IIS logs are not forwarding from Azure Windows VM to Graylog server

Hello, I am trying to forward IIS logs from an Azure Windows VM to Graylog, but it is not working as expected.

Azure Linux VM (Debian):

I installed Graylog as containers in the Azure Linux VM. All containers are working as expected and I am able to access the Graylog UI without any issues.

  1. I added a Beats input in the UI, running on port 5044.
  2. I installed the sidecar in the Azure Windows VM and configured it. The sidecar service is running without any issues.
  3. Now I’ve assigned the created input to the sidecar in the Graylog UI, and I have noticed that the sidecar status changed to the running state. At the same time, I have noticed that the service with winlogbeats is running in the Azure Windows VM, which means the Graylog sidecar and Graylog winlogbeats services are running in the Windows VM, but I am not able to see any logs flowing from the Windows Azure VM to Graylog.

I noticed the following error in the winlogbeat log file. I am confused about whether the Graylog server is rejecting the connection or the Azure VM is failing to send. Note that the Graylog URL is accessible from this Azure Windows VM on port 9000.

The Graylog VM and the Windows VM are both in the same VNET.

{"log.level":"error","@timestamp":"2025-07-17T14:03:34.099+0200","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":148},"message":"Failed to connect to backoff(async(tcp://we-graylog.co.nm:5044)): dial tcp 10.33.6.11:5044: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}

Here are the Beats input configuration details:

Global inputs 1 configured
IIS logs from windows server Beats (6878e5b4d0ffecfa8b4e2844)
1 SETUP
bind_address: 0.0.0.0
charset_name: UTF-8
no_beats_prefix: true
number_worker_threads: 4
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********

Please help me to resolve this issue.

Hey @I_am_winner

Have you tried testing with tcpdump between your shipper and Graylog?
The only things I can think of are:

  • Not listening on 0.0.0.0:5044 (or the IP 10.33.6.11)
  • The input is stopped or misconfigured
  • A local or network firewall is blocking the port

How can I check whether the input is running or stopped? I didn’t get any status for the input, but I can see the sidecar status as running in the Graylog UI.

BTW, does the tcpdump need to be executed on the Graylog server or the Windows server?
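Added example, not part of the original thread: a small Python probe that pulls the dial target out of the winlogbeat error above and classifies a TCP connect attempt, so that "refused" (a reset came back) can be told apart from "timeout" (packets dropped) and from a DNS failure. The function names `dial_target` and `probe` and the trimmed `SAMPLE` line are assumptions made for this illustration.

```python
import json
import re
import socket

# Constructed sample: the winlogbeat error from the thread, trimmed to two fields.
SAMPLE = ('{"log.level":"error","message":"Failed to connect to '
          'backoff(async(tcp://we-graylog.co.nm:5044)): dial tcp 10.33.6.11:5044: '
          'connectex: No connection could be made because the target machine '
          'actively refused it."}')


def dial_target(log_line):
    """Return (ip, port) from a Beats 'dial tcp <ip>:<port>' error, or None."""
    message = json.loads(log_line).get("message", "")
    match = re.search(r"dial tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+)", message)
    return (match.group(1), int(match.group(2))) if match else None


def probe(host, port, timeout=3.0):
    """Classify a single TCP connect attempt as seen from the shipper."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # a listener accepted the handshake
    except ConnectionRefusedError:
        # A reset came back: the host is reachable, but nothing is listening
        # on that address/port, or a firewall rejects instead of dropping.
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"       # no answer at all: packets dropped on the path
    except socket.gaierror:
        return "dns-failure"   # the name did not resolve
    except OSError as exc:
        return "error: %s" % exc   # e.g. no route to host


if __name__ == "__main__":
    ip, port = dial_target(SAMPLE)
    print("winlogbeat dialled %s:%d ->" % (ip, port), probe(ip, port))
```

Running `probe` from the Windows VM shows what the shipper sees; running it on the Graylog host against `127.0.0.1` and port 5044 shows whether anything is listening there at all.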
