Graylog packetbeat on ubuntu

Hi, guys
I have a problem with elastic packetbeat on ubuntu
I use graylog version 3.1 and elasticsearch 6.8 and mongo 4
installed packetbeat 7 but nothing received on graylog input
…

bahram@localdomain:~$ sudo curl -XGET 'http://localhost:9200'
[sudo] password for bahram:
{
  "name" : "myPLie2",
  "cluster_name" : "graylog",
  "cluster_uuid" : "7TUMoNZpTk6DUY4ssc3y1A",
  "version" : {
    "number" : "6.8.23",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "4f67856",
    "build_date" : "2022-01-06T21:30:50.087716Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.3",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
-------------------------------------------------------------
bahram@localdomain:~$ sudo mongod --version
db version v4.0.28

--------------------------------------------------------------
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-oss-7.15.1-amd64.deb
sudo dpkg -i packetbeat-oss-7.15.1-amd64.deb

-------------------------------------------------------------------------------------
bahram@ubuntu192:~$ sudo packetbeat test config
bahram@ubuntu192:~$ sudo packetbeat test config
Config OK
bahram@ubuntu192:~$ sudo packetbeat test output
logstash: 192.168.110.131:5050...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.110.131
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
bahram@ubuntu192:~$ sudo systemctl status packetbeat.service
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/packetbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-02 02:40:40 PST; 250ms ago
       Docs: https://www.elastic.co/beats/packetbeat
   Main PID: 61101 (packetbeat)
      Tasks: 8 (limit: 7075)
     Memory: 38.1M
     CGroup: /system.slice/packetbeat.service
             └─61101 /usr/share/packetbeat/bin/packetbeat --environment systemd -c /etc/packetbeat/packetbeat.yml --path.home /usr/share/packetbeat --path.config /etc/packetbeat --pa>

Mar 02 02:40:40 ubuntu192.168.110.130 systemd[1]: Stopped Packetbeat analyzes network traffic and sends the data to Elasticsearch..
Mar 02 02:40:40 ubuntu192.168.110.130 systemd[1]: Started Packetbeat analyzes network traffic and sends the data to Elasticsearch..
Mar 02 02:40:41 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:41.035-0800","log.origin":{"file.name":"instance/beat.go","file.line":679}>
Mar 02 02:40:41 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:41.035-0800","log.origin":{"file.name":"instance/beat.go","file.line":687}>
Mar 02 02:40:43 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"warn","@timestamp":"2022-03-02T02:40:43.811-0800","log.logger":"add_cloud_metadata","log.origin":{"file.name":">
Mar 02 02:40:43 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.984-0800","log.logger":"seccomp","log.origin":{"file.name":"seccomp/sec>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.>
Mar 02 02:40:43 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Main process exited, code=exited, status=1/FAILURE
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.>
Mar 02 02:40:43 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Failed with result 'exit-code'.
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.origin":{"file.name":"instance/beat.go","file.line":332}>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.987-0800","log.logger":"publisher","log.origin":{"file.name":"pipeline/>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.988-0800","log.origin":{"file.name":"procs/procs.go","file.line":103},">
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"warn","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"cfgwarn","log.origin":{"file.name":"sip/plugin.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"kibana","log.origin":{"file.name":"kibana/clien>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.origin":{"file.name":"instance/beat.go","file.line":495}>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"error","@timestamp":"2022-03-02T02:40:43.992-0800","log.origin":{"file.name":"instance/beat.go","file.line":102>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fai>
Mar 02 02:40:44 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Scheduled restart job, restart counter is at 681.
lines 1-36/36 (END)...skipping...
● packetbeat.service - Packetbeat analyzes network traffic and sends the data to Elasticsearch.
     Loaded: loaded (/lib/systemd/system/packetbeat.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-02 02:40:40 PST; 250ms ago
       Docs: https://www.elastic.co/beats/packetbeat
   Main PID: 61101 (packetbeat)
      Tasks: 8 (limit: 7075)
     Memory: 38.1M
     CGroup: /system.slice/packetbeat.service
             └─61101 /usr/share/packetbeat/bin/packetbeat --environment systemd -c /etc/packetbeat/packetbeat.yml --path.home /usr/share/packetbeat --path.config /etc/packetbeat --path.data /var/lib/packetbeat --path.l>

Mar 02 02:40:40 ubuntu192.168.110.130 systemd[1]: Stopped Packetbeat analyzes network traffic and sends the data to Elasticsearch..
Mar 02 02:40:40 ubuntu192.168.110.130 systemd[1]: Started Packetbeat analyzes network traffic and sends the data to Elasticsearch..
Mar 02 02:40:41 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:41.035-0800","log.origin":{"file.name":"instance/beat.go","file.line":679},"message":"Home path: [/usr/share/p>
Mar 02 02:40:41 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:41.035-0800","log.origin":{"file.name":"instance/beat.go","file.line":687},"message":"Beat ID: 1cda43ff-bccb-4>
Mar 02 02:40:43 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"warn","@timestamp":"2022-03-02T02:40:43.811-0800","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.>
Mar 02 02:40:43 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.984-0800","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1050},"message":"Bea>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1059},"message":"Bui>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.985-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go >
Mar 02 02:40:43 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Main process exited, code=exited, status=1/FAILURE
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Hos>
Mar 02 02:40:43 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Failed with result 'exit-code'.
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Pro>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.986-0800","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: packetbeat; >
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.987-0800","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.988-0800","log.origin":{"file.name":"procs/procs.go","file.line":103},"message":"Process watcher disabled",>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"warn","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"cfgwarn","log.origin":{"file.name":"sip/plugin.go","file.line":67},"message":"BETA:>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Star>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.989-0800","log.logger":"kibana","log.origin":{"file.name":"kibana/client.go","file.line":182},"message":"Ki>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":192},"message":"Tota>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":193},"message":"Upti>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":160},"message":"Stop>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"info","@timestamp":"2022-03-02T02:40:43.992-0800","log.origin":{"file.name":"instance/beat.go","file.line":495},"message":"packetbeat stopped.","se>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: {"log.level":"error","@timestamp":"2022-03-02T02:40:43.992-0800","log.origin":{"file.name":"instance/beat.go","file.line":1025},"message":"Exiting: error connect>
Mar 02 02:40:44 ubuntu192.168.110.130 packetbeat[61101]: Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET req>
Mar 02 02:40:44 ubuntu192.168.110.130 systemd[1]: packetbeat.service: Scheduled restart job, restart counter is at 681.

bahram00011910×977 171 KB

bahram0021916×985 191 KB

bahram00031882×648 38.3 KB

tail -f the sidecar logs on the client as you restart the beat, the error messages you find there are usually pretty good at describing where the issue is. A quick look at the docs for Packetbeat… I think you want :

- type: dns
   ports: [53]

not sure about the icmp…

It helps if you post collector configuration code with the </> forum tool as well

Hi, tmacgbay
Thanks a lot for guide me

bahram@ubuntu192:~$ cat /etc/graylog/sidecar/sidecar.yml
# The URL to the Graylog server API.
#server_url: "http://127.0.0.1:9000/api/"
server_url: "http://192.168.x.x:9000/api/"

# The API token to use to authenticate against the Graylog server API.
# This field is mandatory
server_api_token: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXg"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:/etc/graylog/sidecar/node-id"
# Example ID string: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
#node_id: "file:/etc/graylog/sidecar/node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
node_name: "ubuntu_bahram"

# The update interval in seconds. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
#update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
#tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
#send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "/var/cache/graylog-sidecar"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "/var/log/graylog-sidecar"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "/var/lib/graylog-sidecar/generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
#     collector_binaries_whitelist:
#       - "/usr/bin/filebeat"
#       - "/opt/collectors/*"
#
# Example disable whitelisting:
#     collector_binaries_whitelist: []


collector_binaries_whitelist: []
backends:
    - name: packetbeat
      enabled: true
      binary_path: /usr/share/packetbeat/bin/packetbeat
      configuration_path: /etc/packetbeat/packetbeat.yml
    - name: filebeat
      enabled: true
      binary_path: /usr/share/filebeat/bin/filebeat
      configuration_path: /etc/filebeat/filebeat.yml
---------------------------------------------------------------------------------------------------
bahram@ubuntu192:~$ sudo cat  /etc/packetbeat/packetbeat.yml

#################### Packetbeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The packetbeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/packetbeat/index.html

# =============================== Network device ===============================

# Select the network interface to sniff the data. On Linux, you can use the
# "any" keyword to sniff on all connected interfaces.
packetbeat.interfaces.device: any

# =================================== Flows ====================================

# Set `enabled: false` or comment out all options to disable flows reporting.
packetbeat.flows:
  # Set network flow timeout. Flow is killed if no packet is received before being
  # timed out.
  timeout: 30s

  # Configure reporting period. If set to -1, only killed flows will be reported
  period: 10s

# =========================== Transaction protocols ============================

packetbeat.protocols:
- type: icmp
  # Enable ICMPv4 and ICMPv6 monitoring. Default: false
  enabled: true

- type: amqp
  # Configure the ports where to listen for AMQP traffic. You can disable
  # the AMQP protocol by commenting out the list of ports.
  ports: [5672]

- type: cassandra
  #Cassandra port for traffic monitoring.
  ports: [9042]

- type: dhcpv4
  # Configure the DHCP for IPv4 ports.
  ports: [67, 68]

- type: dns
  # Configure the ports where to listen for DNS traffic. You can disable
  # the DNS protocol by commenting out the list of ports.
  ports: [53]

- type: http
  # Configure the ports where to listen for HTTP traffic. You can disable
  # the HTTP protocol by commenting out the list of ports.
  ports: [80, 8080, 8000, 5000, 8002]

- type: memcache
  # Configure the ports where to listen for memcache traffic. You can disable
  # the Memcache protocol by commenting out the list of ports.
  ports: [11211]

- type: mysql
  # Configure the ports where to listen for MySQL traffic. You can disable
  # the MySQL protocol by commenting out the list of ports.
  ports: [3306,3307]

- type: pgsql
  # Configure the ports where to listen for Pgsql traffic. You can disable
  # the Pgsql protocol by commenting out the list of ports.
  ports: [5432]

- type: redis
  # Configure the ports where to listen for Redis traffic. You can disable
  # the Redis protocol by commenting out the list of ports.
  ports: [6379]

- type: thrift
  # Configure the ports where to listen for Thrift-RPC traffic. You can disable
  # the Thrift-RPC protocol by commenting out the list of ports.
  ports: [9090]

- type: mongodb
  # Configure the ports where to listen for MongoDB traffic. You can disable
  # the MongoDB protocol by commenting out the list of ports.
  ports: [27017]

- type: nfs
  # Configure the ports where to listen for NFS traffic. You can disable
  # the NFS protocol by commenting out the list of ports.
  ports: [2049]

- type: tls
  # Configure the ports where to listen for TLS traffic. You can disable
  # the TLS protocol by commenting out the list of ports.
  ports:
    - 443   # HTTPS
    - 993   # IMAPS
    - 995   # POP3S
    - 5223  # XMPP over SSL
    - 8443
    - 8883  # Secure MQTT
    - 9243  # Elasticsearch

- type: sip
  # Configure the ports where to listen for SIP traffic. You can disable the SIP protocol by commenting out the list of ports.
  ports: [5060]

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# A list of tags to include in every event. In the default configuration file
# the forwarded tag causes Packetbeat to not add any host fields. If you are
# monitoring a network tap or mirror port then add the forwarded tag.
#tags: [forwarded]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
setup.dashboards.enabled: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Packetbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.110.131:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.110.131:5050"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================

processors:
  - # Add forwarded to tags when processing data from a network tap or mirror.
    if.contains.tags: forwarded
    then:
      - drop_fields:
          fields: [host]
    else:
      - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Packetbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Packetbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the packetbeat.
#instrumentation:
    # Set to true to enable instrumentation of packetbeat.
    #enabled: false

    # Environment in which packetbeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

My bad - I said Elasticsearch logs when you want to tail the SIDECAR logs on the client - I will correct that post. You can likely find them here (the path is in your collector):

/var/lib/graylog-sidecar/collectors/packetbeat/log

That is usually a great way to find out if there is anything wrong with your collector config

Also of note, use egrep before posting yml code, it makes it easier to read the important stuff

i.e:

cat /etc/graylog/sidecar/sidecar.yml | egrep -v "^\s*(#|$)"

Hi,
It was very useful and valuable .
Thanks a lot

What was the correction that fixed it?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.