Problems with NXLog with sidecar 1.0.1 on 32bit Windows

(Larry Schroth) #1

I’m having a problem with sidecar 1.0.1 and a windows 32bit machine. NXLog is installed in the c:\program files\nxlog but sidecar keeps looking for it in the c:\program files (x86) directory. When I change the patch to be c:\program files\nxlog, it returns the following error:
" could not execute c:\program files\nxlog\nxlog.exe, binary path not in the collector_binaries_whitelist config option"

below is my Collector Binaries Whitelist.


  • “C:\Program Files\Graylog\sidecar\filebeat.exe”
  • “C:\Program Files\Graylog\sidecar\winlogbeat.exe”
  • “C:\Program Files\Filebeat\filebeat.exe”
  • “C:\Program Files\Packetbeat\packetbeat.exe”
  • “C:\Program Files\Metricbeat\metricbeat.exe”
  • “C:\Program Files\Heartbeat\heartbeat.exe”
  • “C:\Program Files\Auditbeat\auditbeat.exe”
  • “C:\Program Files\nxlog\nxlog.exe”

(bullet points are actually “-”)

(Tmacgbay) #2

I don’t use nxlog but taking a random guess… you may need to \ your \ like this example…

  - "/usr/lib/graylog-sidecar/filebeat"
  - "/usr/bin/filebeat"
  - "/usr/bin/packetbeat"
  - "/usr/bin/nxlog"
  - "C:\\Program Files\\Sysmon\\Sysmon64.exe"

Another complete guess to experiment with would be single quotes rather than double.

(Larry Schroth) #3

Thanks for the suggestion. I typed in my Collectors_binaries_whitelist incorrectly. It actually has the following:

  • “C:\Program Files\Graylog\sidecar\filebeat.exe”
  • “C:\Program Files\Graylog\sidecar\winlogbeat.exe”
  • “C:\Program Files\Filebeat\filebeat.exe”
  • “C:\Program Files\Packetbeat\packetbeat.exe”
  • “C:\Program Files\Metricbeat\metricbeat.exe”
  • “C:\Program Files\Heartbeat\heartbeat.exe”
  • “C:\Program Files\Auditbeat\auditbeat.exe”
  • “C:\Program Files\nxlog\nxlog.exe”

(bullet points are actually “-”)

The ones above the nxlog line are from the examples, but it does not seem to take…

(Larry Schroth) #4

Sorry, each line has double '\", but the editor is takening them out…

(Tmacgbay) #5

you can use the </> formatting button to maintain preformatted text. Did you try using single rather than double quotes?

(Larry Schroth) #6

Yes, tried it with the \\ and \ and with double quotes and single quotes. Error message is the same both ways.

(Tmacgbay) #7

Post up more surrounding information - The whole config (not just the whitelist) , any related nxlog config or log files… again, I don’t use nxlog, so it’s harder to guess from minimal information… :wink:

(Larry Schroth) #8

Here is the whole sidecar.yml

# The URL to the Graylog server API.
# Default: ""
server_url: "http://172.16.x.xx:9000/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "xxxxxxxxxxxxxxxxxxxxxx"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
# ATTENTION: Every sidecar instance needs a unique ID!
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: "VOPvoice"

# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see
# Example:
#   collector_binaries_whitelist:
#        "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#        "C:\\Program Files\\Filebeat\\filebeat.exe"
#	"C:\\Program Files\\nxlog\\nxlog.exe"

# Example disable whitelisting:
#  collector_binaries_whitelist: "c:\\Program Files\\nxlog\\nxlog.exe"

- "c:\\Program Files\\nxlog\\nxlog.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
#  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files\\nxlog\\nxlog.exe"

here is the output from debug output of sidecar:

C:\Program Files\Graylog\sidecar>graylog-sidecar.exe -debug -c “c:\Program Files
time=“2019-04-28T18:21:25-05:00” level=info msg=“Using node-id: xxxxxxxxxxxx”
time=“2019-04-28T18:21:25-05:00” level=debug msg=“Creating rotated log writer (1
0/10) for: C:\Program Files\Graylog\sidecar\logs\sidecar.log”
time=“2019-04-28T18:21:25-05:00” level=info msg=“Starting signal distributor”
time=“2019-04-28T18:21:35-05:00” level=info msg=“Adding process runner for: nxlo
time=“2019-04-28T18:21:35-05:00” level=info msg="[nxlog_32bit] Configuration cha
nge detected, rewriting configuration file."
time=“2019-04-28T18:21:35-05:00” level=error msg="[nxlog_32bit] Couldn’t execute
collector C:\Program Files\nxlog\nxlog.exe, binary path is not included in `
collector_binaries_whitelist’ config option."
time=“2019-04-28T18:21:45-05:00” level=debug msg="[RequestBackendList] No update
time=“2019-04-28T18:21:45-05:00” level=debug msg="[RequestConfiguration] No upda
te available, skipping update."
time=“2019-04-28T18:21:51-05:00” level=info msg=“Stopping signal distributor”
time=“2019-04-28T18:21:51-05:00” level=debug msg="[signal-processor] (seq=1) han
dling cmd: shutdown"
time=“2019-04-28T18:21:51-05:00” level=info msg="[nxlog_32bit] Stopping"

(Jan Doberstein) #9

you should use the code block around your configuration. that makes it reable.

  Your text here
(Tmacgbay) #10

Please edit your post and use the code block as Jan suggested. Highlight the code and click on the </> button above your edit. The results show on the right side panel before you post.

(Larry Schroth) #11

Updated the code block to be in the correct format

(Tmacgbay) #12

What does your nxlog.conf configuration look like? I defaults to install at

C:\Program Files (x86)\nxlog\conf

but yours might be at

C:\Program Files\nxlog\conf

More specifically is the ROOT path defined properly in there? I am not sure if sidecar is aware of the NXLOG configuration file (still in guess mode)

Are you defining the installation path specifically during install?

> msiexec /i nxlog-4.3.4308_windows_x64.msi /q INSTALLDIR="C:\program files\nxlog"

What other troubleshooting steps have you taken??

(Larry Schroth) #13

The nxlog.conf looks correct:

define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension logrotate>
    Module  xm_fileop
        When    @daily
        Exec    file_cycle('%ROOT%\data\nxlog.log', 7);

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536

<Input eventlog>
        Module im_msvistalog
        PollInterval 1
        SavePos True
        ReadFromLast True
        #Channel System
        #  <QueryList>
        #   <Query Id='1'>
        #    <Select Path='Security'>*[System/Level=4]</Select>
        #    </Query>
        #  </QueryList>

<Input file>
	Module im_file
	File 'C:\Windows\MyLogDir\\*.log'
	PollInterval 1
	SavePos	True
	ReadFromLast True
	Recursive False
	RenameCheck False
	Exec $FileName = file_name(); # Send file name with each message

<Output gelf>
	Module om_tcp
	Port 22222
	OutputType  GELF_TCP
	  # These fields are needed for Graylog
	  $gl2_source_collector = 'a0227add-290d-49a8-aad3-f4f54ff29683';
	  $collector_node_id = 'VOPvoice';

<Route route-1>
  Path eventlog => gelf
<Route route-2>
  Path file => gelf

This is an installation on a 32 bit os. The default path for all installations on 32 bit is “c:\program files”. I have tried all different types of path variations, but nothing seems to work.

I will put in a bug to github and see what the developers come back with…

(Tmacgbay) #14

Probably best. Another thought… create a C:\Program Files (x86)\nxlog directory anyway and just work from it there.

(Larry Schroth) #15

I agree, I can make it work that way.

1 Like
(Larry Schroth) #16

Ended making it work with the addition to the sidecar.yml on the machine. The line is very case sensitive…

collector_binaries_whitelist: [ “C:\Program Files\nxlog\nxlog.exe” ]

1 Like
(Tmacgbay) #17

Interesting! Case Sensitive and Windows rarely go together other than passwords. Thanks for following up on that!!