Hi
After re-installing Graylog on a new server, I cannot get the previously working config to work again. This is driving me crazy because I’m sure it’s some minor detail but I could not figure it out for days now.
The setup is very simple:
One GELF UDP input on port 12201, no extractors.
One Windows server, nxlog and sidecar installed - shows up under sidecars as running.
Assigned to the Windows server is one sidecar config:
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension gelf>
    Module xm_gelf
</Extension>

<Input in_Eventlog>
    Module im_msvistalog
    Exec $logsource = hostname_fqdn();
    Exec $logtype = 'windowseventlog';
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Security">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="Setup">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
                <Select Path="ForwardedEvents">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output out>
    Module om_udp
    Host serverX.domain.local
    Port 12201
    OutputType GELF
</Output>

<Route oute_Eventlog>
    Path in_Eventlog => out
</Route>
But I just do not receive any messages on the specified input. What bugs me is that I don’t see any errors, the nxlog log contains just the stop/start actions initiated by the sidecar config update.
Running Graylog 3.2.3, graylog_sidecar_installer_1.0.2-1 and nxlog-ce-2.10.2150.
I have not changed anything on the global sidecar config.
I have another (syslog) input which works. There is also a pipeline configured, but even if it would interfere, the messages should still be visible directly on the input or the sidecar.
Any ideas would be greatly appreciated.
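
One way to isolate the fault in a setup like the one described above, as an added example that is not part of the original post: a hand-built GELF UDP probe sent to the input on port 12201, independent of nxlog and the sidecar. The function names are hypothetical, the host is the placeholder from the post's Output block, and the framing assumes the public GELF UDP format (zlib-compressed JSON, 12-byte chunk header).

```python
import json, os, socket, struct, time, zlib

CHUNK_MAGIC = b"\x1e\x0f"   # GELF chunk header magic bytes
MAX_CHUNKS = 128            # GELF limit on chunks per message

def build_gelf(short_message, host, **extra):
    """Return a zlib-compressed GELF 1.1 payload; extra fields get the '_' prefix."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": 6}
    msg.update({"_" + k: v for k, v in extra.items()})
    return zlib.compress(json.dumps(msg).encode("utf-8"))

def chunk_gelf(payload, chunk_size=1420):
    """Split a payload into GELF UDP chunks when it exceeds one datagram."""
    if len(payload) <= chunk_size:
        return [payload]
    body = chunk_size - 12  # 2 magic + 8 message id + 1 seq number + 1 seq count
    parts = [payload[i:i + body] for i in range(0, len(payload), body)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError("message needs more than 128 chunks")
    msg_id = os.urandom(8)
    return [CHUNK_MAGIC + msg_id + struct.pack("BB", seq, len(parts)) + part
            for seq, part in enumerate(parts)]

def reassemble(datagrams):
    """Receiver side: rebuild and decode one message from its datagrams."""
    if datagrams[0][:2] == CHUNK_MAGIC:
        ordered = sorted(datagrams, key=lambda d: d[10])  # byte 10 = seq number
        if len(ordered) != ordered[0][11]:                # byte 11 = seq count
            raise ValueError("missing chunks")
        data = b"".join(d[12:] for d in ordered)
    else:
        data = datagrams[0]
    return json.loads(zlib.decompress(data))

def send_probe(server, port=12201, chunk_size=1420):
    """Send one test message to a GELF UDP input; returns datagrams sent."""
    payload = build_gelf("GELF UDP probe", socket.gethostname(),
                         logtype="windowseventlog")
    datagrams = chunk_gelf(payload, chunk_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (server, port))
    return len(datagrams)

if __name__ == "__main__":
    # Placeholder host from the post's Output block; replace with the real server.
    print(send_probe("serverX.domain.local"), "datagram(s) sent")
```

If the probe appears on the input, name resolution, firewalling and the input itself are working and the remaining suspect is the nxlog side; if it does not, the problem lies between the sender and port 12201.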