Unable to find the Graylog sidecar node logs

Hi Guys,

I have configured the sidecar node with Filebeat and enabled one of the application logs. However, I could not see the logs in the dashboard and did not find any errors in the sidecar or Filebeat logs. Could you please help me find the logs from the Graylog dashboard?

Hi, sandhya

Are the Filebeat and sidecar services running?
Please share the sidecar config.

Hi Bahram,

Thank you for replying. Please find the attached sidecar and filebeat configuration.

Please find the below log file.

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs*
    - /opt/stee/project/services/application/logs

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  #multiline.match: after

#============================= Filebeat modules ===============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#============================== Dashboards =====================================

# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here, or by using the -setup CLI flag or the setup command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the output.elasticsearch.hosts and
# setup.kibana.host options.
# You can find the cloud.id in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the output.elasticsearch.username and
# output.elasticsearch.password settings. The format is <user>:<pass>.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Enabled ilm (beta) to use index lifecycle management instead daily indices.
  #ilm.enabled: false

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== Xpack Monitoring ===============================

# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. Any setting that is not set is
# automatically inherited from the Elasticsearch output configuration, so if you
# have the Elasticsearch output configured, you can simply uncomment the
# following line.
#xpack.monitoring.elasticsearch:
[root@localhost ~]#

hi
First of all please when you send the configuration file
Tap this button.

please check
systemctl status filebeat && systemctl status sidecar
check port for open port 5044 ==> netstat -nltp
check system for talk to server ==> filebeat test config AND filebeat test output
and send Sidecar config file

Hi Bahram,

Please find the below outputs.

Server end: the port is in listen state.

[root@graylog-server]# netstat -anpl |grep -i 5044
tcp6 0 0 :::5044 :::* LISTEN 3709/java
udp6 0 0 ipaddress:5044 :::* 3709/java
udp6 0 0 ipaddress:5044 :::* 3709/java
udp6 0 0 ipaddress:5044 :::* 3709/java
udp6 0 0 ipaddress:5044 :::* 3709/java
[root@graylog-server]#

Client end: the filebeat and sidecar services are running.
[root@localhost01 ~]# systemctl status graylog-sidecar && systemctl status filebeat
● graylog-sidecar.service - Wrapper service for Graylog controlled collector
Loaded: loaded (/etc/systemd/system/graylog-sidecar.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-10-09 07:50:42 +04; 1 weeks 5 days ago
Main PID: 9707 (graylog-sidecar)
CGroup: /system.slice/graylog-sidecar.service
├─ 9707 /usr/bin/graylog-sidecar
└─13778 /usr/share/filebeat/bin/filebeat -c /var/lib/graylog-sidecar/generated/filebeat.conf

Oct 15 20:28:29 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-15T20:28:29+04:00” level=error msg="Can not get file li…
Oct 16 01:09:23 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-16T01:09:23+04:00” level=error msg=“Can not get fi…tory”
Oct 16 06:44:44 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-16T06:44:44+04:00” level=error msg="Can not get file li…
Oct 17 04:41:59 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-17T04:41:59+04:00” level=error msg=“Can not get fi…tory”
Oct 17 07:01:29 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-17T07:01:29+04:00” level=error msg=“Can not get fi…tory”
Oct 17 15:20:43 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-17T15:20:43+04:00” level=error msg="Can not get file li…
Oct 18 08:02:41 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-18T08:02:41+04:00” level=error msg="Can not get file li…
Oct 19 06:06:23 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-19T06:06:23+04:00” level=error msg=“Can not get fi…tory”
Oct 20 01:41:23 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-20T01:41:23+04:00” level=error msg=“Can not get fi…tory”
Oct 20 05:41:17 localhost01.novalocal graylog-sidecar[9707]: time=“2020-10-20T05:41:17+04:00” level=error msg=“Can not get fi…tory”
Hint: Some lines were ellipsized, use -l to show in full.
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2020-10-09 08:16:07 +04; 1 weeks 5 days ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 13935 (filebeat)
CGroup: /system.slice/filebeat.service
└─13935 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc…

Oct 09 08:16:07 localhost01.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch…
[root@localhost01 ~]#

Sidecar config file:

# The URL to the Graylog server API.
server_url: "http://ipaddress:9000/api/"

# The API token to use to authenticate against the Graylog server API.
# This field is mandatory
server_api_token: "cdhm6naqm5n7u49l19kseg59849vujs5o2u1fiun2023unml3o2"

# The node ID of the sidecar. This can be a path to a file or an ID string.
# If set to a file and the file doesn't exist, the sidecar will generate an
# unique ID and writes it to the configured path.
#
# Example file path: "file:/etc/graylog/sidecar/node-id"
# Example ID string: "6033137e-d56b-47fc-9762-cd699c11a5a9"
#
# ATTENTION: Every sidecar instance needs a unique ID!
#
node_id: "file:/etc/graylog/sidecar/node-id"

# The node name of the sidecar. If this is empty, the sidecar will use the
# hostname of the host it is running on.
node_name: "localhost1"

# The update interval in seconds. This configures how often the sidecar will
# contact the Graylog server for keep-alive and configuration update requests.
#update_interval: 10

# This configures if the sidecar should skip the verification of TLS connections.
# Default: false
#tls_skip_verify: false

# This enables/disables the transmission of detailed sidecar information like
# collector statues, metrics and log file lists. It can be disabled to reduce
# load on the Graylog server if needed. (disables some features in the server UI)
send_status: true

# A list of directories to scan for log files. The sidecar will scan each
# directory for log files and submits them to the server on each update.
#
# Example:
#     list_log_files:
#       - "/var/log/nginx"
#       - "/opt/app/logs"
#
# Default:
list_log_files:
  - "/opt/stee/iTraffic/services/eqt-service/logs"

# Directory where the sidecar stores internal data.
cache_path: "/var/cache/graylog-sidecar"

# Directory where the sidecar stores logs for collectors and the sidecar itself.
log_path: "/var/log/graylog-sidecar"

# The maximum size of the log file before it gets rotated.
#log_rotate_max_file_size: "10MiB"

# The maximum number of old log files to retain.
#log_rotate_keep_files: 10

# Directory where the sidecar generates configurations for collectors.
collector_configuration_directory: "/var/lib/graylog-sidecar/generated"

# A list of binaries which are allowed to be executed by the Sidecar. An empty list disables the whitelist feature.
# Wildcards can be used, for a full pattern description see https://golang.org/pkg/path/filepath/#Match
# Example:
#     collector_binaries_whitelist:
#       - "/usr/bin/filebeat"
#       - "/opt/collectors/*"
#
# Example disable whitelisting:
#     collector_binaries_whitelist:
#
# Default:
collector_binaries_whitelist:
  - "/usr/bin/filebeat"
#  - "/usr/bin/packetbeat"
#  - "/usr/bin/metricbeat"
#  - "/usr/bin/heartbeat"
#  - "/usr/bin/auditbeat"
#  - "/usr/bin/journalbeat"
#  - "/usr/share/filebeat/bin/filebeat"
#  - "/usr/share/packetbeat/bin/packetbeat"
#  - "/usr/share/metricbeat/bin/metricbeat"
#  - "/usr/share/heartbeat/bin/heartbeat"
#  - "/usr/share/auditbeat/bin/auditbeat"
#  - "/usr/share/journalbeat/bin/journalbeat"
  - "/usr/bin/nxlog"
  - "/opt/nxlog/bin/nxlog"

Please suggest me how to verify the check system for talk to server ==> filebeat test config AND filebeat test output

Thanks
Sandhya

Hi

first check
sudo systemctl enable filebeat
sudo systemctl start filebeat
sudo systemctl status filebeat


sudo filebeat -e -c /etc/filebeat/filebeat.yml
sudo filebeat test config
sudo filebeat test output

Hi bahram,

Thank you for replying to my queries.

Please find the output from the client server.

[root@localhost ~]# systemctl status filebeat
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-10-26 12:02:49 +04; 6s ago
Docs: https://www.elastic.co/products/beats/filebeat
Main PID: 16559 (filebeat)
CGroup: /system.slice/filebeat.service
└─16559 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc…

Oct 26 12:02:49 localhost.novalocal systemd[1]: Started Filebeat sends log files to Logstash or directly to Elasticsearch…

#####################################

[root@localhost ~]# filebeat -e -c /etc/filebeat/filebeat.yml
2020-10-26T11:59:33.219+0400 INFO instance/beat.go:611 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-10-26T11:59:33.219+0400 INFO instance/beat.go:618 Beat UUID: 8e02babe-5460-4350-93b3-ece74242b8ad
2020-10-26T11:59:33.219+0400 INFO [seccomp] seccomp/seccomp.go:116 Syscall filter successfully installed
2020-10-26T11:59:33.219+0400 INFO [beat] instance/beat.go:931 Beat info {“system_info”: {“beat”: {“path”: {“config”: “/etc/filebeat”, “data”: “/var/lib/filebeat”, “home”: “/usr/share/filebeat”, “logs”: “/var/log/filebeat”}, “type”: “filebeat”, “uuid”: “8e02babe-5460-4350-93b3-ece74242b8ad”}}}
2020-10-26T11:59:33.219+0400 INFO [beat] instance/beat.go:940 Build info {“system_info”: {“build”: {“commit”: “fdb5036adbe45aa10a03882b2245578ad17c3615”, “libbeat”: “6.8.12”, “time”: “2020-08-12T06:26:46.000Z”, “version”: “6.8.12”}}}
2020-10-26T11:59:33.219+0400 INFO [beat] instance/beat.go:943 Go runtime info {“system_info”: {“go”: {“os”:“linux”,“arch”:“amd64”,“max_procs”:8,“version”:“go1.10.8”}}}
2020-10-26T11:59:33.220+0400 INFO [beat] instance/beat.go:947 Host info {“system_info”: {“host”: {“architecture”:“x86_64”,“boot_time”:“2020-08-26T09:54:57+04:00”,“containerized”:false,“name”:“localhost.novalocal”,“ip”:[“127.0.0.1/8”,"::1/128",“10.2.0.29/24”,“fe80::f816:3eff:fed1:25ba/64”],“kernel_version”:“3.10.0-1062.12.1.el7.x86_64”,“mac”:[“fa:16:3e:d1:25:ba”],“os”:{“family”:“redhat”,“platform”:“centos”,“name”:“CentOS Linux”,“version”:“7 (Core)”,“major”:7,“minor”:7,“patch”:1908,“codename”:“Core”},“timezone”:"+04",“timezone_offset_sec”:14400,“id”:“5003025f93c1a84914ea5ae66519c100”}}}
2020-10-26T11:59:33.221+0400 INFO [beat] instance/beat.go:976 Process info {“system_info”: {“process”: {“capabilities”: {“inheritable”:null,“permitted”:[“chown”,“dac_override”,“dac_read_search”,“fowner”,“fsetid”,“kill”,“setgid”,“setuid”,“setpcap”,“linux_immutable”,“net_bind_service”,“net_broadcast”,“net_admin”,“net_raw”,“ipc_lock”,“ipc_owner”,“sys_module”,“sys_rawio”,“sys_chroot”,“sys_ptrace”,“sys_pacct”,“sys_admin”,“sys_boot”,“sys_nice”,“sys_resource”,“sys_time”,“sys_tty_config”,“mknod”,“lease”,“audit_write”,“audit_control”,“setfcap”,“mac_override”,“mac_admin”,“syslog”,“wake_alarm”,“block_suspend”],“effective”:[“chown”,“dac_override”,“dac_read_search”,“fowner”,“fsetid”,“kill”,“setgid”,“setuid”,“setpcap”,“linux_immutable”,“net_bind_service”,“net_broadcast”,“net_admin”,"net_r

#################################
[root@localhost ~]# filebeat test config
Config OK
[root@localhost ~]#

############################################
[root@localhost ~]# filebeat test output
elasticsearch: http://localhost:9200
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: ::1, 127.0.0.1
dial up… ERROR dial tcp [::1]:9200: connect: connection refused
[root@localhost ~]#

I have a query here. Do we need to install and configure Elasticsearch client server also?

No Need
change file /etc/filebeat/filebeat.yml

# ================================= Dashboards =================================

setup.dashboards.enabled: true
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # (kept commented out together with the section header above)
  #hosts: ["<server IP>:9200"]
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["<server IP>:5044"]

Hi Bahram,

After changing the server IP, it is still failing.

[root@localhost ~]# filebeat test output
elasticsearch: http://<graylog server IP adderess:5044…
parse url… OK
connection…
parse host… OK
dns lookup… OK
addresses: <>
dial up… ERROR dial tcp <>:5044: connect: no route to host
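
Both `filebeat test output` results above begin with `elasticsearch:`, so the Elasticsearch output is the section Filebeat still has enabled. The following check is an added example, not part of the thread or of Filebeat or Graylog: it reads a filebeat.yml and reports which `output.*` section is active. The line-based scan (not a full YAML parser), the function names, the finding codes and the three sample configs with the documentation address 192.0.2.10 are constructed for illustration.

```python
"""Report which Filebeat output section is active (added example)."""
import re

BEATS_PORT = "5044"  # port of the Graylog Beats input used in the thread

# Constructed samples. DEFAULT mirrors the output section of the first
# filebeat.yml posted in the thread, MISPOINTED the state implied by
# "elasticsearch: http://...:5044", FIXED the intended end state.
DEFAULT = '''\
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
#output.logstash:
  #hosts: ["localhost:5044"]
'''
MISPOINTED = '''\
output.elasticsearch:
  hosts: ["192.0.2.10:5044"]
#output.logstash:
  #hosts: ["192.0.2.10:5044"]
'''
FIXED = '''\
#output.elasticsearch:
  #hosts: ["192.0.2.10:9200"]
output.logstash:
  hosts: ["192.0.2.10:5044"]
'''

SECTION = re.compile(r"^(output\.\w+):\s*$")
HOSTS = re.compile(r"^\s+hosts:\s*\[(.*?)\]")


def active_outputs(text):
    """Map each uncommented output.* section to its list of hosts."""
    outputs, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if not raw[0].isspace():  # a top-level key starts a new section
            m = SECTION.match(raw.rstrip())
            current = m.group(1) if m else None
            if current:
                outputs[current] = []
        elif current and (m := HOSTS.match(raw)):
            items = m.group(1).split(",")
            outputs[current] = [h.strip().strip("\"'") for h in items if h.strip()]
    return outputs


def findings(text):
    """Return (code, detail) tuples for output problems; empty list if none."""
    outs = active_outputs(text)
    result = []
    if not outs:
        result.append(("no-output", "no output.* section is enabled"))
    if len(outs) > 1:
        # Filebeat accepts only one enabled output at a time.
        result.append(("multiple-outputs", ", ".join(sorted(outs))))
    for host in outs.get("output.elasticsearch", []):
        if host.rsplit(":", 1)[-1] == BEATS_PORT:
            # Elasticsearch HTTP would be sent to the Beats input port.
            result.append(("elasticsearch-on-beats-port", host))
    if "output.elasticsearch" in outs and "output.logstash" not in outs:
        result.append(("beats-output-missing",
                       "enable output.logstash for a Graylog Beats input"))
    return result


if __name__ == "__main__":
    for name, cfg in (("DEFAULT", DEFAULT), ("MISPOINTED", MISPOINTED), ("FIXED", FIXED)):
        print(name, active_outputs(cfg), findings(cfg))
```

To check a real file, pass its contents: `findings(open("/etc/filebeat/filebeat.yml").read())`.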

Hi

Check for port 5044 is opened?
$ sudo netstat -peanut | grep ":5044"

Did you disable TLS for input ?
check traffic incoming to server
$ sudo tcpdump -i eth0 host <host IP> and udp port 5044

and check graylog-server log
$ sudo tail -f /var/log/graylog-server/server.log

Please find the below output.

Check for port 5044 is opened? – port is opened
[root@localhost ~]# netstat -anpl |grep -i 5044
tcp6 0 0 :::5044 :::* LISTEN 1988/java
udp6 0 0 ipaddress:5044 :::* 1988/java
udp6 0 0 ipaddress:5044 :::* 1988/java
udp6 0 0 ipaddress:5044 :::* 1988/java
udp6 0 0 ipaddress:5044 :::* 1988/java
[root@localhost ~]#
$ sudo netstat -peanut | grep ":5044"

Did you disable TLS for input ?
check traffic incoming to server
$ sudo tcpdump -i eth0 host <host IP> and udp port 5044

[root@localhost ~]# tcpdump -i eth0 host IPaddress -c 30
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:09:04.555868 IP localhost.ssh > router-IP.58282: Flags [P.], seq 134682988:134683196, ack 3472816293, win 1600, length 208
08:09:04.556174 IP localhost.60771 > host-10-2-0-3.example.org.domain: 58475+ PTR? 1.0.16.172.in-addr.arpa. (41)
08:09:04.557200 IP host-10-2-0-3.example.org.domain > localhost.60771: 58475 Refused 0/0/0 (41)
08:09:04.557268 IP localhost.58504 > host-10-2-0-2.example.org.domain: 58475+ PTR? 1.0.16.172.in-addr.arpa. (41)
08:09:04.558471 IP host-10-2-0-2.example.org.domain > localhost.58504: 58475 Refused 0/0/0 (41)
08:09:04.558505 IP localhost.42343 > dns.google.domain: 58475+ PTR? 1.0.16.172.in-addr.arpa. (41)
08:09:04.559831 IP router-IP.58282 > localhost.ssh: Flags [.], ack 0, win 6143, length 0
08:09:04.562607 IP dns.google.domain > localhost.42343: 58475 NXDomain 0/0/0 (41)
08:09:04.563316 IP localhost.41928 > host-10-2-0-3.example.org.domain: 58007+ PTR? 37.0.2.10.in-addr.arpa. (40)
08:09:04.563628 IP host-10-2-0-3.example.org.domain > localhost.41928: 58007* 1/0/0 PTR localhost. (71)
08:09:04.563723 IP localhost.33537 > host-10-2-0-3.example.org.domain: 44110+ PTR? 3.0.2.10.in-addr.arpa. (39)
08:09:04.563764 IP localhost.ssh > router-IP.58282: Flags [P.], seq 208:400, ack 1, win 1600, length 192
08:09:04.563872 IP host-10-2-0-3.example.org.domain > localhost.33537: 44110* 1/0/0 PTR host-10-2-0-3.example.org. (78)
08:09:04.563949 IP localhost.46256 > host-10-2-0-3.example.org.domain: 50364+ PTR? 2.0.2.10.in-addr.arpa. (39)
08:09:04.563984 IP localhost.ssh > router-IP.58282: Flags [P.], seq 400:688, ack 1, win 1600, length 288
08:09:04.564081 IP host-10-2-0-3.example.org.domain > localhost.46256: 50364* 1/0/0 PTR host-10-2-0-2.example.org. (78)
08:09:04.564155 IP localhost.52924 > host-10-2-0-3.example.org.domain: 521+ PTR? 8.8.8.8.in-addr.arpa. (38)
08:09:04.564191 IP localhost.ssh > router-IP.58282: Flags [P.], seq 688:976, ack 1, win 1600, length 288
08:09:04.564292 IP host-10-2-0-3.example.org.domain > localhost.52924: 521 Refused 0/0/0 (38)
08:09:04.564320 IP localhost.47563 > host-10-2-0-2.example.org.domain: 521+ PTR? 8.8.8.8.in-addr.arpa. (38)
08:09:04.564754 IP host-10-2-0-2.example.org.domain > localhost.47563: 521 Refused 0/0/0 (38)
08:09:04.564770 IP localhost.46387 > dns.google.domain: 521+ PTR? 8.8.8.8.in-addr.arpa. (38)
08:09:04.568722 IP dns.google.domain > localhost.46387: 521 1/0/0 PTR dns.google. (62)
08:09:04.568868 IP localhost.ssh > router-IP.58282: Flags [P.], seq 976:3056, ack 1, win 1600, length 2080
08:09:04.568902 IP localhost.ssh > router-IP.58282: Flags [P.], seq 3056:3232, ack 1, win 1600, length 176
08:09:04.568927 IP localhost.ssh > router-IP.58282: Flags [P.], seq 3232:3408, ack 1, win 1600, length 176
08:09:04.568952 IP localhost.ssh > router-IP.58282: Flags [P.], seq 3408:3584, ack 1, win 1600, length 176
08:09:04.568981 IP localhost.ssh > router-IP.58282: Flags [P.], seq 3584:3760, ack 1, win 1600, length 176
08:09:04.569295 IP router-IP.58282 > localhost.ssh: Flags [.], ack 400, win 6147, length 0
08:09:04.569305 IP localhost.ssh > router-IP.58282: Flags [P.], seq 3760:3936, ack 1, win 1600, length 176
30 packets captured
30 packets received by filter
0 packets dropped by kernel

and check graylog-server log
$ sudo tail -f /var/log/graylog-server/server.log

[root@localhost1 ~]# tail -f /var/log/graylog-server/server.log
2020-10-27T08:37:04.334+04:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2020-10-27T08:37:18.357+04:00 WARN [NodePingThread] Did not find meta info of this node. Re-registering.
2020-10-27T13:07:56.298+04:00 ERROR [AbstractTcpTransport] Error in Input [Beats/5f801ed14df3cc5d1e5f4c43] (channel [id: 0x48c8b3af, L:/IPaddress:5044 ! R:/IPaddress:56048]) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: -1)
2020-10-27T13:07:56.301+04:00 ERROR [AbstractTcpTransport] Error in Input [Beats/5f801ed14df3cc5d1e5f4c43] (channel [id: 0x48c8b3af, L:/IPaddress:5044 ! R:/IPaddress:56048]) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: -12)
2020-10-27T23:20:08.599+04:00 INFO [connection] Opened connection [connectionId{localValue:9, serverValue:9}] to localhost:27017
2020-10-27T23:20:08.600+04:00 INFO [connection] Opened connection [connectionId{localValue:10, serverValue:10}] to localhost:27017
2020-10-27T23:20:08.601+04:00 INFO [connection] Opened connection [connectionId{localValue:13, serverValue:12}] to localhost:27017
2020-10-27T23:20:08.601+04:00 INFO [connection] Opened connection [connectionId{localValue:11, serverValue:13}] to localhost:27017
2020-10-27T23:20:08.602+04:00 INFO [connection] Opened connection [connectionId{localValue:12, serverValue:11}] to localhost:27017
2020-10-27T23:20:08.942+04:00 INFO [connection] Opened connection [connectionId{localValue:14, serverValue:14}] to localhost:27017

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.