Configuring graylog sidecar log collection

Hi there,

I hate having to resort to posting on the forums looking for help but I’m absolutely stumped and can’t work out where to go from here.

This was all set up on a completely fresh VM running CentOS 7.

I have a file sitting locally on the graylog server; it is updated from an external source every 12 hours. I want to push this into graylog so that I can analyse the messages easily.

I’ve installed graylog sidecar as per the documentation here - https://docs.graylog.org/en/3.3/pages/sidecar.html

I’ve used the default configuration values in the sidecar.yml file and have only edited the config to add my API key and some other host details along with:

# Default: empty list
list_log_files: [/root/Sophos-Central-SIEM-Integration/logs/]

I’ve then disabled and unconfigured the default nxlog service:

$ sudo service nxlog stop
$ sudo chkconfig --del nxlog
$ sudo gpasswd -a nxlog root
$ sudo chown -R nxlog.nxlog /var/spool/nxlog

I have created the GELF_TCP input and I can see that I have an active connection from my sidecar instance:

I have created a new log collector (nxlog_testcollect) by cloning the default nxlog log collector. The parameters are all left as default, and the template has been updated like so (I commented out the syslogExt extension as a test):

define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

#<Extension syslogExt>
#  Module xm_syslog
#</Extension>

User nxlog
Group nxlog

Moduledir /usr/lib/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO


<Input file>
	Module im_file
	File '/root/Sophos-Central-SIEM-Integration/logs/*.txt'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#	Module im_udp
#	Host 127.0.0.1
#	Port 514
#	Exec parse_syslog_bsd();
#</Input>

<Output gelf>
	Module om_tcp
	Host 127.0.0.1
	Port 12201
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>


<Route route-1>
  Path file => gelf
</Route>
#<Route route-2>
#  Path syslog-udp => gelf
#</Route>

I’ve then created a new configuration that uses the nxlog_testcollect collector and is configured like so:

define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

#<Extension syslogExt>
#  Module xm_syslog
#</Extension>

User nxlog
Group nxlog

Moduledir /usr/lib/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO


<Input file>
	Module im_file
	File '/root/Sophos-Central-SIEM-Integration/logs/*.txt'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#	Module im_udp
#	Host 127.0.0.1
#	Port 514
#	Exec parse_syslog_bsd();
#</Input>

<Output gelf>
	Module om_tcp
	Host 127.0.0.1
	Port 12201
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = '${sidecar.nodeId}';
	  $collector_node_id = '${sidecar.nodeName}';
	</Exec>
</Output>


<Route route-1>
  Path file => gelf
</Route>
#<Route route-2>
#  Path syslog-udp => gelf
#</Route>

I’ve then assigned this collector and configuration to my sidecar instance, and this is running:

Looking at my sidecar instance I can see the files that I want to process:

But I get no messages coming through:

I’m stumped, I really feel like I’ve missed some critical bit somewhere, but I’m not sure where.

Any help to point me in the right direction would be greatly appreciated.

Apologies about the multiple replies, I’m only able to post one embedded link as I’m a new user.

Thanks.

Directory /root, where you have your logs, is by default probably readable only by the owner (root), rwx------, so user nxlog can’t read it. Please move your logs to another directory if you can, or change the group ownership of directory /root.
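A way to verify the permission point above against the im_file pattern from the first post, before moving files or loosening modes: this script is added here and is not from the thread, from nxlog or from Graylog. It emulates the Unix mode check for a given uid/gid set along every directory component of the File pattern, then checks the directory is listable (the wildcard needs that) and each matched file is readable; `ids_for` resolves a local account such as nxlog, and `run_demo` builds a constructed temp tree with a 0700 parent directory like /root.

```python
import glob, grp, os, pwd, shutil, stat, tempfile

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    # Unix rule: owner bits if uid owns the entry, else group bits if gid matches, else other bits.
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    return bool(st.st_mode & (group_bit if st.st_gid in gids else other_bit))

def ids_for(username):
    """uid and all gids (primary + supplementary) of a local account such as nxlog."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def check_im_file_access(pattern, uid, gids):
    """List reasons an im_file input running as uid/gids would deliver nothing for `pattern`."""
    base = os.path.dirname(os.path.abspath(pattern))
    parts = base.split(os.sep)                       # "/root/x/logs" -> ["", "root", "x", "logs"]
    chain = [os.sep] + [os.sep.join(parts[:i + 1]) for i in range(1, len(parts))]
    for d in chain:                                  # every component needs the search (x) bit
        if not os.path.isdir(d):
            return [f"{d}: does not exist"]
        st = os.stat(d)
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return [f"{d}: not searchable for uid {uid} ({stat.filemode(st.st_mode)}, owner uid {st.st_uid})"]
    problems = []
    if not _allowed(os.stat(base), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"{base}: not listable, so the wildcard cannot expand")
    matches = glob.glob(pattern)
    if not matches:
        problems.append(f"{pattern}: matches no files (check the extension in the File directive)")
    for f in matches:
        st = os.stat(f)
        if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
            problems.append(f"{f}: not readable ({stat.filemode(st.st_mode)}, owner uid {st.st_uid})")
    return problems

def run_demo():
    """Constructed tree like the thread's: logs under a 0700 directory. Returns (before, after)."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    with open(os.path.join(logs, "events.txt"), "w") as fh:
        fh.write("constructed sample line\n")
    os.chmod(root, 0o700); os.chmod(logs, 0o755); os.chmod(os.path.join(logs, "events.txt"), 0o644)
    other = os.getuid() + 1                           # a uid that is not the owner, standing in for nxlog
    before = check_im_file_access(os.path.join(logs, "*.txt"), other, set())
    os.chmod(root, 0o711)                             # grant search only; the directory stays private
    after = check_im_file_access(os.path.join(logs, "*.txt"), other, set())
    shutil.rmtree(root)
    return before, after
```

On the real host the call is `check_im_file_access('/root/Sophos-Central-SIEM-Integration/logs/*.txt', *ids_for('nxlog'))`. A separate caveat for a file refreshed only every 12 hours: with SavePos True and ReadFromLast True and no saved position yet, im_file starts at the end of each file, so lines already present when nxlog first starts are never sent and only lines appended afterwards arrive.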

Hi Shoothub,

Thanks for the suggestion, I’ve moved it over to /var/log and even gone as far as to give it full 777 access, but still, no dice and no messages through my input.

Has anyone else been able to get this bit working with nxlog? I was hoping with fresh eyes I’d spot something obvious, but I’m starting to question my sanity.

Thanks again.

This has to be something to do with NXlog but I’m not sure where.

I’ve just installed filebeat and configured the input and sidecar, and I’ve got my messages in straight away. Not sure what I missed, but if anyone else has the same issues I would suggest looking at using filebeat; it worked right away.
