Pointing Graylog to Log files

I am setting up a Graylog sidecar on Windows Server 2016. I have tried using NXLog or Winlogbeat, but with either one I am unsure where to input the path to the actual log files to send them to Graylog. I know I am missing something simple, but I cannot figure out what.

what did you try and what is not working?

please describe briefly the points you have issues with and where you are lost. without that nobody can help you to walk …

I have set up inputs for the beats:

  • bind_address: 0.0.0.0
  • no_beats_prefix: false
  • number_worker_threads: 2
  • override_source:
  • port: 5044
  • recv_buffer_size: 1048576
  • tcp_keepalive: false
  • tls_cert_file:
  • tls_client_auth: disabled
  • tls_client_auth_cert_file:
  • tls_enable: false

Configured a collector:

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["0.0.0.0:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
```

I have a sidecar configured on my server and connected to the Graylog web UI, but no messages have been returned to Graylog. I think I am supposed to put the path to the log files in Graylog somewhere, but I have not been able to find out how.

hosts: ["0.0.0.0:5044"]

your target in the collector (output.logstash) needs to be the IP where your collector can reach the Graylog input. Having 0.0.0.0 is not a reachable IP - on Graylog this specifies that this Input will listen on every available Interface/IP
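As an added example (not from this thread or the Graylog project), a small pre-deployment check that parses the `output.logstash` hosts out of the flat sidecar-template layout and flags the mistake above: a wildcard address such as 0.0.0.0 or :: is the input's bind address on the Graylog side, never a destination the collector can reach. It assumes the flat template layout shown in the thread and uses 192.0.2.10 as a placeholder Graylog address.

```python
"""Check the output.logstash target in a Winlogbeat sidecar config before deploying it."""
import ipaddress
import re

# Matches the flow-style hosts line used by the sidecar template, e.g. hosts: ["192.0.2.10:5044"]
HOSTS_RE = re.compile(r'^\s*hosts:\s*\[(.*)\]\s*$')


def parse_logstash_hosts(config_text):
    """Return the host:port entries listed under output.logstash.
    Line-based parse of the flat sidecar template layout, not a full YAML parser."""
    in_logstash = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line.startswith((" ", "\t")):  # unindented line = new top-level key
            in_logstash = stripped.startswith("output.logstash")
            continue
        if in_logstash and (m := HOSTS_RE.match(line)):
            return [h.strip().strip("\"'") for h in m.group(1).split(",") if h.strip()]
    return []


def check_host(entry):
    """Classify one host:port entry as ok / warn / error with a reason."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        return ("error", f"{entry!r}: missing or invalid port (the beats input here listens on 5044)")
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # IPv6 literals are written [addr]:port
    except ValueError:
        return ("ok", f"{entry!r}: hostname; it must resolve from the collector host")
    if ip.is_unspecified:  # 0.0.0.0 or :: is the input's bind address, never a destination
        return ("error", f"{entry!r}: wildcard address copied from the input's bind_address")
    if ip.is_loopback:
        return ("warn", f"{entry!r}: loopback only reaches Graylog if it runs on this same host")
    return ("ok", f"{entry!r}: unicast address, check the collector can reach it on that port")


def check_config(config_text):
    hosts = parse_logstash_hosts(config_text)
    return [check_host(h) for h in hosts] or [("error", "no output.logstash hosts found")]


# Constructed sample: the thread's mistake, then the same config with a placeholder Graylog IP.
BAD_CONFIG = 'fields_under_root: true\noutput.logstash:\n  hosts: ["0.0.0.0:5044"]\ntags:\n  - windows\n'
GOOD_CONFIG = BAD_CONFIG.replace("0.0.0.0", "192.0.2.10")  # 192.0.2.10 is a documentation-range placeholder

if __name__ == "__main__":
    for name, cfg in (("as posted", BAD_CONFIG), ("corrected", GOOD_CONFIG)):
        for level, msg in check_config(cfg):
            print(f"[{name}] {level.upper()} {msg}")
```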

so should this be the IP of the graylog server? or just some other IP on the same network?

the target where filebeat should send the logs to can be a random number …

… wait did you believe that? think about the sentence and what you configure at this point.

You configure the target where the filebeat should send the logfiles to, fucking yes - that needs to be the IP where your Graylog beats input is listening on.

Ok I changed that and it seems to be working. I am having a different issue now. I have connected several servers now with sidecars and the correct IP address. They show that they are connected in the inputs tab. It shows messages coming in on the top right of the menu bar, but if I click on show messages on any of the sidecars they show nothing found. If I go to inputs and click show received messages next to my input it shows some of the messages, but I am certain it is not all of them. Some of the servers do not show anything. Why would this be?

multiple reasons

  • check each host if it submits logs
    • find why it does not send logs
    • debug why they are not shown

if you use the search with the admin account - does that show the messages?

The winlogbeat logs appear to show that files are being sent out from the servers. Something that I found a bit weird however is that our Graylog node is showing something like 800,000 unprocessed messages, is this normal?

you need to find out why Graylog has unprocessed messages - because those are in the journal.

The server.log will show what might be the reason for that.
