1. Describe your incident:
I am setting up a sidecar to get logs from a Windows machine to Graylog using Filebeat. This is the first time I have done this, but other people at my workplace have set up similar sidecars successfully, and I mirrored a lot of their work.
There is a beats input that is successfully inputting messages from other sidecars.
Most of it is going fine. The sidecar generated the Filebeat config files, and when I click into the sidecar I see the folder with the log I’m interested in, and it highlights the log as it updates.
Unfortunately, it’s not getting the messages from the log, nor is anything reporting errors.
The configuration looks nearly identical to the functioning sidecars we have on other machines, so I’m not sure where the error is.
2. Describe your environment:
- OS Information:
  - The sidecar is running on Windows Server 2022 Datacenter
- Package Version:
  - Graylog 6.1.7
  - Sidecar 1.5.0
- Service logs, configurations, and environment variables:
sidecar.yml:
server_url: "server.url"
server_api_token: "nope"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: false
send_status: true
list_log_files:
- "C:\\JBoss\\jboss-eap-7.4\\standalone\\log"
tags:
- jboss_access
collector_binaries_accesslist:
- "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
Collector Configuration:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["${user.graylog_host}:5044"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
  - windows
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:\JBoss\jboss-eap-7.4\standalone\log\access_log.log
Sidecar logs:
time="2025-02-28T10:29:05-06:00" level=info msg="Starting signal distributor"
time="2025-02-28T10:29:05-06:00" level=info msg="Adding process runner for: filebeat-67bf8069dc4a8e53617956cd"
time="2025-02-28T10:29:05-06:00" level=info msg="[filebeat-67bf8069dc4a8e53617956cd] Configuration change detected, rewriting configuration file."
time="2025-02-28T10:29:06-06:00" level=info msg="[filebeat-67bf8069dc4a8e53617956cd] Starting (svc driver)"
3. What steps have you already taken to try and solve the problem?
I have:
- Checked so many times that the log file is located at the right spot (C:\JBoss\jboss-eap-7.4\standalone\log\access_log.log)
- Made sure that the user running the Graylog sidecar service had full privileges on the log folder
- Validated that the other sidecars using the beats input are creating messages
4. How can the community help?
If anyone could find anything wrong with my configuration or alert me to any gotchas that might apply, I would really appreciate it. A coworker and I have been scratching our heads about this for a solid day now.