Graylog Sidecar configuration problem

simust · July 8, 2019, 3:40pm

Hi all!

After updating Graylog to version 3.0.2 I got problems with Sidecar + Nxlog combination. Exec blocks does not work anymore

There is a simple example from Sidecar nxlog on Windows:

	<Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
	</Exec>

I’m sure this code worked before updating Graylog.

Error text:

2019-07-08 18:14:28 ERROR Couldn't parse Exec block at C:\Program Files\Graylog\sidecar\generated\nxlog.conf:41; couldn't parse statement at line 42, character 33 in C:\Program Files\Graylog\sidecar\generated\nxlog.conf; invalid character: ';' (0xd)

Is it possible that the problem is in the generated file nxlog.conf from C:\Program Files\Graylog\sidecar\generated directory? I see extra empty lines in this file… maybe its encoding issue.

(pic from Notepad++)

What am I doing wrong?

P.S. The following code also stopped working when I updated the Sidecar nxlog collector configuration:

Query <QueryList> \
    <Query Id="0" Path="DNS Server">  \
        <Select Path="DNS Server"> \
        *[System[(Level=1  or Level=2 or Level=3)]] \
        </Select> \
    </Query> \
</QueryList>

simust · July 9, 2019, 11:39am

Stupid solution…

Use Exec before each command instead of <Exec> block:

Exec gl2_source_collector = '{sidecar.nodeId}’;
Exec collector_node_id = '{sidecar.nodeName}’;
Write the event log query command in one line:

Query <QueryList> <Query Id="0" Path="DNS Server"> <Select Path="DNS Server"> *[System[(Level=1 or Level=2 or Level=3)]] </Select> </Query> </QueryList>

Hope that in the future Graylog versions this problem will be fixed.

system · July 23, 2019, 10:12am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.