I am currently setting up my first installation of Graylog. I set up Graylog-collector-sidecar on a Windows machine, as most of the machines I will need to monitor are Windows machines. I installed and started the service, and when I click the executable on the Windows machine I get the following:
I tried listening on port 5044 and on port 9000. I believe I configured the tags correctly. I put WSUS in the tags in the yml file, and on the web browser portion of Graylog I updated the tags for the configuration with both “windows” and “wsus”, but I also get a similar message in the web browser when I look at the collectors.
I am getting “Status: No configuration found for configured tags!” under the sidecar info and under Backends I am getting “Winlogbeat: unable to start collector after 3 tries, giving up!”
So it looks like the machines are communicating but something is wrong with the tags.
I am running Graylog version 2.4.6 and sidecar version 0.1.6.
Any help is greatly appreciated. I am happy to supply any additional information for troubleshooting.
So is the server_url in the sidecar configuration the rest_listen_uri of your Graylog (what you use to connect with your browser to Graylog, with /api attached to it)?
In addition check the step-by-step guide: http://docs.graylog.org/en/2.4/pages/collector_sidecar.html#step-by-step-guide
with a special eye on the following image:
Yes the server_url is the same as the rest_listen_uri of my Graylog. I was not doing the tags correctly so I fixed that, but I am still getting the same messages. Do I need to refresh somewhere?
I am also getting the following warning:
Thanks so much for your help
The second error you show might be because your Elasticsearch is not reachable - just as an idea.
Does Elasticsearch need to be installed on all the machines I wish to monitor, or does Winlogbeat handle this and then communicate with the Elasticsearch I have installed on the Graylog machine?
Here is my Elasticsearch yml:
It looks like a lot of settings mentioned in the Graylog documentation are not even here to be configured.
Did you read http://docs.graylog.org/en/2.4/pages/getting_started.html ? Just to be sure that you got a complete picture.
Elasticsearch holds all data, so it should be running only on the nodes where you want to have your data stored. Winlogbeat is software that runs on Windows, reads the Windows event log and pushes it via the Beats protocol (in this setup) to a Beats input on Graylog. Graylog then processes the messages and saves them to Elasticsearch.
So we should just check your Graylog components and setup first before fixing anything else.
- How did you install Graylog and all components?
- Did you have them running on the same server?
- Do all three run (MongoDB, Elasticsearch, Graylog) without issues?