Newbie - no logs showing

I followed the guide online, tried to read through example after example of how to set up inputs, and I have managed to start an input on port 5140 but not 514 (for firewalls/switches that give me no option to choose the sending port).

I have 1 Windows server running a SolarWinds Syslog forwarder set to port 5140 and a second Windows server using the sidecar program, which defaults to the port 9000 API.

I am missing something as I am getting no messages at all.

See http://docs.graylog.org/en/2.2/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024.

Please post your Graylog Collector Sidecar configuration, and the configuration of your Graylog inputs.

Thank you!

I have now made a change in iptables and created a new input for 1514. Still no logs on that end.

I did not previously add the sidecar as a service, so that is completed now.
I am not sure what to edit in the collector_sidecar.yml file.

My server_URL: http://serverip:9000/api

  • should this be different?

I have now added the beats input and the apache collector within graylog. Still no logs either.

sidecar yml file:

server_url: http://graylogip:9000/api
update_interval: 10
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:C:\Program Files\graylog\collector-sidecar\collector-id
cache_path: C:\Program Files\graylog\collector-sidecar\cache
log_path: C:\Program Files\graylog\collector-sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows, iis]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\graylog\collector-sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\graylog\collector-sidecar\filebeat.exe
      configuration_path: C:\Program Files\graylog\collector-sidecar\generated\filebeat.yml

Beats input:

bind_address: 0.0.0.0
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********

I am now trying the NXLog agent on a Windows 2012 server.

NXLog is stating:
2017-04-07 08:06:24 ERROR couldn’t connect to tcp socket on 134.11.1.19:5140; No connection could be made because the target machine actively refused it.

I do have the 5140 tcp input enabled and running on graylog

Check the firewall configuration of the relevant machines and make sure that your Windows machines are able to send their messages to 134.11.1.19 on port 5140/tcp.
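As an added example (not part of the thread), the following PowerShell script, run on the Windows host that gets the "actively refused" error, checks TCP reachability of each Graylog input port mentioned above, lists any local outbound block rule that could apply, and then sends one constructed RFC 3164 syslog line to the 5140/tcp input so it can be searched for in Graylog. The server address and ports are taken from the thread; the message text is constructed for the test. A "refused" result (TCP RST) means the host answered but nothing accepted the connection on that port, so it points at the input not actually listening on that address, or at a firewall that rejects rather than drops; a timeout points at a firewall or routing problem on the way.

```powershell
# Added example, not from the thread. Run on the Windows host that cannot reach Graylog.
$GraylogHost = '134.11.1.19'
$Ports = [ordered]@{ 'syslog-tcp-5140' = 5140; 'syslog-tcp-1514' = 1514; 'beats' = 5044; 'api' = 9000 }

# 1. Is each input port reachable from here?
foreach ($name in $Ports.Keys) {
    $r = Test-NetConnection -ComputerName $GraylogHost -Port $Ports[$name] -WarningAction SilentlyContinue
    '{0,-16} {1,5}  reachable={2}' -f $name, $Ports[$name], $r.TcpTestSucceeded
}

# 2. Any enabled outbound block rule on this host that covers TCP/5140?
foreach ($rule in (Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True)) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.RemotePort -eq 'Any' -or $pf.RemotePort -contains '5140')) {
        "Outbound block rule may apply: $($rule.DisplayName)"
    }
}

# 3. Send one constructed syslog line (PRI 14 = user.info) to the 5140/tcp input.
#    If it shows up in Graylog, the input and the path to it are fine and the
#    problem is on the agent side.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($GraylogHost, 5140)
    $stream = $client.GetStream()
    $ts  = (Get-Date).ToString('MMM dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
    $msg = "<14>$ts $env:COMPUTERNAME graylog-test: connectivity check from $env:COMPUTERNAME`n"
    $bytes = [Text.Encoding]::ASCII.GetBytes($msg)
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
    "sent test line to ${GraylogHost}:5140 - search Graylog for 'graylog-test'"
} catch {
    "could not send test line: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}
```

On the Graylog host itself, confirm that the input is really bound on the expected address and port (for example with ss -ltnp) before spending more time on the client side; an input that shows as running in the web interface but is bound to a different address than 134.11.1.19 produces exactly this "actively refused" symptom.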

NXlog shows:

2017-04-07 15:03:19 ERROR module 'internal' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:35
2017-04-07 15:03:19 ERROR module 'eventlog' is not declared at C:\Program Files (x86)\nxlog\conf\nxlog.conf:35
2017-04-07 15:03:19 ERROR route 1 is not functional without input modules, ignored at C:\Program Files (x86)\nxlog\conf\nxlog.conf:35
2017-04-07 15:03:19 WARNING no routes defined!
2017-04-07 15:03:19 WARNING not starting unused module in
2017-04-07 15:03:19 WARNING not starting unused module out
2017-04-07 15:03:19 INFO nxlog-ce-2.9.1716 started

nxlog config:

## This is a sample configuration file. See the nxlog reference manual about the
## configuration options. It should be installed locally and is also available
## online at http://nxlog.org/docs/

## Please set the ROOT to the folder your nxlog was installed into,
## otherwise it will not start.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>

<Output out>
    Module      om_tcp
    Host        <gralogserverip>
    Port        5140
    Exec        to_syslog_snare();
</Output>

<Route 1>
    Path        internal, eventlog => out
</Route>

Well, your nxlog configuration is incorrect and it’s even telling you what’s missing (i.e. the definitions of “internal” and “eventlog”).

Please refer to the nxlog documentation for details or use the Graylog Collector Sidecar to configure nxlog for you.

FWIW, you could also use Winlogbeat as an alternative to nxlog.
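As an added example (not part of the thread and not Graylog's or nxlog's own code), the PowerShell script below writes a corrected nxlog.conf in which the route names the module instances that are actually declared (the input is called "in" and the output "out", whereas the posted route refers to "internal" and "eventlog", which is exactly what the "module ... is not declared" errors say), then asks nxlog to verify the file before the service is restarted. Paths follow the 32-bit install from the thread; the Graylog address is a placeholder to be replaced. The output format is left as in the original (to_syslog_snare); the Graylog syslog input accepts it as a syslog line, but the tab-separated Snare fields stay inside the message field unless extractors are added.

```powershell
# Added example, not from the thread. Run as Administrator on the Windows host running nxlog.
$NxlogRoot = 'C:\Program Files (x86)\nxlog'
$ConfPath  = Join-Path $NxlogRoot 'conf\nxlog.conf'
$GraylogIp = '<graylogserverip>'   # placeholder, replace with the real Graylog address

$conf = @"
define ROOT $NxlogRoot

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module      xm_syslog
</Extension>

# Windows Event Log reader (Vista / Server 2008 and later; use im_mseventlog on 2003).
<Input in>
    Module      im_msvistalog
</Input>

# One syslog line per event over TCP to the Graylog Syslog TCP input on 5140.
<Output out>
    Module      om_tcp
    Host        $GraylogIp
    Port        5140
    Exec        to_syslog_snare();
</Output>

# The route must reference the declared instance names "in" and "out".
# "internal, eventlog => out" fails because no module with those names exists.
<Route 1>
    Path        in => out
</Route>
"@

# Keep the previous file, then write the corrected one.
Copy-Item -Path $ConfPath -Destination "$ConfPath.bak" -ErrorAction SilentlyContinue
Set-Content -Path $ConfPath -Value $conf -Encoding ASCII

# Syntax check without starting the agent (-v verifies, -c selects the file);
# a non-zero exit code means the configuration is still wrong.
& (Join-Path $NxlogRoot 'nxlog.exe') -v -c $ConfPath
if ($LASTEXITCODE -eq 0) {
    Restart-Service -Name nxlog
    Start-Sleep -Seconds 3
    # The last lines of nxlog.log should now show the modules starting and no
    # "not declared" or "couldn't connect" errors.
    Get-Content -Path (Join-Path $NxlogRoot 'data\nxlog.log') -Tail 10
} else {
    "nxlog rejected the configuration; see the errors above and $($ConfPath).bak for the previous file"
}
```

Run the script with the placeholder replaced; the verification step is what separates a route/module naming error (fixed here) from the connection error reported earlier in the thread, which only appears once the configuration loads and the output module actually tries to reach the Graylog host.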