I am currently learning in my company.
My technical manager asked me to set up Graylog which is a very interesting monitoring method.
However, using “Graylog Collector Sidecar” I managed to recover the logs using sysmon and see them on my dashboards.
On the other hand I have a server on CentOS to monitor, I think that my configuration is good at the level of collectors. Should I use a pipeline for linux clients? If yes can you give me an example?
thank you in advance
(I work in France and I’m French)
did you read http://docs.graylog.org/en/2.3/pages/collector_sidecar.html ?
Once it is installed and configured on your linux server (ie pointing to the proper graylog server and having a tag defined), you will manage everything from the menu System / Collectors.
There’s no need to define a pipeline or a stream to receive logs.
Thank you for your reply.
Indeed, I have read Collector Sidecar documentation several times.
My collector is configured and my server can talk to my client.
However no log goes back on my server Graylog.
I used Sysmon for W10 and it works fine, but on CentOS I can not do it.
Here are some screenshots of my graylog-collector-sidecar.
Does the tag configured on the linux server (file by default /etc/graylog/collector-sidecar/collector_sidecar.yml) match the configuration tag (not the name of the configuration) configured in graylog (System / Collectors / Manage Configurations)?
Communication between the linux server and the graylog server seems fine since it appears running.
If you change the tag on the linux server side you have to restart the graylog sidecar service.
I checked and my tag is “linux” on both sides.
I still restarted the service collector-sidecar but nothing changes.
How did you configure ‘beats-output’ for the ‘linux’ configuration?
Did you check the communication from the linux server to the graylog input (telnet GraylogIP InputPort)?
What is the configuration of the input for the ‘linux’ configuration?
Here is my configuration:
Yes, I checked, my specified Graylog IP address is good at my CentOS client (public IP).
And the port is 9000 (192.168.98.121:9000 in private). Otherwise 5044
In this case you should check the logs of the client on your linux server: /var/log/graylog/collector-sidecar/
The only potential error in /var/log/graylog/collector-sidecar/filebeat or /var/log/graylog/collector-sidecar/collector-sidecar.log is as follows:
2017-11-02T15:29:21+01:00 INFO No non-zero metrics in the last 30s
This error comes back constantly, do you have an idea?
Just to avoid misunderstanding, you should rename your graylog sidecar clients with proper names in /etc/graylog/collector-sidecar/collector_sidecar.yml, restart the service and check in your messages if you see both clients by displaying the source field.
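As an added example (not from this thread and not Graylog's own tooling), the checks suggested above as a small Python script: it reads the sidecar config for the tag, the API URL and the enabled backend, and triages the filebeat log. It assumes the Collector Sidecar 0.1.x `collector_sidecar.yml` layout (`server_url`, `tags`, `backends`) and a Beats input on port 5044; both sample inputs are constructed.

```python
from urllib.parse import urlsplit
# Constructed sample of /etc/graylog/collector-sidecar/collector_sidecar.yml
SAMPLE_YML = """\
server_url: http://192.168.98.121:9000/api/
tags:
  - linux
backends:
  - name: filebeat
    enabled: true
"""
# Constructed sample lines from /var/log/graylog/collector-sidecar/filebeat
SAMPLE_LOG = """\
2017-11-02T15:29:21+01:00 INFO No non-zero metrics in the last 30s
2017-11-02T15:29:51+01:00 INFO No non-zero metrics in the last 30s
"""

def parse_sidecar_yml(text):
    """Minimal reader for the keys the checks need (avoids a PyYAML dependency)."""
    cfg, section, backend = {"tags": [], "backends": {}}, None, None
    for line in text.splitlines():
        if not line.startswith(" "):  # top-level key: server_url / tags / backends
            section, _, val = line.partition(":")
            if val.strip():
                cfg[section] = val.strip()
        elif section == "tags" and line.strip().startswith("- "):
            cfg["tags"].append(line.strip()[2:])
        elif section == "backends":
            key, _, val = line.strip().lstrip("- ").partition(":")
            if key == "name":
                backend = val.strip()
            elif key == "enabled" and backend:
                cfg["backends"][backend] = val.strip() == "true"
    return cfg

def check_sidecar(cfg, expected_tag, beats_port=5044):
    """Return findings; an empty list means the static config is consistent."""
    findings = []
    if urlsplit(cfg.get("server_url", "")).port == beats_port:
        findings.append("server_url points at the Beats input port; the sidecar needs the REST API (9000)")
    if expected_tag not in cfg["tags"]:
        findings.append(f"tag {expected_tag!r} from System / Collectors is missing from {cfg['tags']}")
    if not cfg["backends"].get("filebeat"):
        findings.append("filebeat backend is not enabled, so nothing will ship logs")
    return findings

def triage_filebeat_log(text):
    """'No non-zero metrics' is INFO, not an error: filebeat published nothing in that window."""
    idle = sum("No non-zero metrics" in l for l in text.splitlines())
    errors = [l for l in text.splitlines() if any(w in l for w in ("ERR", "CRIT"))]
    return {"idle_periods": idle, "errors": errors}
```

Run it with `check_sidecar(parse_sidecar_yml(open(path).read()), "linux")` on the real file; a repeated idle count with no errors means filebeat is connected but has no events to send, so the next thing to look at is the paths in the generated filebeat.yml.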