Sidecar and NXlog - Couldn't open nxlog service;

I am trying to ship Windows logs to my Graylog server using the Sidecar and after following the documentation (multiple times to be sure), I am ending up the error:

ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.  

Any ideas what could be causing this? I am using the latest version of Graylog with the correct sidecar version.

You downloaded the nxlog binaries, installed nxlog and deactivated the system service?

https://docs.graylog.org/en/3.2/pages/sidecar.html#nxlog-on-windows

I installed nxlog-ce-2.10.2150.msion this page and deactivated the system service as the document suggests. Is there anything else that needs to be installed?

Need more information. Post your C:\Program Files\Graylog\sidecar\sidecar.yml. here is mine… Make sure yours it pointed at your Graylog Server and the paths the the nxlog executables are correct. The restart the windows sidecar service.

server_url: http://honker:9000/api/
server_api_token: " <generated gobble-d-gook>" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: nxlog
      enabled: true
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml

Interesting. A lot is of the configuration is still commented. Graylog sidecar documentation states nothing else needs configuring besides host and api token.

    # The URL to the Graylog server API.
    # Default: "http://127.0.0.1:9000/api/"
    server_url: "http://192.168.139.11:9000/api"

    # The API token to use to authenticate against the Graylog server API.
    # Default: none
    server_api_token: "TOEN"

    # The node ID of the sidecar. This can be a path to a file or an ID string.
    # If set to a file and the file doesn't exist, the sidecar will generate an
    # unique ID and writes it to the configured path.
    #
    # Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
    # Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
    #
    # ATTENTION: Every sidecar instance needs a unique ID!
    #
    # Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
    node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

    # The node name of the sidecar. If this is empty, the sidecar will use the
    # hostname of the host it is running on.
    # Default: ""
    node_name: ""

    # The update interval in secods. This configures how often the sidecar will
    # contact the Graylog server for keep-alive and configuration update requests.
    # Default: 10
    update_interval: 10

    # This configures if the sidecar should skip the verification of TLS connections.
    # Default: false
    tls_skip_verify: false

    # This enables/disables the transmission of detailed sidecar information like
    # collector statues, metrics and log file lists. It can be disabled to reduce
    # load on the Graylog server if needed. (disables some features in the server UI)
    # Default: true
    send_status: true

    # A list of directories to scan for log files. The sidecar will scan each
    # directory for log files and submits them to the server on each update.
    #
    # Example:
    #     list_log_files:
    #       - "/var/log/nginx"
    #       - "/opt/app/logs"
    #
    # Default: empty list
    #list_log_files: []

    # Directory where the sidecar stores internal data.
    #cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

    # Directory where the sidecar stores logs for collectors and the sidecar itself.
    #log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

    # The maximum size of the log file before it gets rotated.
    #log_rotate_max_file_size: "10MiB"

    # The maximum number of old log files to retain.
    #log_rotate_keep_files: 10

    # Directory where the sidecar generates configurations for collectors.
    #collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

    # A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
    # Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
    # Example:
    #     collector_binaries_whitelist:
    #       - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
    #       - "C:\\Program Files\\Filebeat\\filebeat.exe"
    #
    # Example disable whitelisting:
    #     collector_binaries_whitelist: []
    #
    # Default:
    # collector_binaries_whitelist:
    #  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
    #  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
    #  - "C:\\Program Files\\Filebeat\\filebeat.exe"
    #  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
    #  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
    #  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
    #  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
    #  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"

I just tried your configuration but it gives me the same message:

Here’s my issue on github https://github.com/Graylog2/collector-sidecar/issues/390

I have tried every different way to get this working for about a week now and no luck. Always the same message.

there are sidecar logs on the windows machine that might give you more information

C:\Program Files\Graylog\sidecar\logs

I use beats rather than nxlog so I am limited in testing on my side. :frowning:

The same error is displayed inside of that log file:

ERROR Couldn't open nxlog service; The specified service does not exist as an installed service.

Are there other log files on the client ? What are the surrounding lines look like? Hard to guess what is going on with only one line… is the nexlog.exe on the path you have specified?

Everything points to the exact same error. The path is also correct. I just decided to switch to beats but when trying to configure that, I also received an error:

Exiting: no modules or inputs enabled and configuration reloading disabled. What files do you want me to watch?

Found a reply by you on a quick search suggesting to change the default line from the configuration to this:

filebeat:
  inputs:
    - type: log
      enabled: true

When using the default configuration for filebeat on Windows in Graylog, it loads this:

filebeat.inputs:
  type: log
  enabled: true
  paths:
    - C:\logs\log.log

This tells me that there are issues with the default configurations in the Sidecar that have yet to be fixed. The same may apply for nxlog but fixing that is way over my skill level.

Thanks for your help.

Beats I can help with more - here is a working graylog sidecar log collector configuration - filebeat for windows iis - has some extra config from default.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: 
   - ${"192.168.1.1:5044"}
   ssl:
   verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows, iis
filebeat:
  inputs:
    - type: log
      enabled: true
      # include_lines: ['example', 'Turf', 'stuff'] #Commented out... for now
      exclude_lines: ['^#'] # --exclude anything that starts with #
      fields:
        tag: tropics_iis
      ignore_older: 72h
      paths:
        - E:\IIS_Logfiles\W3SVC2\*.log
1 Like

Thanks for this configuration.

Is it possible to create a stream with these messages? I tried doing so but messages don’t load. I went to Streams, create a stream, selected the default index set and created a rule with the field gl2_source_collector and the ID as value.

https://docs.graylog.org/en/3.2/pages/streams.html

So I created a stream with a rule Field gl2_source_collector must match exactly d99efffe-14f1-40f6-9fb....... and while it works okay, I noticed that it only shows recent messages (last 24 hours) but if I do a search using gl2_source_collector:d99efffe-14f1-40f6-9fb...... I see all messages received ever since configuring it. Is this normal behavior?

Screen shots might help - What version of graylog are you using?

For reason I can now see all messages. I am on the latest version of Graylog ( 3.2.4+a407287 ).

One last question, I have the tag “veeam” in my configuration like so:

    tags:
     - veeam
    #filebeat.inputs:
    #  type: log
    #  enabled: true
    #  paths:
    #    - C:\logs\log.log
    filebeat:
      inputs:
        - type: log
          enabled: true
          paths:   
            - C:\ProgramData\Veeam\Backup\Lab\Job.Lab.Backup.log

but what I wanted to add another path, how would I properly tag it? By creating another configuration?

Here is an excerpt of me hitting two windows log files… it should convert easily…

filebeat:
  inputs:
##### find owa logon and logoff but not when the HealthMailbox does it.
    - type: log
      enabled: true
      include_lines: ['auth.owa', 'logoff.owa', 'ClientDisconnect']
      exclude_lines: ['HealthMailbox','^#']
      fields:
        unique_log_tag: OWA
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.LOG
#
##### find RPC/HTTP logins but still not the HealthMailbox and not internal
    - type: log
      enabled: true
      include_lines: ['Exchange.asmx']
      exclude_lines: ['HealthMailbox','^#','^DateTime','AnchorMailboxHeader-SMTP','192.168.[0-9]+.[0-9]+']
      fields:
        unique_log_tag: rpc_http
      ignore_older: 72h    
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews\*.LOG
#
2 Likes

This is perfect. Thank you!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.