Graylog sidecar error

Hi,

I am trying to set up Graylog sidecar. When I try to start the sidecar service I encounter a “connection refused” error. Not sure what I did wrong. Can anyone please help me fix this?

Thanks,
Ipsita Dash

Hi @dash_sahu

There’s an address error in your log.

http://10.19.113.199/:9000

Should be:

http://10.19.113.199:9000 # without a slash after 199

Can you review the content of the option server_url of your sidecar.yml?

Is your “paths” option inside filebeat.yml configured to look for logs where your application is writing them?

Hi,

No, not really. That is where I am confused. I have a Linux box where Graylog is installed. On the same box I installed sidecar and filebeat. Now my application is running on a different box. I am not sure where I should add the hostname (my application server IP) and log path (where my application is generating logs).
Please help me to understand the configuration.

Thanks,
Ipsita Dash

I added the log path in filebeat.yml and restarted filebeat. But still I didn’t receive any logs in Graylog.
Not sure what I missed.

Sidecar has to be installed on the same box as your application.

Normally Graylog works in passive mode, in other words it waits to receive data from many sources.

The diagram in this page explains it pretty well:
https://docs.graylog.org/en/4.0/pages/sidecar.html

Thank you so much for the clarification and the documentation. Will try and fix it tomorrow.

Hi,

I installed sidecar and Filebeat on the application Linux box, and I am receiving a 401 error while starting sidecar. Not sure why the unauthorized error happened.
For filebeat I am receiving a connection refused error.
Can you please guide me to fix it?

Thanks,
Ipsita Dash

Hi @dash_sahu

filebeat normally is a child process spawned by sidecar.

  • “Connection Refused” for port 5044 must be related to the “localhost” address in your log; it should be your Graylog Server IP. You change that in “filebeat.yml” but not the file in “/etc/filebeat/”. You probably have another filebeat process running on your server; confirm that with:
ps -ef | grep filebeat | grep -v grep

The path for the right file you can find with:

ps -ef | grep sidecar | grep -v grep
root      9398 30380  0  2020 ?        06:43:26 /usr/share/filebeat/bin/filebeat -c /var/lib/graylog-sidecar/generated/filebeat.yml
root     30380     1  0  2020 ?        02:56:31 /usr/bin/graylog-sidecar

in my case: /var/lib/graylog-sidecar/generated/filebeat.yml

  • 401 error can be related to the access granted to sidecar so it can send data to Graylog via API. Take a look if the option “server_api_token” in the sidecar.yml file is the same that was generated in the “Access Token” step.
    In case you miss how to generate a token you can find it here: Graylog REST API — Graylog 4.0.0 documentation
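The checks suggested in this thread, collected as an added example; it was not posted by any participant. The function names are hypothetical, the second process line in the sample is constructed, and the quoted-token check reflects the fix reported by the original poster rather than a documented requirement.

```shell
#!/bin/sh
# Added example: offline checks for the misconfigurations in this thread.
# All function names are hypothetical; sample data below is constructed.

# True (0) when the port was typed after a slash, e.g. http://host/:9000
url_port_misplaced() {
    rest=${1#*://}
    path=${rest#*/}                      # text after the first slash, if any
    [ "$path" != "$rest" ] || return 1   # no slash at all: nothing misplaced
    case "$path" in :[0-9]*) return 0 ;; *) return 1 ;; esac
}

# Reads `ps -ef` output on stdin, prints the file given to each filebeat -c
filebeat_configs() {
    awk '/filebeat/ { for (i = 1; i < NF; i++) if ($i == "-c") print $(i + 1) }'
}

# Prints (with line numbers) hosts: entries that still point at this machine
localhost_outputs() {
    grep -nE '^[[:space:]]*hosts:.*(localhost|127\.0\.0\.1)' "$1"
}

# True (0) when server_api_token is written as a double-quoted string
token_is_quoted() {
    grep -qE '^[[:space:]]*server_api_token:[[:space:]]*"[^"]+"' "$1"
}

# Constructed demo: the first ps line is the one quoted in the thread, the
# second is an assumed standalone filebeat service using /etc/filebeat/.
SAMPLE_PS='root  9398 30380 0 2020 ? 06:43:26 /usr/share/filebeat/bin/filebeat -c /var/lib/graylog-sidecar/generated/filebeat.yml
root  1200     1 0 2020 ? 00:01:00 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml'

for url in 'http://10.19.113.199/:9000' 'http://10.19.113.199:9000'; do
    if url_port_misplaced "$url"; then echo "BAD $url"; else echo "ok  $url"; fi
done
printf '%s\n' "$SAMPLE_PS" | filebeat_configs
```

On a real host, pipe `ps -ef` into `filebeat_configs` and run `localhost_outputs` on each path it prints; two different paths mean two filebeat instances are running with different configurations.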

Hi,

I verified the API key configuration; the API key is the same, and even after that I received a 401 error.
Will it be possible for you to join a Webex for a few minutes and guide me to resolve it?
I am in a POC phase so I won’t get any enterprise support. I would really appreciate it if you can help me fix it.

Waiting to hear back.

Thanks,
Ipsita Dash

Sidecar error fixed. I passed the API key as a string (with double quotes).
For filebeat I changed the localhost and tried to restart but the error persists.
(PFA)

Hi,

glad to hear from you that you solved filebeat problem.

Related to sidecar, “connection reset by peer” means that your server is refusing the connection for some reason.

Take a look if you have some firewall rules applied on the server, or maybe SELinux activated.

Running a tcpdump on both ends would be a good idea too, to check how the traffic is between nodes.

Hi,

I checked all possibilities to run Filebeat but I am still receiving the connection refused error. Any suggestions to fix it will be a great help.

Thanks,
Ipsita Dash

tcpdump host host1 and host2

Hi,

can you provide the content of your “filebeat.yml” file?

Hi,

Unable to post it here, hence forwarded the yml file to your Gmail. Please have a look and let me know if any changes are required.

Thanks,
Ipsita Dash

Hi,

just saw it.

Question:
Is your Graylog Server listening on port 9600? Normally the right port is 5044. If not, you must change this setting in your filebeat.yml, from:

 hosts: 10.119.113.199:9600

to:

hosts: 10.119.113.199:5044

You can confirm the running port with:

netstat -tanp | grep $(ps -ef | grep graylog-server | grep -v grep | awk '{print $2}') | grep LISTEN

Hi,

I tried port 5044 and unfortunately encountered the same error. So I tried 9200, where Graylog is running. Still no luck. So I changed the Logstash port to 9600 and tried. As the host config is in the output section, I thought the filebeat output is going to be the input for Logstash. Still no luck.

Thanks,
Ipsita Dash

If you see the last statement it says “successfully started Logstash API end …t=>9600” hence mentioned the same in config.
Now I changed the config to 5044, still the same error

FYI:

Curl http://10.119.113.199:5044 and 9600 shows connection refused.
10.119.113.199 - Graylog Server

I checked the security group and the port is open. Not sure why connection error is happening in the same box.