Hi!
We deploy collectors-sidecar on Windows systems. From some of them we need only Windows Event Logs and so defined a configuration only for Winlogbeat. But these systems are displayed in the Graylog UI as failing probably due to the missing Filebeat configuration.
Though I can disable Filebeat in collectors-sidecar configuration, is there any way to do this on a server side?
To recap:
you have hosts where you use filebeat and winlogbeat via collector-sidecar. Other hosts have only winlogbeat.
The hosts that are running only winlogbeat are showed as failing in the Graylog UI?
Did you checked the logfiles? Of the collector sidecar, and Graylog?
Thank you for reply.
Yes, you are correct. If a host has Filebeat enabled but don’t has assigned configuration on a server, it’s status set to “Failing”.
Here is some related peaces from the logs of a newly deployed Sidecar 0.1.6 (x64).
logs/collector_sidecar:
...
time="2018-08-15T17:07:21+03:00" level=info msg="[filebeat] Configuration change detected, rewriting configuration file."
time="2018-08-15T17:07:21+03:00" level=error msg="[filebeat] Error during configuration validation: Exiting: error initializing publisher: No outputs are defined. Please define one under the output section.\n"
time="2018-08-15T17:07:21+03:00" level=error msg="[filebeat] Collector configuration file is not valid, waiting for the next update."
time="2018-08-15T17:07:23+03:00" level=info msg="[winlogbeat] Starting (exec driver)"
logs/filebeat:
2018-08-15T17:07:21+03:00 INFO Home path: [C:\Program Files\graylog\collector-sidecar] Config path: [C:\Program Files\graylog\collector-sidecar] Data path: [C:\Program Files\graylog\collector-sidecar\cache\filebeat\data] Logs path: [C:\Program Files\graylog\collector-sidecar\logs]
2018-08-15T17:07:21+03:00 INFO Metrics logging every 30s
2018-08-15T17:07:21+03:00 INFO Beat UUID: ...
2018-08-15T17:07:21+03:00 INFO Setup Beat: filebeat; Version: 6.1.2
2018-08-15T17:07:21+03:00 INFO No outputs are defined. Please define one under the output section.
2018-08-15T17:07:21+03:00 CRIT Exiting: error initializing publisher: No outputs are defined. Please define one under the output section.
logs/filebeat_stderr.log:
filebeat2018/08/15 14:07:10.860786 beat.go:635: CRIT Exiting: error loading config file: open C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml: The system cannot find the file specified.
Exiting: error loading config file: open C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml: The system cannot find the file specified.
...
filebeat2018/08/15 14:07:19.670231 beat.go:635: CRIT Exiting: error loading config file: open C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml: The system cannot find the file specified.
Exiting: error loading config file: open C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml: The system cannot find the file specified.
If I define a dummy configuration with an output, the error message in the logs/filebeat file changes:
2018-08-14T18:37:10+03:00 CRIT Exiting: No modules or prospectors enabled and configuration reloading disabled. What files do you want me to watch?
I can go further and define an input from a some empty file but maybe there are simpler ways to leave Filebeat enabled on a host. This makes auto deploy and management a bit easier.
From the Docker logs for the server I can’t see anything interesting but I will look more closely later.
that sounds like a bug to me.
Could you please open a bug report after your additional research https://github.com/Graylog2/graylog2-server/issues
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.