New system addition documentation

I’m new to Graylog. Our CTO is insisting on using Graylog for our log centralization, so I have to learn it. I have been tasked with documenting the processes for getting each type of system, so I’ve been going through your documentation, but it has been extremely hard to follow. I was able to build a Graylog server as a VM on my workstation, and then build Ubuntu VM for a client to send it logs, but I’m not able to follow all the processes to get that set up because everything is spread all over the place, and it doesn’t seem to be in any particular order. I see all the sections on streams and extractors and rules and dashboards, but they give a basic rundown without any mention of where their interdependencies are. I’m not able to really follow any of it because I don’t see any frame of reference for each piece.

It would be nice to have some sort of documentation on what ALL needs to be done, and in what order, to be able to get logs to the Graylog server and be able to parse and follow them and search them.

Then there’s the little matter that it seems just installing Ubuntu Server 16.04.2 and then installing the Sidecar client and installing it doesn’t seem to work right. I get a “[filebeat] Backend finished unexpectedly, trying to restart” error upon starting. It’s a fully clean VM, so there shouldn’t be anything interfering. I’ll probably start a different thread on that, though.

We’re always looking for opportunities to improve the Graylog documentation, so please post an issue to Issues · Graylog2/documentation · GitHub and try to describe as detailed as possible what you were missing and what you found hard to understand.

We tried to give a (basic) introduction to Graylog and its components in the Getting Started Guide:
Did you see that? Didn’t it make sense to you at that point?

Yes, I’ve been through those thoroughly. All they gave me was an operational Graylog server that I can’t configure to receive anything. I now have 2 VMs that I can confirm are sending data to the greylog server, but I have no idea how to configure it to do anything with the data. It just sits there saying it is receiving nothing.

The opening page on the Graylog server says something about creating inputs, but no details on what to actually set up. I have inputs set up for Syslog UDP and Syslog TCP at port 5140, and I can prove my Ubuntu VM is using rsyslog to send data at the Graylog server at that port, but the server just sits there saying it is receiving nothing. I have a Windows 2008r2 VM with sidecar installed and running, and TCP view shows it has an active connection to the Graylog server at port 9000, and I configured an input for GELF TCP at port 12201, but the server says it is not receiving anything and the Win2008r2 VM doesn’t seem to even know it needs to open a connection to 12201.

There’s no documentation on how to set any of this up, the documentation is mostly just saying "set it up, with any specifics on HOW. So I’m running on mostly guesses based on little crumbs of info I can gather. It’s maddening.

There are multiple problems with the documentation on this product:

  1. many aspects of the configuration are spread out across several places, and there is no flow from one to others. It is very difficult to piece things together when done this way. It would work better if you showed how the different pieces work together.
  2. A lot of the documentation is very long winded, making it difficult to read through and pick the pieces needed. The marketing talk needs to be in marketing documents, not in the instructions. The instructions need to be clean, concise, and complete. I’m falling asleep reading much of this, literally, because it is so long winded. I’m actually nodding off at my desk. It’s annoying, and it is going to get me in trouble if it happens while I’m at work. I’d rather NOT use my personal time for this, but as long as it keeps making me this sleepy, I’m not going to be able to read it at work.
  3. There are still a LOT of things missing. As much as is said about extractors, streams, and pipelines, I can’t figure out how to actually do anything with it. Maybe it’s because I keep falling asleep while trying to get through it, but I don’t see any actual instructions or explained examples.

Here’s an example of how instructions should read:
Linux instructions:

  1. get the installers for nxlog (nxlog pkg name) and sidecar (sidecar pkg name) onto the target system
  2. “dpkg -i (nxlog pkg name)”
  3. “apt-get -f install”
  4. “service nxlog stop”
  5. “systemctl nxlog remove”
  6. “gpasswd -a nxlog adm”
  7. “dpkg -i (sidecar pkg name)”
  8. “chown -R nxlog.nxlog /var/spool/collector-sidecar/nxlog”
  9. “graylog-collector-sidecar -service install”
  10. edit /etc/graylog/collector-sidecar/collector_sidecar.yml to change the following:
    a. server url: http://(local collection server IP):9000/api/
    b. node id: (system name)
    c. tags: include all applicable services, one per line starting with the next line below the “tags:” entry, preceeded by 4 spaces, a dash, and one space
    d. under the nxlog section, change enabled to "true"
    e. under the filebeat section, change enabled to “false”
  11. “service collector-sidecar start”
  12. check status on the collction server “collectors” page

Now, I’d like to get something like this for the server side, as I have not figured out how to do anything beyond inputs and collector configs with it.

Hej @dgingerich

thank you for the feedback. As logging is very different on all places we think it is more important to provide answers with background information that people understand what and why you need todo different steps.

If possible we provide step-by-step guides. As @jochen already said - we and the community - would be pleased if you provide the feedback in a way that everyone who likes to contribute to the documentation can review and work with it.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.