Hello! I am having an issue with writing the sidecar configuration for auditbeat and journalbeat.
I want to test out filebeat, auditbeat and journalbeat and for that I need all of these to work.
Now I have filebeat pretty much figured out, as there’s tons of official documentation about it.
However I cannot figure out how to configure sidecars for auditbeat and journalbeat nor do I know how to install and configure them on the host from which the data will be collected.
I am aware of the documentation available from elasticsearch, but I am unable to use it to my advantage, as there’s no mention of graylog in there whatsoever and everything that I’ve found is related to Windows hosts.
I have already configured the Beats Input. My graylog version is 4.3.7
Yeah, I also have not found much on those log shippers as for configuring it on Graylog.
I have install Packetbeat perhaps it can give you an Idea what to look for. I took some documentations from Graylog and from Elasticsearch for the beats log shipper configuration.
Example below I user Graylog Sidecar with Packet Beat.
Created Input Beat port 5066
Installed packet beat from here on remote Linux node
Adjusted Graylog sidecar configuration file to pick up Packetbeat
# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# - "/usr/bin/filebeat"
# - "/opt/collectors/*"
# Example disable whitelisting:
# collector_binaries_whitelist: 
# - "/usr/bin/metricbeat"
# - "/usr/bin/heartbeat"
# - "/usr/bin/auditbeat"
# - "/usr/bin/journalbeat"
# - "/usr/share/metricbeat/bin/metricbeat"
# - "/usr/share/heartbeat/bin/heartbeat"
# - "/usr/share/auditbeat/bin/auditbeat"
# - "/usr/share/journalbeat/bin/journalbeat"
# - "/usr/bin/nxlog"
# - "/opt/nxlog/bin/nxlog"
On Graylog GUI, i made the template and attached to the remote node.
Got it working myself! The configuration file was fine. The thing that was missing was execute parameters.
For anyone who comes here with a similliar problem, make sure that your execute params are this:
As for journalbeat, I haven’t gotten to that yet. But I can sense a pattern here, these log collectors are pretty much the same (configuration wise), so you really don’t need to fiddle with them for hours, you can just look at the default config and deduce what should be changed.
For anyone interested:
Working configs for auditbeat and journalbeat:
# Needed for Graylog
- module: file_integrity
- module: system
- host # General host information, e.g. uptime, IPs
- process # Started and stopped processes
user.detect_password_changes: true #added
#processors: #Commented out
# - add_host_metadata: ~
# - add_cloud_metadata: ~