Sidecar Showing Incorrect Node IP Address

Graylog 3.0.1

I am experimenting with Sidecars to send Windows logs via beats. I have it working fine on one Windows server that is on the same subnet as my Graylog server, but a Windows server on a different subnet is not able to send in logs.

There is a firewall between the two subnets. I have ports 5044 and 9000 open between the two subnets. Running a packet trace on my firewall, as well as Wireshark/tcpdump on the Windows host and Graylog, shows me that packets over port 9000 are making it round trip between the Windows host in one subnet and the Graylog host in the other subnet, so at first glance it looks like my firewall rules are allowing traffic properly between the two subnets.

However, 1) I get no logs loaded via the sidecar, 2) the sidecar status page in Graylog shows a node IP address of 168.254.89.202 (which is obviously not correct), and 3) while the graylog-collector-winlogbeat service is running on the Windows server that is sending logs successfully, the server that is not sending logs does not have that service running.

Any ideas what could cause this?

I was able to get the messages flowing into Graylog, but the IP still looks incorrect on the sidecar status screen.

Apparently I had to apply the configuration that I had set up for my winlogbeat to this particular node before it would send the configuration back to the node… I think. I’m still learning.

I was able to get the messages flowing into Graylog, but the IP still looks incorrect on the sidecar status screen.

Could you describe what IP that might be? Like the Firewall IP between the both or an additional IP the Server where Sidecar runs has or similar?

Just want to find if that is an issue that we need to work on or if that is something specific to your Setup.

Can you do an ipconfig /all on the Windows machine that is sending the logs? I usually find there is another adapter that has that IP address

A 169.254.x.x IP is apparently a self-assigned IP address that a device can self-apply if it is configured for DHCP but can’t find a DHCP server. I’m really not sure where the specific address of 169.254.89.202 is coming from in this case. None of the network interfaces on my firewall have IP addresses in this range.

@jack-MS When I run ipconfig on the Windows host, I do see one interface (a “virtual” adapter for Npcap) with a 169.254.x.x IP address, but it does not match the IP address I see in my Graylog sidecar status.