No Collectors to display

Hi,
I followed the step by step guide: https://docs.graylog.org/en/3.0/pages/sidecar.html#sidecar-step-by-step but in the “collectors administrator” section I don’t see the configuration just created (“There are no collectors to display”).
The configuration is for winlogbeat.
Thanks,
Greetings.

Could you please be a little more verbose? Did you not see the configuration you had created, or did you not see the sidecars?

I see the configurations but I can’t assign it to the sidecar (I don’t see it on the “administration” page).

So you had a sidecar running on the server you want to collect the messages from?

I followed this step-by-step guide, but at this point:

I don’t see the configuration I just created.
Yes, what I want to do is use the sidecar to collect logs from a windows machine.

As Jan said, do you have the sidecar installed and configured on the Windows server you want to send logs from? Is it specifically configured to send to your Graylog server? You can post the configuration if you think there might be errors in it (formatted properly)

For example, below is the configuration in the sidecar installation on my Windows servers. It sets up the communication to the Graylog server when the sidecar starts and allows it to receive configuration information from Graylog for the settings and logs to watch. Once the sidecar starts with a configuration that points to Graylog, it should start showing up in your Collectors Administration.

server_url: http://<ServerIP>:9000/api/
server_api_token: "<RandomStuff>" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml

I summarize what I want to do (being new to Graylog, I probably did something wrong):
Collecting logs from a Windows 10 machine that is outside the network; to do this I thought of using a sidecar (nxlog).
The graylog server is located behind a reverse proxy (nginx).

How should nginx (in this case reverse proxy) be configured so that graylog receives messages from the sidecar installed on the windows machine (nxlog in this case)?

Error:
time="2019-06-25T08:50:18+02:00" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put https://myurl.com:9000/api/sidecars/f85f88b9-03ed-48c8-8d75-dc547ea074e1: dial tcp [ip_address]:9000: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

Sidecar configuration:
server_url: "http://myurl.com:9000/api"

Beats Input configuration:
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********

Thanks for support

You should draw a better picture of how you want to connect what from where.

It sounds like you want to proxy nxlog (what kind of transport?) to your internal network … the sidecar does not cover or tunnel traffic; it only provides the ability to manage collectors, not to tunnel traffic or similar.

When you give a better picture you might get some better help from someone in this community; currently it is hard to understand what your goal is, what you have done so far and what your actual problem is.

On the Windows 10 machine I installed the sidecar and nxlog as described here (step-by-step guide): https://docs.graylog.org/en/3.0/pages/sidecar.html#sidecar-step-by-step

The nginx configuration is the one described here: https://docs.graylog.org/en/3.0/pages/configuration/web_interface.html?highlight=nginx

Well, I’d check the network first. Does your workstation (win 10) connect to Nginx via some tunnel (VPN)? Or perhaps simple port forwarding on the router? Can it reach Nginx at all?

The next thing is understanding of how Nginx works. If you use it as a reverse proxy, then the address for the sidecar should be https://myurl.com/api as the forwarding to 9000 port (Graylog) will be performed by Nginx itself.

Again, if Nginx and Graylog aren’t on the same machine you might want to make sure that they can connect to each other…

I changed the configuration URL (nxlog on Windows 10) to http://myurl.com/api and now I get the following error:

time="2019-06-25T12:06:03+02:00" level=error msg="[UpdateRegistration] Bad response from Graylog server: 401 Unauthorized"

Nginx and Graylog communicate correctly (I can reach the web interface via nginx).

Check the logs of Nginx. What’s your config, by the way?

The nginx log shows multiple lines like this one:

[ip_address_win10] - - [25/Jun/2019:14:42:44 +0200] "GET /api/sidecars/xxx HTTP/1.1" 401 0 "http://myurl.com/api/sidecars/xxx" "Graylog Collector v1.0.1"

nginx configuration:

server{
        listen [nginx_ip]:80;
        server_name myurl.com;
        return 301 https://myurl.com$request_uri;
}


server
{
        listen [nginx_ip]:443;

        server_name myurl.com;

        ssl on;

        ssl_certificate      /path_to_.crt;
        ssl_certificate_key  /path_to_.key;

        ssl_session_cache builtin:1000  shared:SSL:10m;
        ssl_verify_client off;
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /
        {
         proxy_set_header Host $http_host;
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Graylog-Server-URL https://$server_name/;
         proxy_pass  http://[graylog-server-ip]:9000/;
         proxy_redirect  http://[graylog-server-ip]:9000/  https://myurl.com/;
         proxy_ssl_session_reuse off;
         proxy_set_header X-Real-IP $remote_addr;

         client_max_body_size 10m;
         client_body_buffer_size 128k;
         
         proxy_connect_timeout 90;
         proxy_send_timeout 90;
         proxy_read_timeout 90;
         proxy_buffers 4 32k;
         proxy_busy_buffers_size 64k;
         proxy_temp_file_write_size 64k;

        }
}
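As an added example (not from this thread and not part of Graylog or nxlog), here is a small Python triage of nginx access-log lines like the one quoted above. It keeps only requests whose user agent is the sidecar's, restricts them to the sidecar registration path, counts method/status pairs and turns the codes into hints about the proxy setup. The log lines inside the block are constructed, modelled on the quoted line; the earlier error message in this thread shows that the sidecar registers with a PUT, so a 301 (or a GET re-issued after following it) is taken as the sign of the http-to-https redirect.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" log format, modelled on the line
# quoted in the thread; IPs, sidecar id and timestamps are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jun/2019:14:42:44 +0200] "PUT /api/sidecars/xxx HTTP/1.1" 301 169 "-" "Graylog Collector v1.0.1"
203.0.113.10 - - [25/Jun/2019:14:42:44 +0200] "GET /api/sidecars/xxx HTTP/1.1" 401 0 "http://myurl.com/api/sidecars/xxx" "Graylog Collector v1.0.1"
203.0.113.10 - - [25/Jun/2019:14:45:02 +0200] "PUT /api/sidecars/xxx HTTP/1.1" 200 0 "-" "Graylog Collector v1.0.1"
198.51.100.7 - - [25/Jun/2019:14:45:10 +0200] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SIDECAR_AGENT = "Graylog Collector"  # user agent seen in the quoted log line


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def triage_sidecar_requests(log_text):
    """Count (method, status) pairs for sidecar requests to /api/sidecars/ and
    derive hints about the proxy setup from the status codes seen."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["agent"].startswith(SIDECAR_AGENT):
            continue
        if not rec["path"].startswith("/api/sidecars/"):
            continue
        counts[(rec["method"], int(rec["status"]))] += 1

    statuses = {status for _, status in counts}
    hints = []
    if 301 in statuses or ("GET", 401) in counts:
        # The sidecar registers with PUT; a 301, or a GET re-issued after the
        # client followed the redirect, means server_url still names the http vhost.
        hints.append("redirect: server_url points at a redirecting vhost; use the final https URL directly")
    if 401 in statuses:
        hints.append("unauthorized: Graylog rejected the request; check server_api_token")
    if any(200 <= s < 300 for s in statuses):
        hints.append("ok: registration requests are reaching Graylog")
    return counts, hints


if __name__ == "__main__":
    counts, hints = triage_sidecar_requests(SAMPLE_LOG)
    for (method, status), n in sorted(counts.items()):
        print(f"{method:4} {status} x{n}")
    for hint in hints:
        print("-", hint)
```

Run it against a real access log by reading the file into `triage_sidecar_requests`; the user-agent filter is what keeps browser traffic to the web interface out of the counts.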

Let’s try to make it a bit simpler:

  • Change http to https in the myurl.com/api/ address so as to avoid the redirect;

  • Comment out the current location section and use this:

      location / {
          proxy_set_header        Host $http_host;
          proxy_set_header        X-Forwarded-Host $host;
          proxy_set_header        X-Forwarded-Server $host;
          proxy_set_header        X-Forwarded-For $remote_addr;
          proxy_set_header        X-Graylog-Server-URL https://$server_name/;
          proxy_pass              http://Graylog-IP:9100;
      }


Also I’d suggest checking:

  • If port 9000 is open;
  • If Nginx has all necessary rights to the folder with the certificate and the key.

The cause of the errors clearly lies in the configuration of Nginx.
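One way to check a sidecar.yml against the advice in this reply (an https server_url with no explicit port when going through nginx, a real API token), written as an added Python example that is not from the thread and not Graylog's own code. The top-level key reader is a minimal stand-in for a YAML library so it runs without PyYAML, the sample configuration strings are constructed from the URLs discussed in the thread, and the tls_skip_verify finding is an added caveat about the earlier posted configuration, where it was set to true.

```python
from urllib.parse import urlsplit


def parse_top_level(yaml_text):
    """Minimal reader for the top-level scalar keys of sidecar.yml.

    Assumption: a stand-in for a YAML library so this runs without PyYAML;
    indented (nested) lines such as the backends list are ignored.
    """
    cfg = {}
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw[0].isspace() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        value = value.split(" #", 1)[0].strip().strip('"').strip("'")
        cfg[key.strip()] = value
    return cfg


def check_sidecar_config(yaml_text, behind_tls_proxy=True):
    """Return a list of findings for the sidecar-to-Graylog settings.

    behind_tls_proxy=True encodes the setup in this thread: the sidecar talks
    to nginx over https and nginx forwards to Graylog on port 9000.
    """
    cfg = parse_top_level(yaml_text)
    findings = []

    url = urlsplit(cfg.get("server_url", ""))
    if url.scheme != "https":
        findings.append("server_url: scheme is not https; the http vhost in this setup only answers with a 301 redirect")
    if behind_tls_proxy and url.port is not None:
        findings.append(f"server_url: explicit port {url.port}; behind the proxy use https://host/api and let nginx forward to 9000")
    if url.path.rstrip("/") != "/api":
        findings.append("server_url: path must be the Graylog REST API base, /api")

    token = cfg.get("server_api_token", "")
    if not token or token.startswith("<"):
        findings.append("server_api_token: empty or placeholder; Graylog answers 401 Unauthorized")

    # Added caveat: tls_skip_verify disables certificate checking of the API
    # endpoint, so the token would be sent to whoever answers for the hostname.
    if cfg.get("tls_skip_verify", "false").lower() == "true":
        findings.append("tls_skip_verify: true disables certificate validation; use a trusted certificate and set it to false")
    return findings


# Constructed samples: the URL from the failing attempt in this thread, then
# the form suggested in the replies (token value is a placeholder).
FAILING = 'server_url: "http://myurl.com:9000/api"\nupdate_interval: 10\n'
WORKING = 'server_url: "https://myurl.com/api"\nserver_api_token: "example-token"\ntls_skip_verify: false\n'

if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("working", WORKING)):
        print(name, check_sidecar_config(text) or ["no findings"])
```

Pass `behind_tls_proxy=False` when the sidecar talks to Graylog directly on port 9000; the https and token checks still apply in that case.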

OK, with "https" I get the following error:

level=info msg="No configurations assigned to this instance. Skipping configuration request."

Instead, with "http":

level=error msg="[UpdateRegistration] Bad response from Graylog server: 401 Unauthorized"

I don’t think it’s a problem with port 9000, as I easily reach the Graylog web interface from anywhere.
Nginx has permission to access both the certificate and the key (it works and gives no errors of that type).

level=info msg="No configurations assigned to this instance. Skipping configuration request."

That sounds just like a Graylog error. That means that Nginx is probably fine now. Check the sidecar settings. Did the machine appear on the page? Does it have a configuration assigned to it?

OK, it works!
I had set the "host" parameter in the sidecar configuration wrongly.

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
    </Schedule>
</Extension>


<Extension gelfExt>
    Module xm_gelf
    # Avoid truncation of the short_message field to 64 characters.
    ShortMessageLength 65536
</Extension>

<Input eventlog>
    Module im_msvistalog
    PollInterval 1
    SavePos True
    ReadFromLast True

    Channel System
    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Security'>*[System/Level=4]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>


<Input file>
    Module im_file
    File 'C:\Windows\MyLogDir\\*.log'
    PollInterval 1
    SavePos True
    ReadFromLast True
    Recursive False
    RenameCheck False
    Exec $FileName = file_name(); # Send file name with each message
</Input>


<Output gelf>
    Module om_tcp
    Host 0.0.0.0
    Port 12201
    OutputType  GELF_TCP
    <Exec>
        # These fields are needed for Graylog
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Output>


<Route route-1>
    Path eventlog => gelf
</Route>
<Route route-2>
    Path file => gelf
</Route>

At this point I should get all the security logs, correct?

Theoretically, yes. Check whether an input is configured in Graylog.

UPD:

Host 0.0.0.0
Port 12201

Maybe you’ll need to change them, as they look like the destination settings, though I’m not sure.

UPD: Oops, it seems you’ve already done that.