Sidecar/Winlogbeat Question

All:

I have not found any documentation on a specific question I have regarding Graylog Sidecar/winlogbeat. I am trying to understand how the Sidecar/winlogbeat behaves in the following failure scenarios:

  1. Graylog server is reachable on the network, but not processing logs sent by the Sidecar
  2. Graylog server is not reachable on the network because it is down for upgrades or due to other failure

My main concern is whether, if the Graylog server is offline for some reason, there is a potential for a “log storm” on the network in general because the sidecar keeps attempting to send and resend the logs that are pending.

Thanks,
Adam

Watching the log files at C:\Program Files\Graylog\sidecar\logs to see what sidecar is doing and setting up some test scenarios should help. They are pretty descriptive, so you should get a better understanding of how the sidecar handles it. You can also define in your configuration something like

ignore_older: 3h

to ignore older log files…


Hey @avelardo890

I just want to clarify - sidecar is not sending any logs. It just controls message collectors (like winlogbeat). This might enable you to find the answers better.

Winlogbeat, if the target for the logs is not reachable, will keep trying to send the messages until the target is reachable again, and then send all not-yet-sent messages to Graylog, taking into account whatever configuration is given (as mentioned by @tmacgbay). As the behaviour can be made to fit your needs, no “rules” are given.

Flexibility is the feature that enables you to fit nearly any local needs, but might be confusing in the beginning.
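To make the retry behaviour described above concrete, here is an added example winlogbeat.yml for the Sidecar to manage. It is not from this thread or from the Graylog project; the host name is a placeholder, and the `backoff`, `queue.mem` and `ignore_older` keys are the standard Beats settings that govern how much traffic an unreachable Graylog Beats input actually causes:

```yaml
# Added example winlogbeat.yml (not from this thread); the Graylog host is a placeholder.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h        # after a long outage, skip events older than 72h instead of replaying them all
  - name: Security
    ignore_older: 72h
  - name: System
    ignore_older: 72h

# Events wait in this in-memory queue while the Graylog Beats input is unreachable.
# When it is full, Winlogbeat stops reading the event log and resumes later from
# its bookmark, so nothing is flooded onto the network in the meantime.
queue.mem:
  events: 4096

output.logstash:
  hosts: ["graylog.example.internal:5044"]   # placeholder: the Graylog Beats input
  timeout: 30s                               # wait this long for the server to acknowledge a batch
  # Reconnect attempts back off exponentially from 1s up to 60s, so an unreachable
  # server sees a handful of small connection attempts per minute, not a log storm.
  backoff.init: 1s
  backoff.max: 60s
```

Two points follow from this for the scenarios in the question. A server that is down simply triggers the backoff loop, and the cost is one TCP connection attempt every `backoff.max` at most; the real burst only happens after recovery, when the queued and bookmarked events are delivered, which `ignore_older` bounds. A server that accepts the connection but does not process the batch is treated the same way, because the Logstash output only drops a batch from the queue once the receiver acknowledges it; with no acknowledgement within `timeout`, the batch is retried. Checking the Sidecar and Winlogbeat log files during a deliberate outage, as suggested above, will show exactly these reconnect and retry messages.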

Thanks for the input Jan and tmacgbay. I think I understand the potential options and behavior of the sidecar and winlogbeat.

Thanks!
