I don't know if I did something wrong during the installation. Here is the procedure I followed; can you check whether I did everything right?
Install a VM with RHEL 8.3
yum update
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum -y install wget pwgen yum-utils dpkg java-1.8.0-openjdk-headless
nano /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
yum install -y mongodb-org
systemctl daemon-reload
systemctl enable mongod
systemctl start mongod
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
nano /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install -y elasticsearch
nano /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
systemctl daemon-reload
systemctl enable elasticsearch
systemctl restart elasticsearch
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm
yum install -y graylog-server
pwgen -N 1 -s 96
echo -n yourpassword | sha256sum
nano /etc/graylog/server/server.conf
password_secret = firstkeygenerated (pwgen -N 1 -s 96)
root_password_sha2 = secondkeygenerated (echo -n yourpassword | sha256sum)
root_email = mymail
root_timezone = Europe/Rome
http_bind_address = 172.19.1.125:9000
is_master = true
elasticsearch_shards = 1
elasticsearch_replicas = 0
systemctl daemon-reload
systemctl enable graylog-server
systemctl start graylog-server
firewall-cmd --add-port=9000/tcp --permanent
firewall-cmd --add-port=1514/udp --permanent
firewall-cmd --reload
To install the sidecar I followed these steps:
wget https://github.com/Graylog2/collector-sidecar/releases/download/1.1.0/graylog-sidecar-1.1.0-1.x86_64.rpm
rpm -i graylog-sidecar...rpm
graylog-sidecar -service install
systemctl enable graylog-sidecar
systemctl start graylog-sidecar
web interface: System-->Sidecars-->"Create or reuse a token for the graylog-sidecar use"
Token name: Windows-->Create token
nano /etc/graylog/sidecar/sidecar.yml
server_url: "http://172.19.1.125:9000/api/"
server_api_token: "createdtoken"
tls_skip_verify: true
systemctl start graylog-sidecar
firewall-cmd --add-port=5044/udp --permanent
firewall-cmd --reload
web interface: System-->Input-->Beats-->Launch new input-->Title: Sidecar-->Save
web interface: System-->Sidecars-->Configuration-->Edit winlogbeat-->Default Template-->hosts: ["172.19.1.125:5044"]
web interface: System-->Sidecars-->Create Configuration
Name: windows_sidecar
Change color
Collector: winlogbeat on Windows
Create
Install the agent on the Windows PC:
1.1.0-1.exe /S -SERVERURL=http://172.19.1.125:9000/api -APITOKEN=createdtoken
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
"C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
web interface: System-->Sidecars-->Administration
Select winlogbeat for each Windows PC
Configure-->windows_sidecar-->Confirm
Process-->Start-->Confirm
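As an added example (not part of the original post and not Graylog's own tooling), a small POSIX shell check for the server.conf and sidecar.yml values set in the procedure above: it flags a root_password_sha2 that is not a bare 64-hex digest (the raw sha256sum output carries a trailing "  -" that is easy to paste along), a short password_secret, an http_bind_address on all interfaces, a plain-http sidecar server_url (the API token then travels in cleartext) and tls_skip_verify: true. The helper names and the sample file contents are constructed.

```shell
#!/bin/sh
# Sanity checks for the Graylog server.conf and sidecar.yml values set in the
# procedure. Added example: helper names and sample file contents are constructed.

# Build root_password_sha2 the right way: no trailing newline, digest only.
# Pasting raw sha256sum output ("<hex>  -") into server.conf is a common slip.
hash_root_password() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }
# Stand-in for "pwgen -N 1 -s 96" when pwgen is absent: 72 random bytes -> 96 base64 chars.
gen_secret() { head -c 72 /dev/urandom | base64 | tr -d '\n'; }
# root_password_sha2 must be exactly 64 lowercase hex characters.
check_root_hash() { printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; }
# Read "key = value" from server.conf (first match, trailing whitespace trimmed).
conf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'; }

# Audit server.conf: findings go to stderr, the finding count to stdout.
audit_server_conf() {
    n=0
    check_root_hash "$(conf_get "$1" root_password_sha2)" || { echo "root_password_sha2 is not a bare 64-hex digest" >&2; n=$((n+1)); }
    s=$(conf_get "$1" password_secret)
    [ "${#s}" -ge 64 ] || { echo "password_secret is shorter than 64 characters" >&2; n=$((n+1)); }
    case "$(conf_get "$1" http_bind_address)" in
        0.0.0.0:*) echo "http_bind_address exposes the web/API port on all interfaces" >&2; n=$((n+1)) ;;
    esac
    echo "$n"
}

# Audit sidecar.yml: a plain-http server_url sends the API token in cleartext, and
# tls_skip_verify: true disables certificate validation once https is in use.
audit_sidecar_yml() {
    n=0
    grep -Eq '^[[:space:]]*server_url:[[:space:]]*"?http://' "$1" && { echo "server_url uses http://, the API token travels in cleartext" >&2; n=$((n+1)); }
    grep -Eq '^[[:space:]]*tls_skip_verify:[[:space:]]*true' "$1" && { echo "tls_skip_verify: true disables certificate validation" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed samples: a server.conf with typical slips, a corrected one, and the posted sidecar.yml values.
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<EOF
password_secret = short
root_password_sha2 = $(hash_root_password yourpassword)  -
http_bind_address = 0.0.0.0:9000
EOF
cat > "$tmp/server-fixed.conf" <<EOF
password_secret = $(gen_secret)
root_password_sha2 = $(hash_root_password yourpassword)
http_bind_address = 172.19.1.125:9000
EOF
printf 'server_url: "http://172.19.1.125:9000/api/"\ntls_skip_verify: true\n' > "$tmp/sidecar.yml"
echo "server.conf: $(audit_server_conf "$tmp/server.conf") finding(s), fixed: $(audit_server_conf "$tmp/server-fixed.conf"), sidecar.yml: $(audit_sidecar_yml "$tmp/sidecar.yml")"
```

Run it against the real /etc/graylog/server/server.conf and /etc/graylog/sidecar/sidecar.yml by passing those paths to the two audit functions instead of the sample files.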