Graylog Sidecar doesn't send logs

Hi,
I've installed the latest Graylog server on Debian and have installed the Sidecar agent on my Windows machine. They are connected, running and the default configuration from setup is assigned:

Collector is running.

Log at the windows vm says:

time="2024-10-18T10:01:08+02:00" level=info msg="Starting signal distributor"
time="2024-10-18T10:01:08+02:00" level=info msg="Adding process runner for: winlogbeat-66dee561f5af2c5aa89a6006"
time="2024-10-18T10:01:08+02:00" level=info msg="[winlogbeat-66dee561f5af2c5aa89a6006] Configuration change detected, rewriting configuration file."
time="2024-10-18T10:01:13+02:00" level=info msg="[winlogbeat-66dee561f5af2c5aa89a6006] Starting (svc driver)"

But there are no input messages. I've firewall port policies, but telnet succeeds on 5044 and 9000 from the machine to the log VM.

The default input for beats is also defined.

Has anyone a hint why no Windows event logs are received / sent out? It seems that all is set up and running…

If you click on winlogbeat-default it will open the configuration in an editor. You may need to change the value specified in hosts to match your Graylog node and port, for example port 5044 for Beats.

Can you also confirm you do have a Beats input running and listening on TCP 5044 on your Graylog node? It should appear on the inputs page via System / Inputs and should indicate a RUNNING status.

Thank you - I thought this variable would fit the correct host:

This is set by default at winlogbeat-default at sidecar configuration:

output.logstash:
   hosts: ["${user.graylog_host}:5044"]

This is set by default at winlogbeat at log collector config:

output.logstash:
   hosts: ["${user.graylog_host}:5044"]

So I have to use an array of hosts here? Can you please show me an example?

You can use ${user.graylog_host} if you’ve set the variable. I forget what it defaults to but you can configure it via:

  1. System / Sidecars
  2. Configuration
  3. Click edit on any config (does not matter which)
  4. Click on the variables Tab
  5. Edit the variable

I always forget I can use variables and tend to just put the hostname:

For example

output.logstash:
   hosts: ["graylog.domain.tld:5044"]

But you can also do it like you have in your example. Hope that helps!
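
A small check for the `hosts` setting discussed in this thread, added here as an example that is not part of the original posts or of Graylog's own tooling. It assumes you paste in the text of the winlogbeat configuration as it ends up on the Windows machine; the function names and both sample configs are made up for illustration.

```python
import re

PLACEHOLDER = re.compile(r"\$\{[^}]+\}")   # e.g. ${user.graylog_host}
BEATS_PORT = 5044                           # port of the Beats input in this thread

def logstash_hosts(config_text):
    """Return the entries of output.logstash -> hosts (inline [..] list form)."""
    in_block = False
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # skip blank lines and comments
        if not raw[0].isspace():            # a top-level key opens or closes the block
            in_block = raw.strip() == "output.logstash:"
            continue
        m = re.match(r"\s+hosts:\s*\[(.*)\]\s*$", raw)
        if in_block and m:
            return [h.strip().strip("\"'") for h in m.group(1).split(",") if h.strip()]
    return []

def check_entry(entry, expected_port=BEATS_PORT):
    """Return a list of problems for one hosts entry; an empty list means it looks fine."""
    problems = []
    if PLACEHOLDER.search(entry):
        problems.append("unresolved variable")
    host, sep, port = entry.rpartition(":")
    if not sep:
        problems.append("no explicit port")
    elif not port.isdigit():
        problems.append("port is not a number")
    elif int(port) != expected_port:
        problems.append(f"port {port} is not the Beats input port {expected_port}")
    if sep and not host:
        problems.append("empty host name")
    return problems

def audit(config_text):
    """Map every hosts entry to its list of problems."""
    return {entry: check_entry(entry) for entry in logstash_hosts(config_text)}

# Constructed sample configs (not taken from a real host)
RENDERED_OK = 'output.logstash:\n   hosts: ["graylog.domain.tld:5044"]\n'
RENDERED_BAD = (
    "output.logstash:\n"
    '   hosts: ["${user.graylog_host}:5044", "graylog.domain.tld:9000"]\n'
    "path:\n"
    "   data: placeholder\n"
)
```

An entry that still shows `${...}` means the variable was never filled in, and an entry on 9000 points at the port the poster tested with telnet rather than the Beats input on 5044.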
