Graylog Sidecar

Hi Guys
I finally installed Graylog on my Centos my concern is after installing sidecar on my windows10
still not getting any message or event. Can you help me what are the things I need to check?

fyi I did follow this youtube instruction 22. Graylog 3.0 Sidecar Windows Configuration by Bits Byte Hard


The default sidecar install doesn’t know where your Graylog server is. Did you modify the sidecar.yml on Win10 to point to your Graylog server? Post code (using format tools and removing personal stuff) so we can see what you did. Also, there is a logs folder (C:\Program Files\Graylog\sidecar\logs) that has info about what happened … or didn’t.

# The URL to the Graylog server API.
# Default: ""
server_url: ""  

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "1c2bb33od8ovle7u50or5579en15dn4o9o8c4dqopcac2b0pd275"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
# ATTENTION: Every sidecar instance needs a unique ID!
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""

# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: true

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see
# Example:
#     collector_binaries_whitelist:
#       - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#       - "C:\\Program Files\\Filebeat\\filebeat.exe"
# Example disable whitelisting:
#     collector_binaries_whitelist: []
# Default:
# collector_binaries_whitelist:
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
#  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"

please see my sidecar config :slight_smile:
then see also my logs in win10

time=“2020-05-06T18:43:15+08:00” level=info msg=“Starting signal distributor”
time=“2020-05-06T18:43:25+08:00” level=info msg=“No configurations assigned to this instance. Skipping configuration request.”
time=“2020-05-06T18:45:45+08:00” level=info msg=“Adding process runner for: winlogbeat”
time=“2020-05-06T18:45:45+08:00” level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file."
time=“2020-05-06T18:45:46+08:00” level=info msg="[winlogbeat] Starting (svc driver)"
time=“2020-05-06T18:45:56+08:00” level=info msg=“Collector [winlogbeat] is already running, skipping start action.”
time=“2020-05-06T19:37:44+08:00” level=error msg="[UpdateRegistration] Failed to report collector status to server: Put dial tcp connectex: No connection could be made because the target machine actively refused it."
time=“2020-05-06T19:37:56+08:00” level=error msg="[UpdateRegistration] Failed to report collector status to server: Put dial tcp connectex: No connection could be made because the target machine actively refused it."
time=“2020-05-06T19:38:08+08:00” level=error msg="[UpdateRegistration] Failed to report collector status to server: Put dial tcp connectex: No connection could be made because the target machine actively refused it."
time=“2020-05-06T23:17:42+08:00” level=info msg="[winlogbeat] Got remote restart command"
time=“2020-05-06T23:17:42+08:00” level=info msg="[winlogbeat] Stopping"
time=“2020-05-06T23:17:43+08:00” level=info msg="[winlogbeat] Starting (svc driver)"
time=“2020-05-06T23:18:02+08:00” level=info msg=“Collector [winlogbeat] is already running, skipping start action.”

No connection could be made because the target machine actively refused it
… anything that would block connections? IPTables?

Also the default sidecar.yml never seems to work… here is my working sidecar.yml (genericised) from my win10 test machine.

server_url: http://G-LOG:9000/api/
server_api_token: "gibberish" 
update_interval: 10
tls_skip_verify: true
send_status: true
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml
1 Like

I’ll try to use your yml then i’ll edit it with the infor for my server …
But the i guess i should address first the connection issue from the client to the graylog server.
Question should i open the port 5044 in the graylog server ?

Thanks for the reply :+1:

If you have any FW running, you will need to open up any ports you are using for inputs. :slight_smile:

1 Like


its already working now. I just open the ports in my graylog server. I thought it was open
in the first place. and also on all the tutorials that I watch they didnt even open the ports , It has to do manually

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.