Missing log titles in Graylog from Debian VM with Graylog Sidecar

Hi everyone,

I’m currently setting up Graylog on a Debian VM, where I’ve installed the Graylog Sidecar along with Auditbeat and Filebeat to collect and forward system logs to the Graylog server. The setup appears to be working since I’m receiving logs, but there’s an issue with the log titles missing in Graylog.

As you can see from the screenshots (attached), the logs show up without proper titles in the message list. I’ve checked that both Filebeat and Auditbeat are running without issues, and Graylog Sidecar seems to be functioning normally.

Has anyone encountered a similar issue? Any guidance on how to resolve the missing log titles in Graylog would be greatly appreciated. Thank you!

P.S.: I’m using Debian 12 for the client with the latest agent, and also running Graylog 6.1.1+9bd27f8 on Debian 12 as the log server.

(Attachments: Screenshot 1, Screenshot 2)

Hello @tuanson84uk

What does the message body look like if you expand one of those messages?

The message field is currently displaying “-”, which is identical to the log title.

Thanks for your help.

{
  "auditd_data_socket_saddr": "100000000000000000000000",
  "user_saved_name": "root",
  "agent_id": "ac600681-6fec-41d6-b825-8b296e38b015",
  "agent_name": "vpn-lan",
  "auditd_data_socket_family": "netlink",
  "auditd_summary_how": "/usr/bin/graylog-sidecar",
  "gl2_remote_ip": "",
  "@metadata_version": "8.9.0",
  "gl2_remote_port": 47052,
  "source": "vpn-lan",
  "gl2_source_input": "671756894a2dff54323e9d70",
  "@metadata_beat": "auditbeat",
  "auditd_data_tty": "(none)",
  "gl2_processing_timestamp": "2024-10-29 09:28:01.283",
  "event_type": [
    "start"
  ],
  "@metadata_type": "_doc",
  "event_module": "auditd",
  "process_name": "graylog-sidecar",
  "gl2_source_node": "ca699252-a6d3-4231-80a3-0a38c4a522b3",
  "gl2_processing_duration_ms": 6558390,
  "user_selinux_user": "unconfined",
  "gl2_accounted_message_size": 1443,
  "gl2_source_collector": "03542320-1a89-4abd-aac0-720e40ef52a1",
  "auditd_data_arch": "x86_64",
  "agent_ephemeral_id": "d0de3c45-43e7-4969-a7d9-f8d89ba55bb3",
  "process_executable": "/usr/bin/graylog-sidecar",
  "streams": [
    "671757054a2dff54323e9fd1"
  ],
  "gl2_message_id": "01JBBKCVTV001W1K0M2R21QFQG",
  "process_pid": 571,
  "tags": [
    "external-access"
  ],
  "agent_type": "auditbeat",
  "event_kind": "event",
  "auditd_result": "success",
  "user_id": "0",
  "user_filesystem_name": "root",
  "_id": "17941532-95d8-11ef-8b4a-0050562a00ad",
  "user_group_name": "root",
  "gl2_receive_timestamp": "2024-10-29 07:38:42.893",
  "user_name": "root",
  "collector_node_id": "vpn-lan",
  "user_saved_id": "0",
  "auditd_summary_object_type": "socket",
  "event_original": [
    "type=SYSCALL msg=audit(1730187521.883:27324): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=c00001ab1c a2=c a3=0 items=0 ppid=1 pid=571 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"graylog-sidecar\" exe=\"/usr/bin/graylog-sidecar\" subj=unconfined key=\"external-access\"",
    "type=SOCKADDR msg=audit(1730187521.883:27324): saddr=100000000000000000000000",
    "type=PROCTITLE msg=audit(1730187521.883:27324): proctitle=\"/usr/bin/graylog-sidecar\""
  ],
  "process_title": "/usr/bin/graylog-sidecar",
  "beats_type": "auditbeat",
  "ecs_version": "8.0.0",
  "process_parent_pid": 1,
  "log_type": "vpn-lan",
  "user_filesystem_group_id": "0",
  "event_outcome": "success",
  "timestamp": "2024-10-29T07:38:41.883Z",
  "event_source_product": "linux_auditbeat",
  "auditd_data_a2": "c",
  "user_filesystem_group_name": "root",
  "user_filesystem_id": "0",
  "auditd_sequence": 27324,
  "auditd_data_a3": "0",
  "auditd_summary_actor_primary": "unset",
  "message": "-",
  "user_saved_group_name": "root",
  "event_category": [
    "network"
  ],
  "auditd_data_exit": "0",
  "agent_version": "8.9.0",
  "event_action": "bound-socket",
  "service_type": "auditd",
  "@timestamp": "2024-10-29T07:38:41.883Z",
  "user_saved_group_id": "0",
  "auditd_summary_actor_secondary": "root",
  "auditd_message_type": "syscall",
  "auditd_data_a0": "3",
  "auditd_data_a1": "c00001ab1c",
  "user_group_id": "0",
  "host_name": "vpn-lan",
  "auditd_data_syscall": "bind"
}

Out of interest, are you using the auditD Open Illuminate pack to parse these messages?

I don’t, it’s not available for Graylog Open, is it?

Thank you.

@tuanson84uk

As of 6.1, the below should be available.

Graylog Open users may access select content packs for use with Illuminate. These packs provide parsing for specific logs based on the GIM schema. The following content packs are available for use with Graylog Open:

Oh, that’s great. I’ve followed the guide to get the Free Enterprise License but am unable to download the Illuminate bundle (I don’t know where to download it), and I can’t find a way to download these plugins either.

Could you please spare some time to guide me on how to obtain them?

Thanks.

@tuanson84uk I just ran through the setup: I upgraded to Graylog 6.1, ensuring the install is graylog-enterprise and not graylog-server.

Once installed, you will find the bundle under Enterprise/Illuminate. I noted that if you have a free 2GB license installed, then the bundle is not available. In this case, remove the license, head to the Illuminate page and it will be available. Once installed, reapply the license.

Woah it works. Thank you so much!

It’s great to see it used!

Also, the message and “title” are the same thing; it’s actually a message preview that it shows, not some special thing. So the other way to fix this is to just use a pipeline rule to write some other data into the message field from some other fields or something.

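As an added example (not code from the thread or from Graylog), here is a pipeline rule of the kind the reply above describes: it builds a readable preview for the auditd messages shown earlier, using only fields that are visible in the expanded message; the `message_original` field name is an assumption chosen here.

```graylog
// Added example: replace the "-" preview of auditd events with a summary built
// from the parsed fields. Field names are the flattened ones seen in the thread.
rule "auditd: build message preview from parsed fields"
when
    has_field("event_module") &&
    to_string($message.event_module) == "auditd" &&
    to_string($message.message) == "-"
then
    // every lookup has a fallback so the rule never fails on a partial event
    let action  = to_string($message.event_action, "unknown-action");
    let syscall = to_string($message.auditd_data_syscall, "unknown-syscall");
    let user    = to_string($message.user_name, "unknown-user");
    let proc    = to_string($message.process_executable, "unknown-process");
    let host    = to_string($message.host_name, "unknown-host");
    let result  = to_string($message.auditd_result, "unknown");

    // concat() takes exactly two strings, so the preview is assembled step by step
    let p1 = concat("auditd ", action);
    let p2 = concat(p1, " (");
    let p3 = concat(p2, syscall);
    let p4 = concat(p3, ") by ");
    let p5 = concat(p4, user);
    let p6 = concat(p5, " via ");
    let p7 = concat(p6, proc);
    let p8 = concat(p7, " on ");
    let p9 = concat(p8, host);
    let p10 = concat(p9, ": ");
    let preview = concat(p10, result);

    // keep the placeholder in an extra field (assumed name), then overwrite the preview
    set_field("message_original", to_string($message.message));
    set_field("message", preview);
end
```

Attach the rule to a stage of a pipeline that is connected to the stream receiving the Auditbeat input; for the message shown above it would produce "auditd bound-socket (bind) by root via /usr/bin/graylog-sidecar on vpn-lan: success".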

Thank you, roger that!