Sidecar Collector Not Being Started on Windows Reboot

jwblant · January 6, 2022, 6:40pm

I’ve run into an issue on two different Windows servers running 2016 and 2019 where the sidecar service will start, but the collectors won’t. The logs just state that a configuration change was detected and rewrites the file, but times out when trying to validate the configuration. If I start the collector from within Graylog, it starts without any issues. I’m running Sidecar 1.1.0 with Graylog 4.2.4 on Windows Server 2016 and 2019.

Has anyone else seen anything like this?

time=“2022-01-06T12:16:55-05:00” level=info msg=“Starting signal distributor”
time=“2022-01-06T12:17:05-05:00” level=info msg=“Adding process runner for: winlogbeat”
time=“2022-01-06T12:17:05-05:00” level=info msg=“[winlogbeat] Configuration change detected, rewriting configuration file.”
time=“2022-01-06T12:17:35-05:00” level=error msg=“[winlogbeat] Unable to validate configuration, timeout reached.”

tmacgbay · January 6, 2022, 8:17pm

Anything else interesting in the sidecar logs at C:\Program Files\Graylog\sidecar\logs ? Are there differences in the log based on a restart ont he windows side vs a restart from the Graylog GUI? Make sure to use the forum tool </> if you post logs for examination. You can also post your sidecar.yml for examination if you like (with </> tool)

jwblant · January 12, 2022, 1:47pm

This is on another server, also running Windows 2019. These are the only entries in that log. After the server rebooted last night, the sidecar collectors started failing. There are no configuration changes or anything. The only change is a reboot. Besides the server URL and token, the rest of the sidecar.yml file is default. And to be clear, the sidecar itself is up and connected. The issue is purely with the collector services.

time="2022-01-11T17:37:20-05:00" level=info msg="Starting signal distributor" 
time="2022-01-11T17:37:30-05:00" level=info msg="Adding process runner for: winlogbeat" 
time="2022-01-11T17:37:30-05:00" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2022-01-11T17:38:02-05:00" level=error msg="[winlogbeat] Unable to validate configuration, timeout reached."

tmacgbay · January 12, 2022, 4:18pm

I found this post - What version of winlogbeat are you using? I Imagine the default that comes with sidecar 1.1.0… The solution posted there was to update beats to 7.11.1 (or perhaps newer) If you had an older sidecar on the server, it may not have updated winlogbeat

system · January 26, 2022, 4:19pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat sidecar needs to be restarted on Windows reboot Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	2	656	November 18, 2020
Sidecar not starting wrappers Graylog Central (peer support)	27	1623	October 24, 2022
New Graylog Sidecar Running But Not Sending Data Graylog Central (peer support) sidecar , winlogbeat	2	1526	July 29, 2019
Filebeat sidecar needs to be restarted on Windows reboot (reopen) Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	6	831	December 11, 2020
Error Starting Sidecar Service on Windows Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	29	7194	September 7, 2020

Sidecar Collector Not Being Started on Windows Reboot

Related topics