Docker Windows Container with Graylog Sidecar and Fluentd - Anyone with a successful story?

1. Describe your incident:
I’m trying to create a Windows Container with Graylog Sidecar and Fluentd, but when I run the container, I receive this message in the log:

level=fatal msg="The service process could not connect to the service controller."

2. Describe your environment:

  • OS Information:
    Microsoft Artifact Registry base docker image

  • Package Version:
    1.1.0-1 exe file, installed inside the Docker image with the /S parameter

  • Service logs, configurations, and environment variables:
    sidecar log:

time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_SERVER_URL}' with 'https://redacted/api/'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_SERVER_API_TOKEN}' with 'redacted'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_UPDATE_INTERVAL}' with '10'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_TLS_SKIP_VERIFY}' with 'true'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_SEND_STATUS}' with 'true'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_LIST_LOG_FILES}' with ''"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_NODE_ID}' with 'Fluentd-Windows-Docker'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_NODE_NAME}' with 'windows-fluentd-docker'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_COLLECTOR_ID}' with ''"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_LOG_ROTATION_TIME}' with '86400'"
time="2022-04-26T00:59:22-03:00" level=info msg="[ConfigFile] Replacing config environment variable '${GS_LOG_MAX_AGE}' with '604800'"
time="2022-04-26T00:59:22-03:00" level=info msg="Using node-id: Fluentd-Windows-Docker"
time="2022-04-26T00:59:22-03:00" level=fatal msg="The service process could not connect to the service controller."

3. What steps have you already taken to try and solve the problem?
Tried to play with different kinds of configurations, like different entrypoints (first powershell or cmd, followed by a bat script that runs the graylog-sidecar executable with -c to point to the sidecar.yml config, or directly the graylog-sidecar executable as the entrypoint with -c to point to the sidecar.yml config), with no luck.

4. How can the community help?
Has anybody tried to use Graylog Sidecar inside a Windows Docker Container with success? The idea here is to use Fluentd's newest input, in_windows_eventlog2, which can collect Windows Event Logs remotely, so I can do it from inside a Docker Container, controlling the versioning with Docker and the configuration with Graylog Sidecar.

Thanks in advance for your help.
Regards,
Alejandro

Reading about this in other technologies, I think maybe it is related to this:

Collector doesn’t start in Windows Docker containers

The process might fail to start in a custom built, Windows-based Docker container, resulting in a “The service process could not connect to the service controller.” error message.

In this case, the NO_WINDOWS_SERVICE=1 environment variable must be set to force the Splunk OpenTelemetry Collector to start as if it were running in an interactive terminal, without attempting to run as a Windows service.

Does somebody know if there is a similar environment variable for Graylog Sidecar, like the mentioned NO_WINDOWS_SERVICE?

Thanks in advance.
Regards,
Alejandro

Hello @aguida79

Started using Docker a few months ago but unfortunately I have not created a container for Windows.

I was going to mock this up in my lab to find out how this works, but the link you posted showed this.

By chance, what does your .yml file look like? The reason I ask was this in your logs.

Correct me if I’m wrong but I would assume it should have looked like this.

GRAYLOG_SERVER_API_TOKEN

I do have a question with this. If your Windows container is functioning is there access using like RDP, or something similar?
If so, then can you log on to this Windows node and download Graylog Sidecar from the Web UI?

Hi @gsmith , how are you?

Windows Containers are really different from Linux Containers in how they work, in many ways (in a bad way, :frowning: )

About your question of GS_X environment variables, I think they refer to Graylog Sidecar, and that is the reason. For instance, on Linux Containers they are working right.

The Windows container image that I'm using, which is servercore:ltsc2019, I think doesn't have an RDP option, but I didn't review that. Anyway, it is not common to access a container using RDP or SSH; you commonly access it using "docker exec".

I’m doing the installation of the Graylog Sidecar and Fluentd binary with a Dockerfile. Here is the file:

# Base image reference reconstructed from the discussion above: servercore:ltsc2019
# from the Microsoft Artifact Registry.
FROM mcr.microsoft.com/windows/servercore:ltsc2019
LABEL maintainer="Alejandro redacted@redacted"
# One ENV per line avoids Windows path/backslash line-continuation issues.
ENV GS_SERVER_URL="https://redacted/api/"
ENV GS_SERVER_API_TOKEN="redacted"
ENV GS_NODE_ID="Fluentd-Windows-RemoteCollector"
ENV GS_NODE_NAME="redacted"
ENV GS_UPDATE_INTERVAL=10
ENV GS_SEND_STATUS="true"
# Disables TLS certificate verification towards the Graylog API; only for lab use.
ENV GS_TLS_SKIP_VERIFY="true"
ENV GS_LIST_LOG_FILES=""
ENV GS_LOG_ROTATION_TIME=86400
ENV GS_LOG_MAX_AGE=604800
RUN mkdir c:\tmp
RUN curl -SL --output c:\tmp\graylog_sidecar_installer.exe https://github.com/Graylog2/collector-sidecar/releases/download/1.1.0/graylog_sidecar_installer_1.1.0-1.exe
RUN curl -SL --output c:\tmp\fluent-bit-win64.exe https://fluentbit.io/releases/1.9/fluent-bit-1.9.2-win64.exe
RUN curl -SL --output c:\tmp\fluentd-x64.msi https://calyptia-fluentd.s3.us-east-2.amazonaws.com/1/windows/calyptia-fluentd-1.3.6-x64.msi
# Silent installs; the MSI goes through msiexec explicitly.
RUN c:\tmp\graylog_sidecar_installer.exe /S
RUN msiexec /i c:\tmp\fluentd-x64.msi /quiet
RUN c:\tmp\fluent-bit-win64.exe /S
RUN echo 10.12.2.225 redacted >> "C:\Windows\System32\drivers\etc\hosts"
COPY ["sidecar.yml", "C:/Program Files/Graylog/sidecar/"]
# Exec form is JSON, so backslashes in Windows paths must be doubled.
ENTRYPOINT ["C:\\Program Files\\Graylog\\sidecar\\graylog-sidecar.exe", "-c", "C:\\Program Files\\Graylog\\sidecar\\sidecar.yml"]

Let me know if you find something new about how to do this.

Thanks.
Regards,
Alejandro

I see you're running Windows Server 2019 Core? Is this correct? If so, that sucks for my plan of logging into the Windows container and downloading Graylog Sidecar through the browser. It can be done through PowerShell though, if permissions will allow it.

Second, Windows server 2019 Core/Desktop does have RDP but you need to enable it through the server Manager.

I do have another question: how do you create the service for the sidecar when creating the Windows container?

& "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
& "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

My apologies, I don't think I explained this well. I was looking at creating a Windows Docker container and then logging into it using an RDP session. Once you're in the Windows environment you can download it through the browser and/or PowerShell. Not sure if that would help, but it's an idea if the Windows Server 2019 is running. I believe once that is functioning you can make a copy of that container.
Just an idea, sorry I can't be more help, but if I run into a situation like yours I'll post back here.
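An added example, not from this thread and not Graylog's own code: a PowerShell entrypoint script that registers the sidecar with the Service Control Manager using the -service flags quoted above, keeps the container's main process alive while the service runs, and streams the sidecar log to stdout so docker logs shows it. The service name "graylog-sidecar", the install path and the log file location are assumptions.

```powershell
# Assumed entrypoint for the Windows container (e.g. ENTRYPOINT ["powershell", "-File", "C:\\entrypoint.ps1"]).
# Runs the sidecar under the SCM instead of in the foreground, which is what the
# "could not connect to the service controller" fatal indicates the binary expects.
$ErrorActionPreference = 'Stop'
$serviceName = 'graylog-sidecar'                                      # assumed service name
$sidecar     = 'C:\Program Files\Graylog\sidecar\graylog-sidecar.exe' # install path from the Dockerfile
$logFile     = 'C:\Program Files\Graylog\sidecar\logs\sidecar.log'    # assumed default log_path

# Register the service once; sidecar.yml is already at its default location.
if (-not (Get-Service -Name $serviceName -ErrorAction SilentlyContinue)) {
    & $sidecar -service install
    if ($LASTEXITCODE -ne 0) { throw "sidecar service install failed with exit code $LASTEXITCODE" }
}
& $sidecar -service start
if ($LASTEXITCODE -ne 0) { throw "sidecar service start failed with exit code $LASTEXITCODE" }

# Keep the container alive while the service runs. Exit non-zero if the service
# stops so a restart policy (or an operator watching docker ps) notices.
$offset = 0
while ($true) {
    $svc = Get-Service -Name $serviceName
    if ($svc.Status -ne 'Running') {
        Write-Host "sidecar service is $($svc.Status); stopping container"
        exit 1
    }
    if (Test-Path -Path $logFile) {
        $lines = @(Get-Content -Path $logFile)
        if ($lines.Count -lt $offset) { $offset = 0 }   # log was rotated, start over
        if ($lines.Count -gt $offset) {
            $lines[$offset..($lines.Count - 1)] | ForEach-Object { Write-Host $_ }
            $offset = $lines.Count
        }
    }
    Start-Sleep -Seconds 10
}
```

Whether the SCM inside a servercore container accepts the service registration is the point to verify first; if the install or start call fails, the exit code and the sidecar log lines printed by this script are the evidence to bring back to the thread.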
