1. Describe your incident:
I’m having issues with the Winlogbeat sidecar and no messages ever showing in the web console.

2. Describe your environment:
Single node running on a Ubuntu 22.04 LTS
Graylog 5.2
MongoDB 6
Opensearch 2.13
sidecar is 1.5.0.1
winlogbeat is 8.9 as well as 8.13
(Winlogbeat.conf)
output.logstash:
hosts: [“192.168.0.127:5044”]
path:
data: C:\Program Files\Graylog\sidecar\generated\6622d69439fc515d2219e98d\data
logs: C:\Program Files\Graylog\sidecar\generated\6622d69439fc515d2219e98d\logs
tags:

• windows
  winlogbeat.event_logs:
  • name: Application
  • name: System
  • name: Security
  • name: Setup
  • name: ForwardedEvents
    (sidecar.yml)

The URL to the Graylog server API.

Default: “http://127.0.0.1:9000/api/”

server_url: “http://192.168.0.127:9000/api”

The API token to use to authenticate against the Graylog server API.

Default: none

server_api_token: “token was generated”

The node ID of the sidecar. This can be a path to a file or an ID string.

If set to a file and the file doesn’t exist, the sidecar will generate an

unique ID and writes it to the configured path.

Example file path: “file:C:\Program Files\Graylog\sidecar\node-id”

Example ID string: “6033137e-d56b-47fc-9762-cd699c11a5a9”

ATTENTION: Every sidecar instance needs a unique ID!

Default: “file:C:\Program Files\Graylog\sidecar\node-id”

node_id: “file:C:\Program Files\Graylog\sidecar\node-id”

The node name of the sidecar. If this is empty, the sidecar will use the

hostname of the host it is running on.

Default: “”

node_name: “”

The update interval in secods. This configures how often the sidecar will

contact the Graylog server for keep-alive and configuration update requests.

Default: 10

update_interval: 10

This configures if the sidecar should skip the verification of TLS connections.

Default: false

tls_skip_verify: false

This enables/disables the transmission of detailed sidecar information like

collector statues, metrics and log file lists. It can be disabled to reduce

load on the Graylog server if needed. (disables some features in the server UI)

Default: true

send_status: true

A list of directories to scan for log files. The sidecar will scan each

directory for log files and submits them to the server on each update.

Example:

list_log_files:

- “/var/log/nginx”

- “/opt/app/logs”

Default: empty list

#list_log_files:

Directory where the sidecar stores internal data.

#cache_path: “C:\Program Files\Graylog\sidecar\cache”

Directory where the sidecar stores logs for collectors and the sidecar itself.

#log_path: “C:\Program Files\Graylog\sidecar\logs”

The maximum size of the log file before it gets rotated.

#log_rotate_max_file_size: “10MiB”

The maximum number of old log files to retain.

#log_rotate_keep_files: 10

How long to wait for the config validation command.

#collector_validation_timeout: “1m”

Directory where the sidecar generates configurations for collectors.

#collector_configuration_directory: “C:\Program Files\Graylog\sidecar\generated”

Range of windows drives which are checked for disk usage. If their usage extends 75% they will be reported

in the sidecar’s status report to the Graylog server. Set to “” to disable disk scanning.

Default:

windows_drive_range: “CDEFGHIJKLMNOPQRSTUVWXYZ”

A list of tags to assign to this sidecar. Collector configuration matching any of these tags will automatically be

applied to the sidecar.

Default:

tags: [ default ]

Example:

tags:

- apache-logs

- dns-logs

A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the access list feature.

Wildcards can be used, for a full pattern description see filepath package - path/filepath - Go Packages

Example:

collector_binaries_accesslist:

- “C:\Program Files\Graylog\sidecar\winlogbeat.exe”

- “C:\Program Files\Filebeat\filebeat.exe”

Example disable access listing:

collector_binaries_accesslist:

Default:

collector_binaries_accesslist:

- “C:\Program Files\Graylog\sidecar\filebeat.exe”

- “C:\Program Files\Graylog\sidecar\winlogbeat.exe”

- “C:\Program Files\Filebeat\filebeat.exe”

- “C:\Program Files\Packetbeat\packetbeat.exe”

- “C:\Program Files\Metricbeat\metricbeat.exe”

- “C:\Program Files\Heartbeat\heartbeat.exe”

- “C:\Program Files\Auditbeat\auditbeat.exe”

- “C:\Program Files (x86)\nxlog\nxlog.exe”

- “C:\Program Files\nxlog\nxlog.exe”

(sidecar.log)
time=“2024-04-22T11:24:00-07:00” level=info msg=“Starting signal distributor”
time=“2024-04-22T11:24:00-07:00” level=info msg=“Adding process runner for: winlogbeat-6622d69439fc515d2219e98d”
time=“2024-04-22T11:24:00-07:00” level=info msg=“[winlogbeat-6622d69439fc515d2219e98d] Configuration change detected, rewriting configuration file.”
time=“2024-04-22T11:24:00-07:00” level=info msg=“Trying to create directory for: C:\Program Files\Graylog\sidecar\generated\6622d69439fc515d2219e98d\winlogbeat.conf”
time=“2024-04-22T11:24:02-07:00” level=info msg=“[winlogbeat-6622d69439fc515d2219e98d] Starting (svc driver)”
time=“2024-04-22T11:58:20-07:00” level=info msg=“[winlogbeat-6622d69439fc515d2219e98d] Configuration change detected, rewriting configuration file.”
time=“2024-04-22T11:58:22-07:00” level=info msg=“[winlogbeat-6622d69439fc515d2219e98d] Stopping”
time=“2024-04-22T11:58:24-07:00” level=info msg=“[winlogbeat-6622d69439fc515d2219e98d] Starting (svc driver)”
(Beats input config)
bind_address: 0.0.0.0
charset_name: UTF-8
no_beats_prefix: false
number_worker_threads: 6
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password:********
(TCPDUMP)

3. What steps have you already taken to try and solve the problem?
I’ve tried looking through the posts and found a lot of really good info but nothing that seemed to stick. I’ve tried following this post and adding event.id to the winlogbeat config.
Ingest Windows Event Logs…
Universal-Winlogbeat-configuration/assets/winlogbeat.yml at main · jhochwald/Universal-Winlogbeat-configuration · GitHub
Still no go. Even though I have this feeling this might still be the issue.
NXLog is working. The sidecar is connecting to the server as I can modify the config in the console and the machines pickup the changes right away

4. How can the community help?
I have a feeling it is something simple I’m missing in a config file I’m just not seeing it yet. Any help would be appreciated.

Hey @sandycrab

Your configuration is hard to read, but from what I can see. Only thing I can think of is the sidecar configuration for Winlogbeat.

Try something simple like this below.

Example:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["192.168.0.127:5044"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application

Double check firewalls for port 5044 is opened.

You can restart Graylog-sidecar on the remote device and check logs.

C:\Program Files\Graylog\sidecar\logs

For troubleshooting set this to true

tls_skip_verify: true

Make sure you restart services needed.

Thanks for the reply. Sorry about the formatting in the post still trying to learn and was just trying to cram as much info in as I could.

My sidecar config was almost identical to the one you posted. I did go ahead and cut and pasted yours in and restarted the service still no go. I’ve been reading from here and trying different options, format, syntax etc with no luck Configure Winlogbeat | Winlogbeat Reference [8.13] | Elastic
I’ve also tried downgrading the winlogbeat executable to 7.2.
It looks like I’m getting messages if from the input. I’ve seen that as high as 800.

But I still see this error when clicking on show messages.

I also tried the TLS setting and a restart as well with no luck.

I keep thinking I’m missing something simple as the NXLogging is working like a charm. I just have been using winlogbeat with other siems for sometime now and prefer it.

I have been trying to read up on the graylog-sidecar -debug as well.

oh and port is opened

.

Again thanks for any help!

Hey,

I did a quick test on my Linux server. Fresh install followed the documentation and I understand now.

Hey @sandycrab

I figured it out.

Here are some things to check. Even thou this is FileBeat you can use this as reference for Winlogbeat.

Beats INPUT configuration.
NOTE: I checked the Do not add Beats type as prefix tic box on the bottom.

bind_address: 0.0.0.0
charset_name: UTF-8
no_beats_prefix: true
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

I believe you know how to get your Sidecar token.

Installed Sidecar && FileBeat-8.12.x Binary files
Sidecar:

wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
sudo apt update && sudo apt install graylog-sidecar   

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb
sudo filebeat modules list
sudo filebeat modules enable system

Configured Graylog-Sidecar

server_url: "http://graylog.domain.com/api/"
server_api_token: "qrjv1bpve6fcv8d4p3og2fc4h8lh47eoassq87mcv4e1mt4fofs"
node_id: "file:/etc/graylog/sidecar/node-id"
node_name: "zitadel"
tls_skip_verify: true
send_status: true
log_path: "/var/log/graylog-sidecar"
tags:
  - default
collector_binaries_accesslist:
   - "/usr/bin/filebeat"
   - "/usr/lib/graylog-sidecar/filebeat"
   - "/usr/share/filebeat/bin/filebeat"

Add FileBeat Configurations set as…

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- input_type: log
  paths:
    - /var/log/*.log
  type: log
output.logstash:
   hosts: ["graylog.domain.com:5044"]
path:
  data: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/data
  logs: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/log

I did restart graylog-sidecar service and check my journal for errors/warnings. This was very useful in finding out what was going on with my remote installation, (On Windows, check your Event Viewer and/or Sidecar logs) for example it showed

journalctl -xeu graylog-sidecar

Needed Binary’s

level=error msg="[filebeat-6629842d39277c0a45c53dc2] Couldn't start validation command: fork/exec /usr/share/filebeat/bin/filebeat: no such file or directory"

Needed to configure Access list

level=error msg="[filebeat-6629842d39277c0a45c53dc2] Couldn't execute collector /usr/share/filebeat/bin/filebeat, binary path is not included in `collector_binaries_accesslist' config option."

Needed to attach configurations to Sidecar

 msg="No configurations assigned to this instance. Skipping configuration request.

Just an FYI, Graylog server port 5044 opened.

Results:

The clue was even thou I seen Beats INPUT showing messages the field called gl2_source_collector was not generated. So there was a connection/configuration issue that I resolved, hope that helps.