No Collectors or sidecar devices are showing

I have winlogbeat as the collector and sidecar configuration.
No collectors or sidecars are showing in either Administration or the Sidecars overview.
Sidecar on the client is configured to the server's IP and port 5044 with a token configured.

Collector template configuration. It does have the right IP in it.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: ["127.0.0.1:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security

It is the sidecar.yml configuration file on the client that makes the initial connection to the Graylog server; once that is correct, you can apply the configuration that tells it where to send the messages.

Here is a sample Windows sidecar.yml from one of our machines:

(NOTE: I used the forum tool </> to make your code nice in your post and in mine - you can use it for future posts with code/logs for readability)

# Graylog REST API the sidecar registers with (host and port obfuscated)
server_url: https://<GraylogServer>:9876/api/
server_api_token: "gibberish"
update_interval: 10
# keep TLS verification on; only relax this for testing
tls_skip_verify: false
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
# empty list disables the binary accesslist; list explicit paths to restrict
# which collector binaries the sidecar is allowed to launch
collector_binaries_accesslist: []
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml
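The post above describes the chain that has to work before a sidecar appears in the UI: the service must be running, sidecar.yml must point at the API, the token must be accepted, and the Beats port must be reachable. The following PowerShell script, added here as an example and not taken from the thread or from Graylog's own tooling, checks each link on the Windows client. It assumes the default install path used in the thread and that the service was registered under the name "graylog-sidecar" (the name created by `graylog-sidecar.exe -service install`); adjust both if your install differs.

```powershell
# Added example: sidecar connectivity checklist for a Windows client.
# Assumptions: default install path, service name "graylog-sidecar", Beats port 5044.
$SidecarDir  = 'C:\Program Files\Graylog\sidecar'
$ConfigPath  = Join-Path $SidecarDir 'sidecar.yml'
$ServiceName = 'graylog-sidecar'   # assumption: name registered by "graylog-sidecar.exe -service install"
$BeatsPort   = 5044                # port from the winlogbeat output.logstash hosts in the thread

# 1. Is the sidecar service registered and running? (winlogbeat/nxlog services alone are not enough.)
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' is not installed. Run 'graylog-sidecar.exe -service install' then '-service start' as Administrator."
} else {
    Write-Host "Service '$ServiceName' status: $($svc.Status)"
}

# 2. Pull server_url, log_path and the API token out of sidecar.yml with plain regexes (no YAML module needed).
$yaml      = Get-Content -Path $ConfigPath -Raw
$serverUrl = [regex]::Match($yaml, '(?m)^\s*server_url:\s*"?([^"\r\n]+)"?').Groups[1].Value.Trim()
$logPath   = [regex]::Match($yaml, '(?m)^\s*log_path:\s*"?([^"\r\n]+)"?').Groups[1].Value.Trim()
$token     = [regex]::Match($yaml, '(?m)^\s*server_api_token:\s*"?([^"\r\n]+)"?').Groups[1].Value.Trim()
Write-Host "server_url: $serverUrl"

# 3. Can this host reach the API port (registration) and the Beats port (log delivery)?
$uri = [uri]$serverUrl
foreach ($port in @($uri.Port, $BeatsPort)) {
    $r = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED/closed' }
    Write-Host ("{0}:{1} -> {2}" -f $uri.Host, $port, $state)
}

# 4. Does the API accept the token? Graylog API tokens are sent as HTTP Basic auth with the
#    token as the username and the literal string "token" as the password.
$auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${token}:token"))
try {
    $resp = Invoke-WebRequest -Uri ($serverUrl.TrimEnd('/') + '/system') `
        -Headers @{ Authorization = "Basic $auth"; Accept = 'application/json' } `
        -UseBasicParsing -TimeoutSec 10
    Write-Host "API auth check: HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "API auth check failed: $($_.Exception.Message)"
}

# 5. Tail sidecar.log; an empty or missing file usually means the service never started.
$logFile = Join-Path $logPath 'sidecar.log'
if (Test-Path $logFile) {
    Get-Content -Path $logFile -Tail 20
} else {
    Write-Warning "No sidecar.log at $logFile; the sidecar has not run on this host."
}
```

Run it from an elevated PowerShell prompt. A "BLOCKED/closed" result on the API port explains a sidecar that never registers; one on 5044 explains a registered sidecar whose messages never arrive. If the server uses a self-signed certificate and `tls_skip_verify` is false, step 4 fails with a certificate error rather than an HTTP 401, which is a different problem from a bad token.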

Hello
I know I haven't responded, but I've been busy with other IT work. How is the winlogbeat collector configured?

Hello @studioman5150

Here is my Winlogbeat collector config. It's simple, but you can configure it to your needs.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["graylog_server:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security

This collector config would only work on the local Graylog server. :crazy_face:


Okay, same as mine, which I got from the documentation. Still nothing shows.

Check firewalls/SELinux and @tmacgbay's post. Make sure the IP address, if this is a remote device, is reachable over the network.

Everything has been tested network-wise.

Examine the sidecar.log located here - it is usually good about complaining… :smiley:

I examined the logs; the log file is empty.

What I might do is configure a couple more Windows servers and see if any of them show.

By chance, have you tried a tcpdump on your Graylog server?

No I have not tried tcpdump, but I will.

Check to see if the sidecar service is installed and running on the Windows client machine.


Yes, sidecar is running on the Windows client.

Wait a minute, take that back. I only see the winlogbeat and nxlog services, no sidecar. Let me try something.

By chance did you execute this here?


Oh, I missed that part, but Graylog Sidecar is failing to start:
time="2022-08-19T16:57:31-07:00" level=fatal msg="Failed service action: Failed to start Graylog Sidecar: The service did not respond to the start or control request in a timely fashion."

Ok, riddle me this: how is it that Winlogbeat is started but Graylog-Sidecar is not?

To be honest, I would reinstall the sidecar and go back over the documentation to ensure nothing was missed. Just a thought.


You could post your sidecar.yml, obfuscated of course and using the </> tool to make it readable, removing all the comments we don't need to read…

On a Windows machine where I am using winlogbeat and filebeat, I only have to start Graylog Sidecar and it handles starting the other services because of the configuration in the sidecar.yml posted above. Visually it looks like this:
(screenshot not reproduced)
