Graylog receiving messages from Winlogbeat but streams are empty

Hi all,
We’ve set up a Graylog 3 server and a single Windows 2016 sidecar running Winlogbeat.
Everything looks good, in the GUI the sidecar shows as running (last reported 1 second ago), under Manage Sidecar I see Winlogbeat as ‘running’ so all is good.
Messages in/out at top-right of GUI show zero; if I do an action on the client server (e.g. restart a Windows service) I see the counter briefly change to 1 in/1 out, the log on the client machine shows “successfully published 1 message”, and on the Graylog server itself I can edit the log file in /var/lib/graylog-server/journal/messagejournal-0 and see it update with the event (it shows the server name, and the service entering stopped/start states).
So everything I’m seeing suggests that this is working, but if I view the ‘all messages’ stream, it’s empty. Everywhere I look in the GUI I see no messages received ever, and it’s been running for about a week now.
I feel like there’s something wrong with the way we’re trying to view the logs, OR the Graylog server is receiving, but dropping the messages into a black hole.
I hope I’ve provided enough detail for someone to hopefully help me.

Thanks in advance

What does your collector configuration look like? What do the logs on the Win2016 server have in them? (C:\Program Files\Graylog\sidecar\logs)
