-04-04T09:38:01.190+01:00 WARN [Messages] Failed to index message: index=<graylog_0> id=<7b606960-37e3-11e8-8085-000c290eb38e> error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Can’t parse [index] value [not_analyzed] for field [sourcipadd], expected [true] or [false]”}}>
2018-04-04T09:38:01.190+01:00 ERROR [Messages] Failed to index [1] messages. Please check the index error log in your web interface for the reason. Error: One or more of the items in the Bulk request failed, check BulkResult.getItems() for more information.
2018-04-04T09:38:02.913+01:00 WARN [Messages] Failed to index message: index=<graylog_0> id=<7cb7e312-37e3-11e8-8085-000c290eb38e> error=<{“type”:“mapper_parsing_exception”,“reason”:“failed to parse”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Can’t parse [index] value [not_analyzed] for field [test1], expected [true] or [false]”}}>
2018-04-04T09:38:02.956+01:00 ERROR [Messages] Failed to index [1] messages. Please check the index error log in your web interface for the reason. Error: One or more of the items in the Bulk request failed, check BulkResult.getItems() for more information.

Amine-elhijazi · April 4, 2018, 9:00am

jochen · April 4, 2018, 10:29am

Try rotating the write-active index (via System / Indices / Index Set / Maintenance).

Amine-elhijazi · April 4, 2018, 10:47am

i think the probleme had to do with maping
but i can’t figure it out
i’m always using syslog in my graylog , so the maping form should be as syslog format ? now i’m trying to get filebeat format to the index and it’s not working ?
shall i creat a new index ?

i m trying your solution and i ll came back with result thank you very much Jochen !

Amine-elhijazi · April 4, 2018, 10:50am

maaaaaaaaaaaaaagiiiiiiiiic thank you it’s working if you can just eplain to me what was the probléme and what write-active index does to my solution !

thank you Jochen you make graylog sound easy

system · April 18, 2018, 10:57am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog collector dont send any data Graylog Central (peer support) sidecar , nxlog , filebeat-linux , nodatanx , nosendlogfblx	1	817	November 13, 2018
Sidecar confusion Graylog Central (peer support) sidecar , nxlog , multi-linenx	2	1740	December 6, 2017
Not getting data on Collector-Sidecar Graylog Central (peer support) sidecar , filebeat-linux	2	1240	April 21, 2017
Graylog backend not starting Graylog Central (peer support) sidecar , filebeat-linux , nosendlogfblx , failoadcongfigfblx	2	1288	March 28, 2018
Not able to view multiple logs with collector filebeat configuration Graylog Central (peer support) sidecar , nxlog , filebeat-linux , nodatanx , nosendlogfblx	2	850	August 21, 2018

Collector sidecare not getting logs

Related topics