Hi guys:
Having an issue with Graylog 3.0.1 and a Windows Server 2012 running Sidecar 1.0.1.
Sidecar registered and FileBeat config gets pushed out with no issues:

Screenshot_20190502_211428.png1280×720 95 KB

Content of winlogbeat.yml (generated folder) in Win Server:

Needed for Graylog

fields_under_root: true
fields.collector_node_id: anms-dc01
fields.gl2_source_collector: 5a51f09b-69d5-4f15-8f26-280ce46f6d67

output.logstash:
hosts: [“192.168.1.150:5045”]
path:
data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
logs: C:\Program Files\Graylog\sidecar\logs
tags:

• windows
  winlogbeat:
  event_logs:
  • name: Application
  • name: System
  • name: Security

Input also configured in Graylog server:

Screenshot_20190502_211804.png1280×720 104 KB

However, I see no messages, either via Systems - Sidecars - Show messages or directly from Input.

TCPDump run on Graylogserver and on WinServer show traffic on TCP 9000 but no conns at all on port 5055.

I’d been using “old” sidecar collectors and Graylog 2.x for a while with no issues but I don’t seem to get this one working.

Any ideas?

Thanks!

Also, the Backend Log File throws following entries:

No local FW running on Graylog Server. A telnet from WinServer to Graylog on port 5045 works.

Thanks

In screenshots Graylog server address is 192.168.252.150, in winlogbeat configuration it is 192.168.1.150

Thanks Karlis, I guess I need a new pair of glasses.

Cheers
Juan.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.