Single collector multiple servers [windows]


(Nav) #1

Hi Folks,
I am running the latest version of graylog 2.4.0. I have performed a custom install for graylog on AWS using a CentOS image.
I have successfully ingested specific windows security events from a server 2012 DC into graylog. The collector status is green and running.
The collector configuration [nxlog] is pushed via graylog.

I have tried to add another windows domain controller and did the basic configuration; however, it’s failing. The new collector node isn’t appearing.
The error logged by nxlog:

2018-02-01 08:51:02 ERROR couldn't connect to tcp socket on ServerIP:5044; A connection attempt failed because the connected party did not properly respond after a period of time or established connection failed because connected host has failed to respond.

The errors logged in the sidecar collector log:

time="2018-02-01T08:57:31Z" level=error msg="[RequestConfiguration] Fetching configuration failed: Get http://ServerIP:9000/api/plugins/org.graylog.plugins.collector/e6e5e646-e79c-4b46-8422-29503febae7b?tags=[\"dc\"]: dial tcp ServerIP:9000: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

time="2018-02-01T08:57:31Z" level=error msg="[UpdateRegistration] Failed to report collector status to server: Put http://ServerIP:9000/api/plugins/org.graylog.plugins.collector/collectors/e6e5e646-e79c-4b46-8422-29503febae7b: dial tcp ServerIP:9000: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond."

The local firewall is turned off and the remote firewall allows connections to ports TCP 5044 and 9000.

The nxlog.conf:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension syslog>
    Module xm_syslog
</Extension>
<Extension gelf>
    Module xm_gelf
</Extension>
<Input in>
    Module im_msvistalog
</Input>
<Output out>
    Module om_tcp
    Host ServerIP
    Port 5044
    OutputType GELF_TCP
</Output>
<Route 1>
    Path in => out
</Route>

I am not sure what is wrong here.
Do I need to create a separate collector configuration for each server, or will one collector configuration be able to manage multiple nodes?

I have already uninstalled and reinstalled nxlog and sidecar, but this doesn’t seem to be working.

I would appreciate it if someone could help me address this issue.

regards,
Nav


(Jan Doberstein) #2

Did you check if you are able to connect to port 9000 on the graylog server IP?

The error suggests that this is not possible.


(Nav) #3

I am able to connect from the working server but not from the other server. Hmm, what could be the issue? The firewall ports on the graylog server are open.


(Nav) #4

The iptables on the CentOS machine:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Is there any connection limit, i.e. how many machines can connect simultaneously?


(Jan Doberstein) #5

> I am able to connect from the working server but not from the other server. Hmm, what could be the issue? The firewall ports on the graylog server are open.

The answer is somewhere in your network.


(Nav) #6

Thanks Jan, I figured out the issue. There was an asymmetric routing issue due to multiple gateways on the server. It’s now sorted out.
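A diagnostic for the two checks this thread ends up needing (reachability of the sidecar API port 9000 and the GELF TCP input port 5044 from the collector host, as Jan asked in #2, and more than one default gateway on the host, the asymmetric-routing cause found in #6). This is an added example, not code from the thread or from Graylog; the Graylog address is passed in as a parameter, and the port numbers are the ones from the nxlog.conf and sidecar log above.

```powershell
# Run on the Windows collector host (the DC that fails to register).
# Assumes PowerShell 5.1+ with the NetTCPIP module (Test-NetConnection, Get-NetRoute).
param(
    [Parameter(Mandatory = $true)][string]$GraylogHost,
    [int[]]$Ports = @(9000, 5044)   # sidecar REST API and the nxlog GELF TCP output
)

# 1. Can this host open a TCP connection to each port the sidecar and nxlog use?
#    A TIMEOUT here with open firewalls is what the thread's errors look like.
foreach ($port in $Ports) {
    $r = Test-NetConnection -ComputerName $GraylogHost -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'TIMEOUT/REFUSED' }
    '{0}:{1} -> {2} (source address {3})' -f $GraylogHost, $port, $state, $r.SourceAddress.IPAddress
}

# 2. More than one IPv4 default route means the SYN may leave via one gateway
#    while replies return via another, so the handshake never completes.
$defaults = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue)
if ($defaults.Count -gt 1) {
    Write-Warning ('{0} default gateways configured; check for asymmetric routing:' -f $defaults.Count)
    $defaults | Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric | Format-Table -AutoSize
} else {
    'Single default gateway: {0}' -f ($defaults | Select-Object -ExpandProperty NextHop)
}
```

Compare the source address reported in step 1 with the interface that owns the preferred default route in step 2; a mismatch points at the same multi-gateway problem described in #6.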


(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.