I can't see winlogbeat logs

I’ve launched a new Beats input:

bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password:********

I’ve installed/enabled/started graylog-sidecar-1.1.0-1.x86_64.rpm on RHEL 8.3
I’ve created a new token
I’ve edited sidecar.yml:

server_url: "http://ipgraylog:9000/api/"
server_api_token: "tokencreated"
tls_skip_verify: true

I’ve opened UDP port 5044: firewall-cmd --add-port=5044/udp --permanent
I’ve created a new sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["ipgraylog:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

I’ve installed graylog_sidecar_installer_1.1.0-1.exe on my Windows 10 PC with these commands:
"\share\Sidecar_1.1.0-1.exe" /S -SERVERURL=http://ipgraylog:9000/api -APITOKEN=tokencreated
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

I’ve selected winlogbeat of my W10 PC on Sidecars/Administration, linked it with the collector created previously and started it.
But in Sidecars/Overview, if I click on "Show messages" for my W10 PC, it's empty.

What am I doing wrong?

Thank you

If you use the forum tools like </> for formatting your code, your posts will be much easier to read. The sidecar configuration is particular about spacing, so that will help people reviewing your post to see possible errors. There are logs on the sidecar client Windows machine; you can start there and see if it is trying to connect but can’t: C:\Program Files\Graylog\sidecar\logs

Sorry for formatting code wrong.
I tried to install the sidecar on another W10 PC; this is the log:

time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor" 
time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request." 
time="2021-06-11T16:15:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T16:15:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:15:59+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-11T16:16:09+02:00" level=info msg="Collector [winlogbeat] is already running, skipping start action." 

Other configuration with correct formatting:
Input Beats:

bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

/etc/graylog/sidecar/sidecar.yml

server_url: "http://172.19.1.125:9000/api/"
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo"
tls_skip_verify: true

Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["172.19.1.125:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security
     event_id: -4662

Also on the second test PC I don't see any recorded logs.

I have only now seen that the configuration is entered as text. This is the Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["172.19.1.125:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

On the win10 machine your initial C:\Program Files\Graylog\sidecar\sidecar.yml needs to point back to the Graylog server. For instance, this is what mine looks like:

server_url: http://GraylogServer:9000/api/
server_api_token: "<<SuperSecretCode>>>" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml

If you change it, restart the Windows service. That should have the Win10 machine show up in Graylog for you to apply your configuration to it. When all that is happening, the Win10 machine should update its logs saying it changed the configuration.

This is my sidecar configuration on W10

server_url: "http://172.19.1.125:9000/api"
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: false
send_status: true

On Graylog I already see the W10 computer.

But if I click on "Show messages", I don’t see any log.

It is my guess that you need to (at least) add in the winlogbeat backends section to your configuration so the client can tell the server that it is using beats (rather than nxlog or something else…) - match what mine has listed… you don’t need the auditbeats or filebeat sections unless you plan to use them in the future… you can set them to enabled:false until such time.

There are a few other lines you ought to add such as telling it where to put log files etc. You could even copy mine and just put in your unique server_url and server_api_token
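The two replies above list what a working sidecar.yml needs (a server_url ending in /api, the API token, and a backends section so the sidecar can tell Graylog which collector it runs). The following script is an added example, not code from the thread or from the Graylog project: a small lint over the flat top-level keys of a sidecar.yml that reports the gaps discussed here, plus the security caveat a reviewer would raise, namely that server_api_token travels in every request, so an http:// server_url sends it in cleartext and tls_skip_verify: true on an https:// URL removes certificate checking. The two sample configs are constructed (placeholder token, example hostname) and the line parser is a stand-in for a YAML library so the script runs with the standard library only.

```python
"""Added example (not from the thread): a minimal lint for a Graylog
sidecar.yml covering the mistakes discussed above. Standard library only;
the tiny line parser below stands in for a YAML library."""
from urllib.parse import urlparse

# Constructed sample shaped like the W10 config posted above (placeholder token).
SAMPLE_MISSING_BACKENDS = """\
server_url: "http://172.19.1.125:9000/api"
server_api_token: "<<placeholder-token>>"
node_id: "file:C:\\\\Program Files\\\\Graylog\\\\sidecar\\\\node-id"
node_name: ""
update_interval: 10
tls_skip_verify: false
send_status: true
"""

# Constructed sample with a backends section (hostname is an assumption).
SAMPLE_WITH_BACKENDS = """\
server_url: https://graylog.example.internal:9000/api/
server_api_token: "<<placeholder-token>>"
update_interval: 10
tls_skip_verify: true
send_status: true
tags: [windows]
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe
"""


def parse_sidecar_yml(text):
    """Return (top_level: dict, backends: list of dicts).

    Handles the flat "key: value" layout plus the "backends:" list of
    mappings that sidecar.yml uses; it is not a general YAML parser.
    Splitting on the first ':' keeps Windows paths and URLs intact."""
    top, backends, in_backends = {}, [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            in_backends = stripped == "backends:"
            if in_backends:
                continue
            key, _, value = stripped.partition(":")
            top[key.strip()] = value.strip().strip('"').strip("'")
        elif in_backends:
            if stripped.startswith("- "):
                backends.append({})          # a new list item starts a new backend
                stripped = stripped[2:]
            key, _, value = stripped.partition(":")
            backends[-1][key.strip()] = value.strip().strip('"').strip("'")
    return top, backends


def lint_sidecar(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    top, backends = parse_sidecar_yml(text)
    findings = []
    url = top.get("server_url", "")
    parsed = urlparse(url)
    if not url:
        findings.append("server_url missing")
    elif not parsed.path.rstrip("/").endswith("/api"):
        findings.append("server_url should end with /api (the Graylog REST endpoint)")
    if not top.get("server_api_token"):
        findings.append("server_api_token missing")
    elif parsed.scheme == "http":
        findings.append("server_api_token sent over plain http: use https to the Graylog API")
    if parsed.scheme == "https" and top.get("tls_skip_verify", "false").lower() == "true":
        findings.append("tls_skip_verify: true disables certificate checking on an https URL")
    enabled = [b.get("name") for b in backends if b.get("enabled", "").lower() == "true"]
    if not backends:
        findings.append("no backends section: the sidecar cannot tell Graylog which collectors it runs")
    elif "winlogbeat" not in enabled:
        findings.append("winlogbeat backend not enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing backends", SAMPLE_MISSING_BACKENDS),
                      ("with backends", SAMPLE_WITH_BACKENDS)):
        print(name, "->", lint_sidecar(cfg) or "ok")
```

Run it against a real sidecar.yml by reading the file into `lint_sidecar`; the first sample reproduces the situation in this thread (token over http, no backends), the second is structurally complete and only draws the tls_skip_verify warning.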

I copied and edited your configuration.

server_url: http://172.19.1.125:9000/api/
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml

I restart the service:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service stop
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

I tried to restart the sidecar,
but the log is empty.

Are there any files C:\Program Files\Graylog\sidecar\logs? That is where the client will put information about what it is doing.

Yes, there are winlogbeat and winlogbeat.1.
This is the first part of winlogbeat:

2021-06-15T09:55:19.638+0200	INFO	instance/beat.go:660	Home path: [C:\Program Files\Graylog\sidecar] Config path: [C:\Program Files\Graylog\sidecar] Data path: [C:\Program Files\Graylog\sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\Graylog\sidecar\logs]
2021-06-15T09:55:19.643+0200	INFO	instance/beat.go:668	Beat ID: 52a46660-9a8e-4239-851b-89030593cd38
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:996	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Graylog\\sidecar", "data": "C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat\\data", "home": "C:\\Program Files\\Graylog\\sidecar", "logs": "C:\\Program Files\\Graylog\\sidecar\\logs"}, "type": "winlogbeat", "uuid": "52a46660-9a8e-4239-851b-89030593cd38"}}}
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:1005	Build info	{"system_info": {"build": {"commit": "9b2fecb327a29fe8d0477074d8a2e42a3fabbc4b", "libbeat": "7.11.1", "time": "2021-02-15T13:07:49.000Z", "version": "7.11.1"}}}
2021-06-15T09:55:19.645+0200	INFO	[beat]	instance/beat.go:1008	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":8,"version":"go1.14.14"}}}
2021-06-15T09:55:19.758+0200	INFO	[beat]	instance/beat.go:1012	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-06-10T22:31:29.06+02:00","name":"NOMEPC","ip":["fe80::8525:4020:f8f3:558/64","172.19.5.71/21","fe80::c566:3699:5157:f351/64","169.254.243.81/16","fe80::46f:a03f:f677:856e/64","172.24.16.1/20","172.19.4.97/21","fe80::ccd2:d277:fd0f:9947/64","169.254.153.71/16","fe80::6b:abe9:d1ea:7b7d/64","169.254.123.125/16","::1/128","127.0.0.1/8","fe80::f902:62d8:e744:6214/64","172.22.48.1/20","fe80::cd2f:cda3:5c38:b428/64","172.25.240.1/20"],"kernel_version":"10.0.19041.906 (WinBuild.160101.0800)","os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19042.906"},"timezone":"CEST","timezone_offset_sec":7200,"id":"9f804622-dfa9-4ad4-b3c8-b988c1517bb0"}}}

Today I also saw winlogbeat.2 and .3, and I saw this error in sidecar.log:

time="2021-06-16T08:31:38+02:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put \"http://172.19.1.125:9000/api/sidecars/7887d881-62d7-468e-ac26-874eb7d2e41b\": dial tcp 172.19.1.125:9000: i/o timeout" 
time="2021-06-16T08:31:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-16T08:31:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-16T08:32:01+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 

Sidecar can’t connect to the server (timeout). Is the IP correct? Double check the configuration details. Do you have any firewalls or the like in the way? Can you ping 172.19.1.125 from the Win10 machine?

This is what you should see in your sidecar.log:

time="2021-06-11T10:14:33-04:00" level=info msg="Starting signal distributor" 
time="2021-06-11T10:14:43-04:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T10:14:43-04:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T10:14:44-04:00" level=info msg="[winlogbeat] Starting (svc driver)"

It’s correct; the "Failed to report" error is there only when I’m disconnected from the network.
I tried with the other Windows 10 machine that is always on the network (a VM).
I edited the sidecar.yml:

server_url: http://172.19.1.125:9000/api/
server_api_token: "1cgb1j8j0jekoresst92nnsu0rkgfiujslm99a6c7rgejqdfrqvo" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml

I restarted the service graylog-sidecar:

"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service stop
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start

This is the log:

time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor" 
time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request." 
time="2021-06-11T16:15:58+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-11T16:15:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:15:59+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-11T16:16:09+02:00" level=info msg="Collector [winlogbeat] is already running, skipping start action." 
time="2021-06-11T16:30:21+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-11T16:30:22+02:00" level=info msg="[winlogbeat] Stopping" 
time="2021-06-11T16:30:22+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 
time="2021-06-17T08:50:59+02:00" level=info msg="Stopping signal distributor" 
time="2021-06-17T08:50:59+02:00" level=info msg="[winlogbeat] Stopping" 
time="2021-06-17T08:51:02+02:00" level=info msg="Starting signal distributor" 
time="2021-06-17T08:51:13+02:00" level=info msg="Adding process runner for: winlogbeat" 
time="2021-06-17T08:51:13+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2021-06-17T08:51:15+02:00" level=info msg="[winlogbeat] Starting (svc driver)" 

I have the winlogbeat files in "C:\Program Files\Graylog\sidecar\logs", but on Graylog the log is empty.

I checked the latest log on the Graylog server (/var/log/graylog-server/server.log) because the graylog-sidecar log is empty (there are only 2 old records):

2021-06-17T09:00:16.564+02:00 WARN  [RestClient] request [GET http://127.0.0.1:9200/graylog_0/_mapping] returned 1 warnings: [299 Elasticsearch-7.13.1-9a7758028e4ea59bcab41c12004603c5a7dd84a9 "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.13/security-minimal-setup.html to enable security."]

If you are disconnected from the network, you aren’t going to get logs… :crazy_face:

In the next log instance you are showing… where you are connected … you are getting this:

... "No configurations assigned to this instance. Skipping configuration request." ...

Which means you have not assigned a configuration to that win10 machine under Sidecars Administration. It is there you have to manually tell Graylog to apply a configuration to the client - it is then sent to the client and it starts reporting per what the configuration says.

Under Sidecars/Collectors/Administration, find the Win10 machine. Click the check mark to the left of Winlogbeat (or whichever you want to assign a configuration to) then on the right side pull down the Configure Menu and assign the configuration.
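The reply above reads the sidecar.log lines quoted in this thread as a sequence of states: an i/o timeout means the API is unreachable, "No configurations assigned" means nothing was assigned under Sidecars Administration, and "Configuration change detected" followed by "[winlogbeat] Starting" means the collector is up. The script below is an added example, not code from the thread or from Graylog: it parses lines in the sidecar.log format, tracks those states in order, and returns the next thing to check. The two sample logs are constructed to mirror the excerpts above (the sidecar id is a placeholder); the "healthy but no messages" branch points at the Beats input, since the Beats protocol runs over TCP and winlogbeat's own log is where output errors appear.

```python
"""Added example (not part of the thread): triage of Graylog sidecar.log
lines into a state summary and a next step. Standard library only."""
import re

# sidecar.log lines look like: time="..." level=info msg="..."
# The msg group accepts backslash-escaped quotes, as in the timeout line.
LOG_RE = re.compile(
    r'time="(?P<time>[^"]+)"\s+level=(?P<level>\w+)\s+msg="(?P<msg>(?:[^"\\]|\\.)*)"'
)

# Constructed sample in the same format as the healthy excerpt above.
SAMPLE_LOG = '''\
time="2021-06-11T16:14:48+02:00" level=info msg="Starting signal distributor"
time="2021-06-11T16:14:58+02:00" level=info msg="No configurations assigned to this instance. Skipping configuration request."
time="2021-06-11T16:15:58+02:00" level=info msg="Adding process runner for: winlogbeat"
time="2021-06-11T16:15:58+02:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file."
time="2021-06-11T16:15:59+02:00" level=info msg="[winlogbeat] Starting (svc driver)"
'''

# Constructed sample of the timeout error (sidecar id replaced by a placeholder).
SAMPLE_LOG_TIMEOUT = '''\
time="2021-06-16T08:31:38+02:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put \\"http://172.19.1.125:9000/api/sidecars/<sidecar-id>\\": dial tcp 172.19.1.125:9000: i/o timeout"
'''


def parse_line(line):
    """Return {"time", "level", "msg"} for one sidecar.log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].replace('\\"', '"')   # undo the escaping inside msg
    return rec


def next_step(state):
    """Turn the tracked state into the check a practitioner would do next."""
    if not state["server_reachable"]:
        return ("sidecar cannot reach the Graylog API: check server_url, routing and "
                "firewalls between the host and tcp/9000")
    if state["configuration_assigned"] is False:
        return "assign a configuration to this sidecar under Sidecars > Administration"
    if not state["collector_running"]:
        return ("collector is not running: check the backends section and the collector's "
                "own log in the sidecar logs directory")
    return ("sidecar and collector look healthy; if Graylog still shows no messages, confirm "
            "the host can reach the Beats input on tcp/5044 (the Beats protocol uses TCP, so "
            "a firewall rule for 5044/udp does not cover it) and read the winlogbeat log for "
            "output errors")


def triage(log_text):
    """Process lines in order; later lines override earlier state."""
    state = {"server_reachable": True, "configuration_assigned": None,
             "collector_running": False, "last_time": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        state["last_time"] = rec["time"]
        if "i/o timeout" in msg or "Failed to report collector status" in msg:
            state["server_reachable"] = False
        elif "No configurations assigned" in msg:
            state["configuration_assigned"] = False
        elif "Configuration change detected" in msg:
            # Receiving a configuration requires a successful API round-trip.
            state["server_reachable"] = True
            state["configuration_assigned"] = True
        elif "] Starting" in msg:        # "[winlogbeat] Starting (svc driver)"
            state["collector_running"] = True
        elif "] Stopping" in msg:        # "[winlogbeat] Stopping"
            state["collector_running"] = False
    state["next_step"] = next_step(state)
    return state


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_LOG), ("timeout", SAMPLE_LOG_TIMEOUT)):
        print(name, "->", triage(text)["next_step"])
```

Feed it the real file with `triage(open(path, encoding="utf-8").read())`; the order-sensitive handling matters because, as in the excerpt above, "No configurations assigned" is often followed a minute later by the configuration arriving, and only the final state should drive the next step.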

Everything is already like this.

And the collector is running.