Solved: Windows Sidecar Throws Error pointing to non-existent line

cinemafunk · February 26, 2021, 1:18am

Hello,

I’ve installed graylog_sidecar_installer_1.0.2-1.exe on my Windows 10 machine. When I attempt to start the service, I’ve been getting failed to start. When I run the below configtest, it says that line 111 didn’t find the expected key. That’s odd because my sidecar.yaml only goes to 86 lines.

C:\Program Files\Graylog\sidecar>graylog-sidecar.exe -configtest
[ConfigFile] YAML config parsing failed on C:\Program Files\graylog\sidecar\sidecar.yml: yaml: line 111: did not find expected key. Exiting.

So I’m very stumped here. I’ve confirmed I’ve been editing the same sidecar.yml that’s in the C:\Program Files\graylog\sidecar\ directory.

Any thoughts on how to debug?

aaronsachs · February 26, 2021, 2:25am

Can you provide a redacted version of the config?

cinemafunk · February 26, 2021, 10:53am

# The URL to the Graylog server API.
# Default: "http://127.0.0.1:9000/api/"
server_url: "http://192.168.X.XX:9000/api"

# The API token to use to authenticate against the Graylog server API.
# Default: none
server_api_token: "super_secret_api_token"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
# Default: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"
node_id: "file:C:\\Program Files\\Graylog\\sidecar\\node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
# Default: ""
node_name: ""

# The update interval in secods. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
# Default: 10
update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
# Default: true
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default: empty list
#list_log_files: []

# Directory where the sidecar stores internal data.
cache_path: "C:\\Program Files\\Graylog\\sidecar\\cache"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
log_path: "C:\\Program Files\\Graylog\\sidecar\\logs"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
collector_configuration_directory: "C:\\Program Files\\Graylog\\sidecar\\generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
     collector_binaries_whitelist:
       - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#       - "C:\\Program Files\\Filebeat\\filebeat.exe"
#
# Example disable whitelisting:
#     collector_binaries_whitelist: []
#
# Default:
# collector_binaries_whitelist:
#  - "C:\\Program Files\\Graylog\\sidecar\\filebeat.exe"
#  - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"
#  - "C:\\Program Files\\Filebeat\\filebeat.exe"
#  - "C:\\Program Files\\Packetbeat\\packetbeat.exe"
#  - "C:\\Program Files\\Metricbeat\\metricbeat.exe"
#  - "C:\\Program Files\\Heartbeat\\heartbeat.exe"
#  - "C:\\Program Files\\Auditbeat\\auditbeat.exe"
#  - "C:\\Program Files (x86)\\nxlog\\nxlog.exe"

reimlima · February 26, 2021, 10:58am

@cinemafunk I passed your file through a yamllint and find these errors:

 yamllint sidecar.yml 
sidecar.yml
  3:1       warning  missing document start "---"  (document-start)
  31:81     error    line too long (81 > 80 characters)  (line-length)
  37:81     error    line too long (81 > 80 characters)  (line-length)
  50:2      warning  missing starting space in comment  (comments)
  59:2      warning  missing starting space in comment  (comments)
  62:2      warning  missing starting space in comment  (comments)
  65:81     error    line too long (83 > 80 characters)  (line-length)
  67:1      warning  comment not indented like content  (comments-indentation)
  67:81     error    line too long (115 > 80 characters)  (line-length)
  68:81     error    line too long (103 > 80 characters)  (line-length)
  70:6      error    syntax error: expected <block end>, but found '<block mapping start>' (syntax)

Edit your file fixing these errors and give it another try.

tmacgbay · February 26, 2021, 12:29pm

Yaml is strict on indentation - you have a line at the end that is indented but should not be:

 collector_binaries_whitelist:
   - "C:\\Program Files\\Graylog\\sidecar\\winlogbeat.exe"

Here is a working sidecar.yml from one of our windows systems:

server_url: http://Glog-thing:9000/api/
server_api_token: "super_secret_thing" 
update_interval: 10
tls_skip_verify: true
send_status: true
list_log_files:
collector_id: file:C:\Program Files\Graylog\sidecar\collector-id
cache_path: C:\Program Files\Graylog\sidecar\cache
log_path: C:\Program Files\Graylog\sidecar\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
collector_binaries_whitelist: []
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\winlogbeat.yml
    - name: filebeat
      enabled: true
      binary_path: C:\Program Files\Graylog\sidecar\filebeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\filebeat.yml
    - name: auditbeat
      enabled: false
      binary_path: C:\Program Files\Graylog\sidecar\auditbeat.exe
      configuration_path: C:\Program Files\Graylog\sidecar\generated\auditbeat.yml

aaronsachs · February 26, 2021, 4:42pm

I was going to say, yamllint is your friend, and it’s absolutely particular, as @tmacgbay mentioned. Both of the replies should get you in a good spot.

cinemafunk · February 27, 2021, 12:22am

Oy vey. That was it. I used to original YAML file provided in the software. But yes, that worked.

system · March 13, 2021, 12:23am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sidecar issue on Win 2008R2 Graylog Central (peer support) sidecar	2	565	June 3, 2019
Graylog Sidecar Graylog Central (peer support) sidecar , nxlog , filebeat-windows , winlogbeat , nodatanx	7	2308	May 21, 2020
Config file: yaml: line 15: could not find expected ':'\n" Graylog Central (peer support)	7	2034	November 18, 2022
Graylog SIDECAR API key Graylog Central (peer support)	3	1167	October 31, 2022
Sidecar returns 404 Graylog Central (peer support) sidecar	4	1649	October 22, 2019

Solved: Windows Sidecar Throws Error pointing to non-existent line

Related topics