Graylog is not receiving logs with Filebeat

I’m not receiving Linux logs with Filebeat.
Every time I check the alert, there is an exclamation mark next to Graylog
gl2_source_collector:3158f974-c860-4765-ac89-4454a5516eff and it says:
Unknown field: Query contains unknown field: gl2_source_collector

    # Needed for Graylog
    fields_under_root: true
    fields.collector_node_id: ${sidecar.nodeName}
    fields.gl2_source_collector: ${sidecar.nodeId}

    filebeat.inputs:
    - input_type: log
      paths:
        - /var/log/*.log
      type: log
    output.logstash:
      hosts: [""]
    path:
      data: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/data
      logs: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/log

Time/date is correct.
I use graylog-sidecar -debug but I have no error or warning.
The Linux client can ping the Graylog server.
The Linux client sends logs with rsyslog to the Graylog server but does not send logs with Filebeat.
Filebeat is started on the Linux client.
Graylog Sidecar is started on the Linux client.
Please help me.

Hey @abntkpi

On your Graylog Sidecar dashboard does the collector Status show running? I would imagine that if GL sidecar is not working then the field (i.e., gl2_source_collector) would not be present.



Thank you for the reply.
I removed Graylog 5 and installed Graylog 4.
I use * on Graylog 4, and Graylog shows me the error: Query parsing error: Cannot parse query, cause: ‘*’ or ‘?’ not allowed as first character in WildcardQuery.
This is very strange. I did everything according to the Graylog documentation, but even though I changed the versions, I still have a problem.

Hey @abntkpi

Check the Graylog Sidecar log to find more information on what's going on. It could be a connection issue or an incorrect configuration.
