Problems with NXLog with sidecar 1.0.1 on 32bit Windows

I’m having a problem with sidecar 1.0.1 and a Windows 32-bit machine. NXLog is installed in c:\program files\nxlog but sidecar keeps looking for it in the c:\program files (x86) directory. When I change the path to c:\program files\nxlog, it returns the following error:
" could not execute c:\program files\nxlog\nxlog.exe, binary path not in the collector_binaries_whitelist config option"

Below is my Collector Binaries Whitelist.

Default:

```yaml
collector_binaries_whitelist:
  - "C:\Program Files\Graylog\sidecar\filebeat.exe"
  - "C:\Program Files\Graylog\sidecar\winlogbeat.exe"
  - "C:\Program Files\Filebeat\filebeat.exe"
  - "C:\Program Files\Packetbeat\packetbeat.exe"
  - "C:\Program Files\Metricbeat\metricbeat.exe"
  - "C:\Program Files\Heartbeat\heartbeat.exe"
  - "C:\Program Files\Auditbeat\auditbeat.exe"
  - "C:\Program Files\nxlog\nxlog.exe"
```

I don’t use nxlog but taking a random guess… you may need to `\\` your `\` like this example…

```yaml
collector_binaries_whitelist:
  - "/usr/lib/graylog-sidecar/filebeat"
  - "/usr/bin/filebeat"
  - "/usr/bin/packetbeat"
  - "/usr/bin/nxlog"
  - "C:\\Program Files\\Sysmon\\Sysmon64.exe"
```

Another complete guess to experiment with would be single quotes rather than double.

Thanks for the suggestion. I typed in my Collectors_binaries_whitelist incorrectly. It actually has the following:

```yaml
  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
  - "C:\\Program Files\\Filebeat\\filebeat.exe"
  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
  - "C:\\Program Files\\nxlog\\nxlog.exe"
```

The ones above the nxlog line are from the examples, but it does not seem to take…

Sorry, each line has double `\\`, but the editor is taking them out…

You can use the </> formatting button to maintain preformatted text. Did you try using single rather than double quotes?

Yes, tried it with the \\ and \ and with double quotes and single quotes. Error message is the same both ways.

Post up more surrounding information: the whole config (not just the whitelist), any related nxlog config or log files… again, I don’t use nxlog, so it’s harder to guess from minimal information… :wink:

Here is the whole sidecar.yml

```yaml
# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://172.16.x.xx:9000/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "xxxxxxxxxxxxxxxxxxxxxx"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: "VOPvoice"

# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
#   collector_binaries_whitelist:
#        "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#        "C:\\Program Files\\Filebeat\\filebeat.exe"
#	"C:\\Program Files\\nxlog\\nxlog.exe"

# Example disable whitelisting:
#  collector_binaries_whitelist: "c:\\Program Files\\nxlog\\nxlog.exe"
#

#Default:
Collector_binaries_whitelist:
- "c:\\Program Files\\nxlog\\nxlog.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
#  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files\\nxlog\\nxlog.exe"
```

Here is the debug output of sidecar (console line wrapping removed):

```
C:\Program Files\Graylog\sidecar>graylog-sidecar.exe -debug -c "c:\Program Files\Graylog\sidecar\sidecar.yml"
time="2019-04-28T18:21:25-05:00" level=info msg="Using node-id: xxxxxxxxxxxx"
time="2019-04-28T18:21:25-05:00" level=debug msg="Creating rotated log writer (10/10) for: C:\Program Files\Graylog\sidecar\logs\sidecar.log"
time="2019-04-28T18:21:25-05:00" level=info msg="Starting signal distributor"
time="2019-04-28T18:21:35-05:00" level=info msg="Adding process runner for: nxlog_32bit"
time="2019-04-28T18:21:35-05:00" level=info msg="[nxlog_32bit] Configuration change detected, rewriting configuration file."
time="2019-04-28T18:21:35-05:00" level=error msg="[nxlog_32bit] Couldn't execute collector C:\Program Files\nxlog\nxlog.exe, binary path is not included in `collector_binaries_whitelist' config option."
time="2019-04-28T18:21:45-05:00" level=debug msg="[RequestBackendList] No update available."
time="2019-04-28T18:21:45-05:00" level=debug msg="[RequestConfiguration] No update available, skipping update."
time="2019-04-28T18:21:51-05:00" level=info msg="Stopping signal distributor"
time="2019-04-28T18:21:51-05:00" level=debug msg="[signal-processor] (seq=1) handling cmd: shutdown"
time="2019-04-28T18:21:51-05:00" level=info msg="[nxlog_32bit] Stopping"
```

You should use the code block around your configuration. That makes it readable.

  ```
  Your text here
  ```

Please edit your post and use the code block as Jan suggested. Highlight the code and click on the </> button above your edit. The results show on the right side panel before you post.

Updated the code block to be in the correct format

What does your nxlog.conf configuration look like? It defaults to install at

C:\Program Files (x86)\nxlog\conf

but yours might be at

C:\Program Files\nxlog\conf

More specifically is the ROOT path defined properly in there? I am not sure if sidecar is aware of the NXLOG configuration file (still in guess mode)

Are you defining the installation path specifically during install?

> msiexec /i nxlog-4.3.4308_windows_x64.msi /q INSTALLDIR="C:\program files\nxlog"

What other troubleshooting steps have you taken??

The nxlog.conf looks correct:

```
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module  xm_fileop
    <Schedule>
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);
     </Schedule>
</Extension>


<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

<Input eventlog>
        Module im_msvistalog
        PollInterval 1
        SavePos True
        ReadFromLast True
        
        #Channel System
        #<QueryXML>
        #  <QueryList>
        #   <Query Id='1'>
        #    <Select Path='Security'>*[System/Level=4]</Select>
        #    </Query>
        #  </QueryList>
        #</QueryXML>
</Input>


<Input file>
	Module im_file
	File 'C:\Windows\MyLogDir\\*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message
</Input>


<Output gelf>
	Module om_tcp
	Host 172.16.0.87
	Port 22222
	OutputType  GELF_TCP
	<Exec>
	  # These fields are needed for Graylog
	  $gl2_source_collector = 'a0227add-290d-49a8-aad3-f4f54ff29683';
	  $collector_node_id = 'VOPvoice';
	</Exec>
</Output>


<Route route-1>
  Path eventlog => gelf
</Route>
<Route route-2>
  Path file => gelf
</Route>
```

This is an installation on a 32-bit OS. The default path for all installations on 32-bit is “c:\program files”. I have tried all different types of path variations, but nothing seems to work.

I will put in a bug to github and see what the developers come back with…

Probably best. Another thought… create a C:\Program Files (x86)\nxlog directory anyway and just work from it there.

I agree, I can make it work that way.

1 Like

Ended up making it work with the addition to the sidecar.yml on the machine. The line is very case sensitive…

```yaml
collector_binaries_whitelist: [ "C:\Program Files\nxlog\nxlog.exe" ]
```

1 Like
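The two case-sensitivity traps this thread ran into are worth making checkable before restarting the service: the posted sidecar.yml spelled the key `Collector_binaries_whitelist:` (a YAML key the sidecar never reads, so the line is silently ignored), and its one entry used a lowercase `c:` drive while the sidecar logged `C:\Program Files\nxlog\nxlog.exe`. The whitelist matters because it is the only thing standing between a configuration pushed from the Graylog server and an arbitrary executable being launched by the sidecar service, and the file's own comment notes that an empty list disables it. The script below is an added example, not code from the thread or from the Graylog sidecar project; it uses a deliberately small parser for the three whitelist forms seen on this page (block list, flow list, bare scalar) rather than a YAML library, and approximates the sidecar's Go `filepath.Match` with Python's `fnmatch.fnmatchcase`, which is likewise case-sensitive and leaves `\` literal. The config snippets in it are constructed reproductions of the whitelist section, not the full posted file.

```python
import fnmatch
import re

# The key name the sidecar reads. YAML keys are case-sensitive, so a line
# spelled "Collector_binaries_whitelist:" is a different, unknown key.
EXPECTED_KEY = "collector_binaries_whitelist"

# Escapes a YAML double-quoted scalar understands (subset sufficient for paths).
_ESCAPES = {"\\": "\\", '"': '"', "/": "/", "n": "\n", "t": "\t"}


def unquote(token):
    """Resolve one quoted YAML scalar. Single quotes keep backslashes literal;
    double quotes process escapes, so a lone \\P is an error (hence the \\\\ advice)."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in ('"', "'"):
        body = token[1:-1]
        if token[0] == "'":
            return body.replace("''", "'")
        out, i = [], 0
        while i < len(body):
            ch = body[i]
            if ch == "\\":
                nxt = body[i + 1] if i + 1 < len(body) else ""
                if nxt not in _ESCAPES:
                    raise ValueError(f"invalid escape '\\{nxt}' in double-quoted scalar {token}")
                out.append(_ESCAPES[nxt])
                i += 2
            else:
                out.append(ch)
                i += 1
        return "".join(out)
    return token


def parse_whitelist(yaml_text):
    """Find the whitelist key (in any letter case) among top-level keys and return
    (key_as_written, entries). Minimal parser for the forms seen in the thread only."""
    lines = yaml_text.splitlines()
    key_re = re.compile(r"^(\w+):\s*(.*)$")
    for i, line in enumerate(lines):
        m = key_re.match(line)
        if not m or m.group(1).lower() != EXPECTED_KEY:
            continue
        key, rest = m.group(1), m.group(2).strip()
        if rest.startswith("["):                      # flow list: [ "a", "b" ]
            inner = rest[1:rest.rindex("]")]
            return key, [unquote(x.strip()) for x in inner.split(",") if x.strip()]
        if rest:                                      # bare scalar
            return key, [unquote(rest)]
        entries = []
        for nxt in lines[i + 1:]:                     # block list: - "a"
            s = nxt.strip()
            if not s or s.startswith("#"):
                continue                              # commented-out entries do not count
            if not s.startswith("- "):
                break                                 # reached the next top-level key
            entries.append(unquote(s[2:].strip()))
        return key, entries
    return None, []


def check_binary(yaml_text, binary_path):
    """Report whether this config lets the sidecar launch binary_path, with findings."""
    findings = []
    try:
        key, patterns = parse_whitelist(yaml_text)
    except ValueError as exc:
        return {"key": None, "patterns": [], "allowed": False,
                "findings": [f"config does not parse: {exc}"]}
    if key is None:
        findings.append("no whitelist key found; the sidecar's built-in default list applies")
        effective = None
    elif key != EXPECTED_KEY:
        findings.append(f"key {key!r} is not {EXPECTED_KEY!r}; YAML keys are case-sensitive, "
                        "so this line is ignored and the built-in default list applies")
        effective = None
    else:
        effective = patterns
    if effective is None:
        allowed = False                               # default list is not modelled here
    elif not effective:
        findings.append("whitelist is empty: the feature is disabled and any collector "
                        "binary pushed from the server would be executed")
        allowed = True
    else:
        # fnmatchcase is case-sensitive and treats '\' literally, like Go's filepath.Match
        # on Windows; its '*' also crosses path separators, which Go's does not.
        allowed = any(fnmatch.fnmatchcase(binary_path, p) for p in effective)
        if not allowed:
            findings.append(f"{binary_path} matches none of {effective} (comparison is case-sensitive)")
    return {"key": key, "patterns": patterns, "allowed": allowed, "findings": findings}


NXLOG_PATH = r"C:\Program Files\nxlog\nxlog.exe"      # path from the sidecar error log

# Constructed reproductions of the whitelist section (not the full posted file).
THREAD_CONFIG = r'''
#Default:
Collector_binaries_whitelist:
- "c:\\Program Files\\nxlog\\nxlog.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
'''
FIXED_CONFIG = r'''collector_binaries_whitelist: [ "C:\\Program Files\\nxlog\\nxlog.exe" ]'''
LOWERCASE_DRIVE_CONFIG = 'collector_binaries_whitelist:\n  - "c:\\\\Program Files\\\\nxlog\\\\nxlog.exe"\n'
DISABLED_CONFIG = "collector_binaries_whitelist: []\n"
BAD_ESCAPE_CONFIG = r'''collector_binaries_whitelist:
  - "C:\Program Files\nxlog\nxlog.exe"
'''

if __name__ == "__main__":
    for name, cfg in [("as posted", THREAD_CONFIG), ("fixed", FIXED_CONFIG),
                      ("lowercase drive", LOWERCASE_DRIVE_CONFIG),
                      ("empty list", DISABLED_CONFIG), ("bad escape", BAD_ESCAPE_CONFIG)]:
        print(name, check_binary(cfg, NXLOG_PATH))
```

Run it against the real file with `check_binary(open(path).read(), r"C:\Program Files\nxlog\nxlog.exe")`; a key that parses but is not spelled exactly `collector_binaries_whitelist`, or an empty list, shows up in `findings` before the service is restarted.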

Interesting! Case Sensitive and Windows rarely go together other than passwords. Thanks for following up on that!!
