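Here’s a Graylog content pack containing the default Sidecar collector configurations (winlogbeat for Windows, and nxlog and filebeat for both Linux and Windows). Every template's output points at 192.168.1.1 (Beats on port 5044, GELF over TCP on port 12201) and carries no TLS settings, so replace the address with your Graylog input and add transport encryption before using these outside a lab: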
{
"v": 1,
"id": "1c1c57b4-b91c-46c2-a1d4-dfb228b8e84e",
"rev": 1,
"name": "Sidecar Collectors",
"summary": "Graylog Default Sidecar Collector Configurations",
"description": "",
"vendor": "Graylog",
"url": "",
"parameters": [],
"entities": [
{
"v": "1",
"type": {
"name": "sidecar_collector",
"version": "1"
},
"id": "dbb32cad-be50-48c2-905a-3e925e09f50f",
"data": {
"name": {
"@type": "string",
"@value": "winlogbeat"
},
"service_type": {
"@type": "string",
"@value": "svc"
},
"node_operating_system": {
"@type": "string",
"@value": "windows"
},
"executable_path": {
"@type": "string",
"@value": "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
},
"execute_parameters": {
"@type": "string",
"@value": "-c \"%s\""
},
"validation_parameters": {
"@type": "string",
"@value": "test config -c \"%s\""
},
"default_template": {
"@type": "string",
"@value": "# Needed for Graylog\nfields_under_root: true\nfields.collector_node_id: ${sidecar.nodeName}\nfields.gl2_source_collector: ${sidecar.nodeId}\n\noutput.logstash:\n hosts: [\"192.168.1.1:5044\"]\npath:\n data: C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data\n logs: C:\\Program Files\\Graylog\\sidecar\\logs\ntags:\n - windows\nwinlogbeat:\n event_logs:\n - name: Application\n - name: System\n - name: Security"
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.4+279ef2c"
}
]
},
{
"v": "1",
"type": {
"name": "sidecar_collector",
"version": "1"
},
"id": "ade27f5f-4a6f-46a9-a89c-cfcd962b3376",
"data": {
"name": {
"@type": "string",
"@value": "nxlog"
},
"service_type": {
"@type": "string",
"@value": "exec"
},
"node_operating_system": {
"@type": "string",
"@value": "linux"
},
"executable_path": {
"@type": "string",
"@value": "/usr/bin/nxlog"
},
"execute_parameters": {
"@type": "string",
"@value": "-f -c %s"
},
"validation_parameters": {
"@type": "string",
"@value": "-v -c %s"
},
"default_template": {
"@type": "string",
"@value": "define ROOT /usr/bin\n\n<Extension gelfExt>\n Module xm_gelf\n # Avoid truncation of the short_message field to 64 characters.\n ShortMessageLength 65536\n</Extension>\n\n<Extension syslogExt>\n Module xm_syslog\n</Extension>\n\nUser nxlog\nGroup nxlog\n\nModuledir /usr/lib/nxlog/modules\nCacheDir /var/spool/nxlog/data\nPidFile /var/run/nxlog/nxlog.pid\nLogFile /var/log/nxlog/nxlog.log\nLogLevel INFO\n\n\n<Input file>\n\tModule im_file\n\tFile '/var/log/*.log'\n\tPollInterval 1\n\tSavePos\tTrue\n\tReadFromLast True\n\tRecursive False\n\tRenameCheck False\n\tExec $FileName = file_name(); # Send file name with each message\n</Input>\n\n#<Input syslog-udp>\n#\tModule im_udp\n#\tHost 127.0.0.1\n#\tPort 514\n#\tExec parse_syslog_bsd();\n#</Input>\n\n<Output gelf>\n\tModule om_tcp\n\tHost 192.168.1.1\n\tPort 12201\n\tOutputType GELF_TCP\n\t<Exec>\n\t # These fields are needed for Graylog\n\t $gl2_source_collector = '${sidecar.nodeId}';\n\t $collector_node_id = '${sidecar.nodeName}';\n\t</Exec>\n</Output>\n\n\n<Route route-1>\n Path file => gelf\n</Route>\n#<Route route-2>\n# Path syslog-udp => gelf\n#</Route>\n\n\n"
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.4+279ef2c"
}
]
},
{
"v": "1",
"type": {
"name": "sidecar_collector",
"version": "1"
},
"id": "669962f5-6bc2-431d-8047-b68bfa627cea",
"data": {
"name": {
"@type": "string",
"@value": "nxlog"
},
"service_type": {
"@type": "string",
"@value": "svc"
},
"node_operating_system": {
"@type": "string",
"@value": "windows"
},
"executable_path": {
"@type": "string",
"@value": "C:\\Program Files (x86)\\nxlog\\nxlog.exe"
},
"execute_parameters": {
"@type": "string",
"@value": "-c \"%s\""
},
"validation_parameters": {
"@type": "string",
"@value": "-v -f -c \"%s\""
},
"default_template": {
"@type": "string",
"@value": "define ROOT C:\\Program Files (x86)\\nxlog\n\nModuledir %ROOT%\\modules\nCacheDir %ROOT%\\data\nPidfile %ROOT%\\data\\nxlog.pid\nSpoolDir %ROOT%\\data\nLogFile %ROOT%\\data\\nxlog.log\nLogLevel INFO\n\n<Extension logrotate>\n Module xm_fileop\n <Schedule>\n When @daily\n Exec file_cycle('%ROOT%\\data\\nxlog.log', 7);\n </Schedule>\n</Extension>\n\n\n<Extension gelfExt>\n Module xm_gelf\n # Avoid truncation of the short_message field to 64 characters.\n ShortMessageLength 65536\n</Extension>\n\n<Input eventlog>\n Module im_msvistalog\n PollInterval 1\n SavePos True\n ReadFromLast True\n \n #Channel System\n #<QueryXML>\n # <QueryList>\n # <Query Id='1'>\n # <Select Path='Security'>*[System/Level=4]</Select>\n # </Query>\n # </QueryList>\n #</QueryXML>\n</Input>\n\n\n<Input file>\n\tModule im_file\n\tFile 'C:\\Windows\\MyLogDir\\\\*.log'\n\tPollInterval 1\n\tSavePos\tTrue\n\tReadFromLast True\n\tRecursive False\n\tRenameCheck False\n\tExec $FileName = file_name(); # Send file name with each message\n</Input>\n\n\n<Output gelf>\n\tModule om_tcp\n\tHost 192.168.1.1\n\tPort 12201\n\tOutputType GELF_TCP\n\t<Exec>\n\t # These fields are needed for Graylog\n\t $gl2_source_collector = '${sidecar.nodeId}';\n\t $collector_node_id = '${sidecar.nodeName}';\n\t</Exec>\n</Output>\n\n\n<Route route-1>\n Path eventlog => gelf\n</Route>\n<Route route-2>\n Path file => gelf\n</Route>\n\n"
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.4+279ef2c"
}
]
},
{
"v": "1",
"type": {
"name": "sidecar_collector",
"version": "1"
},
"id": "b560863b-a59d-49d0-b6ae-607fafec61ea",
"data": {
"name": {
"@type": "string",
"@value": "filebeat"
},
"service_type": {
"@type": "string",
"@value": "exec"
},
"node_operating_system": {
"@type": "string",
"@value": "linux"
},
"executable_path": {
"@type": "string",
"@value": "/usr/share/filebeat/bin/filebeat"
},
"execute_parameters": {
"@type": "string",
"@value": "-c %s"
},
"validation_parameters": {
"@type": "string",
"@value": "test config -c %s"
},
"default_template": {
"@type": "string",
"@value": "# Needed for Graylog\nfields_under_root: true\nfields.collector_node_id: ${sidecar.nodeName}\nfields.gl2_source_collector: ${sidecar.nodeId}\n\nfilebeat.inputs:\n- input_type: log\n paths:\n - /var/log/*.log\n type: log\noutput.logstash:\n hosts: [\"192.168.1.1:5044\"]\npath:\n data: /var/lib/graylog-sidecar/collectors/filebeat/data\n logs: /var/lib/graylog-sidecar/collectors/filebeat/log"
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.4+279ef2c"
}
]
},
{
"v": "1",
"type": {
"name": "sidecar_collector",
"version": "1"
},
"id": "f18efd57-a7ac-4513-ab56-7f5d2db1e00b",
"data": {
"name": {
"@type": "string",
"@value": "filebeat"
},
"service_type": {
"@type": "string",
"@value": "svc"
},
"node_operating_system": {
"@type": "string",
"@value": "windows"
},
"executable_path": {
"@type": "string",
"@value": "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
},
"execute_parameters": {
"@type": "string",
"@value": "-c \"%s\""
},
"validation_parameters": {
"@type": "string",
"@value": "test config -c \"%s\""
},
"default_template": {
"@type": "string",
"@value": "# Needed for Graylog\nfields_under_root: true\nfields.collector_node_id: ${sidecar.nodeName}\nfields.gl2_source_collector: ${sidecar.nodeId}\n\noutput.logstash:\n hosts: [\"192.168.1.1:5044\"]\npath:\n data: C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat\\data\n logs: C:\\Program Files\\Graylog\\sidecar\\logs\ntags:\n - windows\nfilebeat.inputs:\n- type: log\n enabled: true\n paths:\n - C:\\logs\\log.log\n"
}
},
"constraints": [
{
"type": "server-version",
"version": ">=3.3.4+279ef2c"
}
]
}
]
}