I am currently setting up my first installation of Graylog. I set up Graylog-collector-sidecar on a Windows machine, as most of the machines I will need to monitor are Windows machines. I installed and started the service, and when I click the executable on the Windows machine I get the following:
I tried listening on port 5044 and on port 9000. I believe I configured the tags correctly. I put WSUS in the tags in the yml file, and in the web browser portion of Graylog I updated the tags for the configuration with both “windows” and “wsus”, but I also get a similar message in the web browser when I look at the collectors.
I am getting “Status: No configuration found for configured tags!” under the sidecar info, and under Backends I am getting “Winlogbeat: unable to start collector after 3 tries, giving up!”
So it looks like the machines are communicating but something is wrong with the tags.
I am running graylog version 2.4.6 and sidecar version 0.1.6.
Any help is greatly appreciated. I am happy to supply any additional information for troubleshooting.
So, is the server_url in the sidecar configuration the rest_listen_uri of your Graylog (what you use to connect to Graylog with your browser, with /api attached to it)?
Yes the server_url is the same as the rest_listen_uri of my Graylog. I was not doing the tags correctly so I fixed that, but I am still getting the same messages. Do I need to refresh somewhere?
Does Elasticsearch need to be installed on all the machines I wish to monitor, or does Winlogbeat handle this and then communicate with the Elasticsearch I have installed on the Graylog machine?
Elasticsearch holds all the data, so it should run only on the nodes where you want your data stored. Winlogbeat is software that runs on Windows, reads the Windows event log and pushes it via the Beats protocol (in this setup) to a Beats input on Graylog. Graylog then processes the messages and saves them to Elasticsearch.
So we should first check your Graylog components and setup before fixing anything else.
How did you install Graylog and all components?
Did you have them running on the same server?
Do all three run (MongoDB, Elasticsearch, Graylog) without issues?
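An added example, not code from this thread or from the Graylog project: a PowerShell script run on the Windows host that checks the path described above, the sidecar reaching the Graylog REST API at its server_url and Winlogbeat reaching the Beats input, and prints the tags the sidecar actually loaded. The install directory, the sidecar log file name, the Windows service name, the port 5044 for the Beats input, and a block-style `tags:` list in collector_sidecar.yml are all assumptions; adjust them to your installation.

```powershell
# Added example, not from the thread or from Graylog. Assumed values: install
# directory, log file name, service name, Beats input port, and that the Beats
# input listens on the same host as the REST API.
$SidecarDir     = 'C:\Program Files\graylog\collector-sidecar'
$SidecarConfig  = Join-Path $SidecarDir 'collector_sidecar.yml'
$SidecarLog     = Join-Path $SidecarDir 'logs\collector_sidecar.log'   # assumed file name
$GeneratedBeat  = Join-Path $SidecarDir 'generated\winlogbeat.yml'     # assumed path
$SidecarService = 'collector-sidecar'                                   # assumed service name
$BeatsPort      = 5044                                                  # assumed Beats input port

function Get-SidecarSettings {
    # Read server_url and the tags block out of the YAML with regexes; these two
    # flat keys do not need a YAML parser. Assumes a block-style list:
    #   tags:
    #     - windows
    #     - wsus
    param([string]$Path)
    $yaml = Get-Content -Path $Path -Raw
    $url  = [regex]::Match($yaml, '(?m)^server_url:\s*(\S+)').Groups[1].Value
    $tagBlock = [regex]::Match($yaml, '(?m)^tags:[ \t]*\r?\n((?:[ \t]+-[^\r\n]*\r?\n?)+)').Groups[1].Value
    $tags = @($tagBlock -split '\r?\n' | ForEach-Object {
        if ($_.Trim() -match '^-\s*(.+)$') { $Matches[1].Trim() }
    })
    [pscustomobject]@{ ServerUrl = $url; Tags = $tags }
}

function Test-SidecarPath {
    param([string]$ServerUrl, [int]$Port)
    $uri = [uri]$ServerUrl
    # 1. The Graylog 2.x REST API root answers without credentials and reports
    #    the server version. If this fails, server_url is wrong or the API is
    #    not reachable from this host (firewall, wrong rest_listen_uri binding).
    $api = $null
    try { $api = Invoke-RestMethod -Uri $ServerUrl -Method Get -TimeoutSec 10 } catch { }
    # 2. Winlogbeat needs the Beats input port open, separately from the API
    #    port; a reachable API says nothing about port 5044.
    $beats = Test-NetConnection -ComputerName $uri.Host -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        ServerUrl      = $ServerUrl
        ApiReachable   = [bool]$api
        GraylogVersion = if ($api) { $api.version } else { $null }
        BeatsPortOpen  = $beats.TcpTestSucceeded
    }
}

$settings = Get-SidecarSettings -Path $SidecarConfig
"server_url : $($settings.ServerUrl)"
"tags       : $($settings.Tags -join ', ')"   # must match the tags set on the configuration in the web UI
Test-SidecarPath -ServerUrl $settings.ServerUrl -Port $BeatsPort | Format-List

# With no configuration matching the tags there is nothing to render into
# generated\winlogbeat.yml, so a missing file here fits the
# "No configuration found for configured tags!" status.
"sidecar service : $((Get-Service -Name $SidecarService -ErrorAction SilentlyContinue).Status)"
"generated cfg   : $(Test-Path $GeneratedBeat)"
if (Test-Path $SidecarLog) { Get-Content -Path $SidecarLog -Tail 20 }
```

Run it in an elevated PowerShell on the monitored host after editing the assumed values. The tags line is the one to compare against the configuration's tags in the Graylog web interface, and the last twenty log lines usually state why Winlogbeat failed to start when the generated config does exist.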