Hi,
I got ELK working to search for logs using Kibana and I am attempting to have Graylog working as well. I found that logstash need to have added the logstash-output-gelf to convert the messages to GELF format, so I installed and restarted the service:
[root@dev-graylog bin]# ./logstash-plugin install logstash-output-gelf
Validating logstash-output-gelf
Installing logstash-output-gelf
Installation successful
Then, in the client side where I need to collect the logs, I have installed the graylog-sidecar in this way, filebeat is already installed:
wget https://github.com/Graylog2/collector-sidecar/releases/download/1.0.0/graylog-sidecar-1.0.0-1.x86_64.rpm
tar -vxzf graylog-sidecar-1.0.0-1.x86_64.rpm
sudo rpm -i graylog-sidecar-1.0.0-1.x86_64.rpm
sudo graylog-sidecar -service install
sudo systemctl start graylog-sidecar
I will use the same filebeat and logstash instances used by Kibana to setup graylog. The graylog interface is up and running on the port 9000, but when running the graylog-sidecar I am getting the error “No API token was configured”. I have tried the different solutions given in similar issues related to Collector Sidecar. However, I have been able to spot the problem in Graylog Sidecar (new version).
Which configuration needs to be in place to get rid of this error?
The environment has the following characteristics:
- CentOS Linux 7 (Core)
- Java: 1.8.0_192
- graylog-3.0.0-beta-beta.2.tgz
- mongodb-linux-x86_64-rhel62-4.0.6-rc1.tgz
- logstash-6.6.0.tar.gz
- elasticsearch-6.6.0.tar.gz graylog-sidecar-1.0.0-1.x86_64.rpm
- filebeat-6.6.0-linux-x86_64.tar.gz
When running sudo systemctl start graylog-sidecar, I am getting the following error:
[root@c1 sidecar]# sudo systemctl status graylog-sidecar
● graylog-sidecar.service - Wrapper service for Graylog controlled collector
Loaded: loaded (/etc/systemd/system/graylog-sidecar.service; enabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Wed 2019-02-20 14:21:46 PST; 1min 29s ago
Process: 21640 ExecStart=/usr/bin/graylog-sidecar (code=exited, status=1/FAILURE)
Main PID: 21640 (code=exited, status=1/FAILURE)
Feb 20 14:21:46 c1.local.com systemd[1]: graylog-sidecar.service: main process exited, code=exited, status=1/FAILURE
Feb 20 14:21:46 c1.local.com systemd[1]: Unit graylog-sidecar.service entered failed state.
Feb 20 14:21:46 c1.local.com systemd[1]: graylog-sidecar.service failed.
In the journal I can see the following:
Feb 20 14:23:46 c1.local.com systemd[1]: graylog-sidecar.service holdoff time over, scheduling restart.
Feb 20 14:23:46 c1.local.com systemd[1]: Stopped Wrapper service for Graylog controlled collector.
Feb 20 14:23:46 c1.local.com systemd[1]: Started Wrapper service for Graylog controlled collector.
Feb 20 14:23:46 c1.local.com graylog-sidecar[21651]: time="2019-02-20T14:23:46-08:00" level=fatal msg="No API token was configured."
Feb 20 14:23:46 c1.local.com systemd[1]: graylog-sidecar.service: main process exited, code=exited, status=1/FAILURE
Feb 20 14:23:46 c1.local.com systemd[1]: Unit graylog-sidecar.service entered failed state.
Feb 20 14:23:46 c1.local.com systemd[1]: graylog-sidecar.service failed.
On server, graylog.conf:
rest_listen_uri = http://172.28.128.3:9000/api/
web_listen_uri = https://172.28.128.3:9000/
On client, sidecar.yml:
# The URL to the Graylog server API.
server_url: "http://172.28.128.3:9000/api/"
# The API token to use to authenticate against the Graylog server API.
# This field is mandatory
server_api_token: ""
# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:/etc/graylog/sidecar/node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
node_id: "graylog-collector-sidecar"
# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
#node_name: ""
# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
update_interval: 5
# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: true
# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
send_status: true
# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
# list_log_files:
# - "/var/log/nginx"
# - "/opt/app/logs"
#
# Default: empty list
list_log_files: []
# Directory where the sidecar stores internal data.
#cache_path: "/var/cache/graylog-sidecar"
# Directory where the sidecar stores logs for collectors and the sidecar itself.
log_path: "/var/log/graylog-sidecar"
# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"
# The maximum number of old log files to retain.
#log_rotate_keep_files: 10
# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "/var/lib/graylog-sidecar/generated"
# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
# collector_binaries_whitelist:
# - "/usr/bin/filebeat"
# - "/opt/collectors/*"
#
# Example disable whitelisting:
# collector_binaries_whitelist: []
#
# Default:
# collector_binaries_whitelist:
# - "/usr/bin/filebeat"
# - "/usr/bin/packetbeat"
# - "/usr/bin/metricbeat"
# - "/usr/bin/heartbeat"
# - "/usr/bin/auditbeat"
# - "/usr/bin/journalbeat"
# - "/usr/share/filebeat/bin/filebeat"
# - "/usr/share/packetbeat/bin/packetbeat"
# - "/usr/share/metricbeat/bin/metricbeat"
# - "/usr/share/heartbeat/bin/heartbeat"
# - "/usr/share/auditbeat/bin/auditbeat"
# - "/usr/share/journalbeat/bin/journalbeat"
# - "/usr/bin/nxlog"
# - "/opt/nxlog/bin/nxlog"
On the client side, I am able to execute the following successfully:
[root@c1 filebeat]# curl -i -H 'Accept: application/json' 'http://172.28.128.3:9000/api/?pretty=true'
HTTP/1.1 200 OK
X-Graylog-Node-ID: 95c1074c-268c-4996-83ac-8fffeaae901c
X-Runtime-Microseconds: 21775
Content-Type: application/json
Date: Thu, 21 Feb 2019 07:08:08 GMT
Content-Length: 260
{
"cluster_id" : "55dc5eb8-616b-4d37-af4d-572d9cb61a29",
"node_id" : "95c1074c-268c-4996-83ac-8fffeaae901c",
"version" : "3.0.0-beta.2+a5d9cc0",
"tagline" : "Manage your logs in the dark and have lasers going and make it look like you're from space!"
How to solve the error “No API token was configured”?
Is this the best approach to have ELK and graylog working together?
Thanks for your help