I am trying to ship Windows logs to my Graylog server using the Sidecar and after following the documentation (multiple times to be sure), I am ending up with the error:
ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.
Any ideas what could be causing this? I am using the latest version of Graylog with the correct sidecar version.
I installed nxlog-ce-2.10.2150.msi on this page and deactivated the system service as the document suggests. Is there anything else that needs to be installed?
Need more information. Post your C:\Program Files\Graylog\sidecar\sidecar.yml. Here is mine… Make sure yours is pointed at your Graylog server and the paths to the nxlog executables are correct. Then restart the Windows sidecar service.
Interesting. A lot of the configuration is still commented out. The Graylog sidecar documentation states nothing else needs configuring besides host and API token.
# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://192.168.139.11:9000/api"
# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "TOEN"
# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""
# The update interval in seconds. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10
# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: false
# This enables/disables the transmission of detailed sidecar information like
# collector statuses, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true
# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
# list_log_files:
# - "/var/log/nginx"
# - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []
# Directory where the sidecar stores internal data.
#cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"
# Directory where the sidecar stores logs for collectors and the sidecar itself.
#log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"
# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"
# The maximum number of old log files to retain.
#log_rotate_keep_files: 10
# Directory where the sidecar generates configurations for collectors.
#collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"
# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
# collector_binaries_whitelist:
# - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
# - "C:\\Program Files\\Filebeat\\filebeat.exe"
#
# Example disable whitelisting:
# collector_binaries_whitelist: []
#
# Default:
# collector_binaries_whitelist:
# - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
# - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
# - "C:\\Program Files\\Filebeat\\filebeat.exe"
# - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
# - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
# - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
# - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
# - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"
Are there other log files on the client? What do the surrounding lines look like? Hard to guess what is going on with only one line… Is the nxlog.exe at the path you have specified?
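The checks asked for in the reply above (is the server URL and token set, do the collector binaries exist at the whitelisted paths, is the service installed, what do the surrounding sidecar log lines say) can be run in one go. This is an added diagnostic script, not code from the thread or from Graylog; it assumes the default sidecar.yml and log paths shown in the posted configuration, that the nxlog MSI registers a Windows service named "nxlog", that the sidecar service is named "graylog-sidecar", that the sidecar writes to logs\sidecar.log, and that the Graylog API accepts the API token as an HTTP Basic username with the fixed password "token". It prints only the length of the token, never its value.

```powershell
# Added example (not from the thread): sanity-check a Graylog Sidecar install on Windows.
# Assumption: default install paths from the posted sidecar.yml.
$sidecarYml = 'C:\Program Files\Graylog\sidecar\sidecar.yml'
$sidecarLog = 'C:\Program Files\Graylog\sidecar\logs\sidecar.log'   # assumed log file name

# Minimal reader for one top-level "key: value" line; comment lines are ignored.
function Get-YamlScalar {
    param([string[]]$Lines, [string]$Key)
    foreach ($l in $Lines) {
        if ($l -match '^\s*#') { continue }
        if ($l -match "^\s*$Key\s*:\s*`"?([^`"]*)`"?\s*$") { return $Matches[1] }
    }
    return $null
}

if (-not (Test-Path $sidecarYml)) {
    Write-Error "sidecar.yml not found at $sidecarYml"
    return
}
$lines     = Get-Content $sidecarYml
$serverUrl = Get-YamlScalar -Lines $lines -Key 'server_url'
$token     = Get-YamlScalar -Lines $lines -Key 'server_api_token'

Write-Host "server_url       : $serverUrl"
if ($token) { Write-Host "server_api_token : set ($($token.Length) chars)" }
else        { Write-Warning "server_api_token is empty" }

# 1. Can this host reach the Graylog API with that token?
#    Assumption: Graylog accepts the API token as Basic-auth user with password "token".
if ($serverUrl -and $token) {
    $apiRoot = $serverUrl.TrimEnd('/') + '/'
    $auth    = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${token}:token"))
    try {
        $resp = Invoke-WebRequest -Uri $apiRoot -UseBasicParsing -TimeoutSec 10 `
                  -Headers @{ Authorization = "Basic $auth"; Accept = 'application/json' }
        Write-Host "Graylog API reachable: HTTP $($resp.StatusCode)"
    } catch {
        Write-Warning "Graylog API not reachable or token rejected: $($_.Exception.Message)"
    }
}

# 2. Do the collector binaries exist where the whitelist expects them?
#    Paths taken from the default collector_binaries_whitelist in the posted sidecar.yml.
$binaries = @(
    'C:\Program Files (x86)\nxlog\nxlog.exe',
    'C:\Program Files\Graylog\sidecar\filebeat.exe',
    'C:\Program Files\Graylog\sidecar\winlogbeat.exe'
)
foreach ($b in $binaries) {
    $state = if (Test-Path $b) { 'present' } else { 'MISSING' }
    Write-Host ('{0,-8} {1}' -f $state, $b)
}

# 3. Are the relevant Windows services installed, and in what state?
#    Assumption: service names "graylog-sidecar" and "nxlog".
foreach ($svcName in 'graylog-sidecar', 'nxlog') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) { Write-Host "service $svcName : $($svc.Status)" }
    else      { Write-Warning "service $svcName is not installed on this host" }
}

# 4. Show the lines around the error instead of the single line.
if (Test-Path $sidecarLog) {
    Write-Host "--- last 20 lines of $sidecarLog ---"
    Get-Content $sidecarLog -Tail 20
} else {
    Write-Warning "sidecar log not found at $sidecarLog"
}
```

Run it from an elevated PowerShell on the client. A MISSING binary line or an "is not installed" warning for the nxlog service narrows the problem to install paths or the collector service rather than to the Graylog side, while an API warning points at the server_url or token.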
Everything points to the exact same error. The path is also correct. I just decided to switch to beats but when trying to configure that, I also received an error:
Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?
Found a reply by you in a quick search suggesting to change the default lines in the configuration to this:
filebeat:
  inputs:
    - type: log
      enabled: true
When using the default configuration for filebeat on Windows in Graylog, it loads this:
This tells me that there are issues with the default configurations in the Sidecar that have yet to be fixed. The same may apply for nxlog but fixing that is way over my skill level.
Beats I can help with more. Here is a working Graylog sidecar log collector configuration (filebeat for Windows IIS); it has some extra config beyond the default.
Is it possible to create a stream with these messages? I tried doing so but messages don’t load. I went to Streams, create a stream, selected the default index set and created a rule with the field gl2_source_collector and the ID as value.
So I created a stream with a rule Field gl2_source_collector must match exactly d99efffe-14f1-40f6-9fb....... and while it works okay, I noticed that it only shows recent messages (last 24 hours) but if I do a search using gl2_source_collector:d99efffe-14f1-40f6-9fb...... I see all messages received ever since configuring it. Is this normal behavior?