Hi,
I am very new to graylog installation and I could not find enough data for the installation that I draw in this topic.
I have thousands of questions and documents seem not to reply most of it so I need help
1_ how should I set my filebeat so it can collect any log (I even tried to use sidecar but no way it does not get my logs to graylog.
2_Somehow graylog nodes seems in elasticsearch cluster so my elasticsearch cluster has 6 nodes but I can not see any indices in graylog screens (tough when I look at my elasticsearch clusters I have two indices using ElasticHQ plugin)
3_Why there is no step by step examples for some simple or example configurations to make it easier.
4_ How should I set my nginx so http 9000 works for sidecar and filebeat to communicate with otherside back and forth
Create a Beats input in Graylog and configure Filebeat to use a logstash output to send data to the Graylog node(s).
Up to version 2.2.3, Graylog joins the Elasticsearch cluster as a client node (i. e. not master eligible, doesn’t store data) which is shown in the Elasticsearch cluster state.
There are step-by-step guides in the documentation and the Graylog Collector Sidecar aims to help users to configure all sorts of log collectors such as NXLOG, Filebeat, and Winlogbeat.
I would like to go step by step.
How should I set my sidecar so it uses filebeat harvests logs and send data to nginx here is my "collector_sidecar.yml "
The configuration of the Graylog Collector Sidecar looks correct (if http://89.22.104.82:9000/api/ is the address of the Graylog REST API), although be aware that Filebeat doesn’t send data to nginx (or the Graylog REST API), but to a Beats input in Graylog which you’ll have to create on the System / Inputs page in the Graylog web interface.
.82 is nginx ip.
But there is something I did not understand.
When I start sidecar it connects to graylog and asks for configuration receives it and starts filebeat.
What are the steps of this process.
For example :
sidecar–>graylog rest (protocol - http)
graylog rest -->sidecar (protocol tcp)…
I know thats not right but knowing the correct version can help
The Graylog Collector Sidecar connects to the Graylog REST API (HTTP) to send its ping and fetch the intended configuration.
After that, the Graylog Collector Sidecar configures the actual log shipper (Filebeat in your case) accordingly and starts it.
The actual log shipper (Filebeat) then starts and sends data to the Graylog Beats input (port 5044/tcp by default).
Name : access-logs
Forward to (req) : Beats-Output[filebeat]
type : [FileBeat] file input
Path to lLogfile : [/home/cb/Apache-Log/*.log']
Encoding : plain
Type of Input : log
Ignore files older than :slight_smile: 0
Scan frequency in seconds : 10s
Exclude []
Include []
Tail Files
Thats another interesting problem there I have a 3 node cluster for graylog but only 2 runs
settings in Input Beats :
Global
Title : Beats
Bind address 127.0.0.1 (not accepted 0.0.0.0)
Port 9000
Receive Buffer Size : 1048576
the rest of it is empty.
But thats the ip its trying to bind and listen to is not it?
my graylogs are .79 .80 and .81 can I use any of thems Ip?
Or can you give an exaple for it? may be I didnot understand the purpose of that ip
so I setup my port to 8000 and did nginx tcp loadbalancing
this has given me
Throughput / Metrics
1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 1.3KB 0B )
Active connections: 0 (11 total)
Empty messages discarded: 0
in beats inputs
If i am not mistaken this shows my beats connected to Gl over nginx is that correct?
so everytime I start filebeat number of connections increases.
when I look at the logs of filebeat everytime I get this error one more connection is also added
2017-07-18T11:04:23+02:00 ERR Connecting error publishing events (retrying): Get http://89.22.104.82:8000: EOF
Whats the problem here I can not understand