I am experimenting with Sidecars to send Windows logs via beats. I have it working fine on one Windows server that is on the same subnet as my Graylog server, but a Windows server on a different subnet is not able to send in logs.
There is a firewall between the two subnets. I have ports 5044 and 9000 open between the two subnets. Running a packet trace on my firewall, as well as Wireshark/tcpdump on the Windows host and Graylog, shows me that packets over port 9000 are making it round trip between the Windows host in one subnet and the Graylog host in the other subnet, so at first glance it looks like my firewall rules are allowing traffic properly between the two subnets.
However, 1) I get no logs loaded via the sidecar, 2) the sidecar status page in Graylog shows a node IP address of 168.254.89.202 (which is obviously not correct), and 3) while the graylog-collector-winlogbeat service is running on the Windows server that is sending logs successfully, the server that is not sending logs does not have that service running.
I was able to get the messages flowing into Graylog, but the IP still looks incorrect on the sidecar status screen.
Apparently I had to apply the configuration that I had set up for my winlogbeat to this particular node before it would send the configuration back to the node… I think. I’m still learning.
A 169.254.x.x IP is apparently a self-assigned IP address that a device can self-apply if it is configured for DHCP but can’t find a DHCP server. I’m really not sure where the specific address of 169.254.89.202 is coming from in this case. None of the network interfaces on my firewall have IP addresses in this range.
@jack-MS When I run ipconfig on the Windows host, I do see one interface (a “virtual” adapter for Npcap) with a 169.254.x.x IP address, but it does not match the IP address I see in my Graylog sidecar status.
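An added PowerShell diagnostic (not code from this thread or from the Graylog project) that checks, on the affected Windows host, the three symptoms in the first post and the 169.254.x.x question from the replies: whether the collector service exists and runs, whether TCP 9000 and 5044 are reachable through the firewall, and which adapters carry an APIPA address. The Graylog hostname is a placeholder assumption.

```powershell
# Constructed diagnostic for the symptoms discussed above; not from the Graylog project.
# Assumptions: $GraylogHost is a placeholder for the Graylog server; ports 9000 (API)
# and 5044 (Beats input) and the service name are taken from the thread.
param(
    [string]$GraylogHost  = "graylog.example.internal",      # placeholder, not a real host
    [int[]] $Ports        = @(9000, 5044),
    [string]$ServiceName  = "graylog-collector-winlogbeat"
)

# 1) Is the collector service that Sidecar should have rendered and started present and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "Service '$ServiceName' is not installed on this host (no configuration applied to this node yet?)."
} else {
    Write-Output "Service '$ServiceName' status: $($svc.Status)"
}

# 2) Can this host complete a TCP handshake to the Graylog API and the Beats input?
#    A round trip on 9000 alone does not prove 5044 is open; test both.
foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $GraylogHost -Port $p -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { "open" } else { "BLOCKED" }
    Write-Output ("TCP {0}:{1} -> {2} (source {3})" -f $GraylogHost, $p, $state, $r.SourceAddress.IPAddress)
}

# 3) Which local interfaces carry an APIPA (169.254.0.0/16) address? A virtual adapter such as
#    Npcap's can hold one; this lists every candidate so it can be compared with the Sidecar status page.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like "169.254.*" } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the host that is not sending logs; the source address printed in step 2 shows which interface Windows actually uses to reach Graylog, which is useful when comparing against the node IP shown in the Sidecar status page.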