Thanks for the reply, I managed to run the collector. However, I encountered this error.
level=error msg="[UpdateRegistration] Bad response from Graylog server: 405 Method Not Allowed"
level=error msg="[RequestConfiguration] Bad response status from Graylog server: 404 Not Found"
level=error msg="Can't fetch configuration from Graylog API: GET http://graylog_server:9000/api/plugins/org.graylog.plugins.collector?tags=%5B%22linux%22%5D: 404 HTTP 404 Not Found"
Is http://graylog_server:9000/api/ the correct URI of the Graylog REST API?
Is the Collector plugin installed in your Graylog cluster? It’s being shipped by default, but check on the System/Node/Details page.
What’s the complete output of the following command on the machine running the Collector Sidecar?
Yes, the collector plugin is there. I am able to see the collector under system/node.
Below are the results of the curl request:
HTTP/1.1 200 OK
X-Graylog-Node-ID: 573cc295-80f5-4447-8e71-cb29cc0e525b
X-Runtime-Microseconds: 1313
Content-Type: application/json
Date: Fri, 06 Jul 2018 08:11:34 GMT
Content-Length: 253
{
"cluster_id" : "f170227c-9520-42fa-bbdf-ee6d48b907d9",
"node_id" : "573cc295-80f5-4447-8e71-cb29cc0e525b",
"version" : "2.4.5+8e18e6a",
"tagline" : "Manage your logs in the dark and have lasers going and make it look like you're from space!"
}
Under the web interface, system -> nodes -> details -> installed plugins -> Collector is there.
Thanks.
Edited: added Graylog server initialization message.
2018-07-06 16:07:13,104 INFO : org.graylog2.shared.initializers.JerseyService - Started REST API at http://graylog_server:9000/api/
2018-07-06 16:07:13,105 INFO : org.graylog2.shared.initializers.JerseyService - Started Web Interface at http://graylog_server:9000/
The complete content of the plugin section is as below:
Installed plugins: 9 plugins installed

| Name | Version | Author | Description |
|---|---|---|---|
| AWS plugins | 2.4.5 | Graylog, Inc. | Collection of plugins to read data from or interact with the Amazon Web Services (AWS). |
| CEF Input | 2.4.5 | Graylog, Inc. | Input plugin to receive CEF (Common Event Format) messages. |
| Collector | 2.4.5 | Graylog, Inc. | Collectors plugin |
| Elastic Beats Input | 2.4.5 | Graylog, Inc. | Input plugin for Elastic Beats (Beats/Lumberjack protocol). |
| Enterprise Integration Plugin | 2.4.5 | Graylog, Inc | Provides basic integration with Graylog Enterprise |
| MapWidgetPlugin | 2.4.5 | Graylog, Inc. | Map widget for Graylog |
| NetFlow Plugin | 2.4.5 | Graylog, Inc. | Provides NetFlow inputs |
| Pipeline Processor Plugin | 2.4.5 | Graylog, Inc. | Pluggable pipeline processing framework |
| Threat Intelligence Plugin | 2.4.5 | Graylog, Inc. | Threat intelligence database lookup functions for the Graylog Pipeline Processor |
This is the log generated when I start the sidecar by using
./graylog-collector-sidecar
INFO[0000] No node-id was configured, falling back to hostname
INFO[0000] Fetching configurations tagged by: [linux]
INFO[0000] Starting signal distributor
INFO[0000] [filebeat] Starting (exec driver)
ERRO[0001] [filebeat] Backend finished unexpectedly, trying to restart 1/3.
INFO[0001] [filebeat] Stopping
INFO[0003] [filebeat] Starting (exec driver)
ERRO[0004] [filebeat] Backend finished unexpectedly, trying to restart 2/3.
INFO[0004] [filebeat] Stopping
INFO[0006] [filebeat] Starting (exec driver)
ERRO[0007] [filebeat] Backend finished unexpectedly, trying to restart 3/3.
INFO[0007] [filebeat] Stopping
INFO[0009] [filebeat] Starting (exec driver)
ERRO[0010] [filebeat] Unable to start collector after 3 tries, giving up!
ERRO[0010] [RequestConfiguration] Bad response status from Graylog server: 404 Not Found
ERRO[0010] Can't fetch configuration from Graylog API: GET http://graylog_server:9000/api/plugins/org.graylog.plugins.collector?tags=%5B%22linux%22%5D: 404 HTTP 404 Not Found
ERRO[0010] [UpdateRegistration] Bad response from Graylog server: 405 Method Not Allowed
Are you running a load-balancer or a reverse proxy in front of Graylog’s REST API?
What’s the content of /etc/graylog/collector-sidecar/collector-id? See http://docs.graylog.org/en/2.4/pages/collector_sidecar.html#configuration for details.
What’s the output of the following commands on the machine running the Collector Sidecar?
# namei -l /etc/graylog/collector-sidecar/collector-id
# stat /etc/graylog/collector-sidecar/collector-id
# hostname
# hostname -f
# hostname -a
Hi,
Yes, the collector-id should contain a UUID that identifies this instance. You can remove the file and let the Sidecar create a fresh ID for you (needs write access to /etc/graylog/collector-sidecar for the sidecar process).
Thanks for your reply, I removed the existing collector-id.
When I restart the collector service, I receive this error.
INFO[0000] collector-id file doesn't exist, generating a new one
INFO[0000] Using collector-id: c173dd92-c546-4892-903d-51f98d5938bb
INFO[0000] No node-id was configured, falling back to hostname
INFO[0000] Fetching configurations tagged by: [linux]
INFO[0000] Starting signal distributor
INFO[0000] [filebeat] Starting (exec driver)
ERRO[0001] [filebeat] Backend finished unexpectedly, trying to restart 1/3.
INFO[0001] [filebeat] Stopping
INFO[0003] [filebeat] Starting (exec driver)
ERRO[0004] [filebeat] Backend finished unexpectedly, trying to restart 2/3.
INFO[0004] [filebeat] Stopping
INFO[0006] [filebeat] Starting (exec driver)
ERRO[0007] [filebeat] Backend finished unexpectedly, trying to restart 3/3.
INFO[0007] [filebeat] Stopping
INFO[0009] [filebeat] Starting (exec driver)
ERRO[0010] [filebeat] Unable to start collector after 3 tries, giving up!
ERRO[0010] stat /var/cache/graylog: no such file or directory
INFO[0010] Trying to create directory for: /var/cache/graylog/collector-sidecar
INFO[0010] [filebeat] Configuration change detected, rewriting configuration file.
ERRO[0010] [filebeat] Error during configuration validation: Flag --configtest has been deprecated, configtest flag has been deprecated, use test config subcommand
Exiting: error loading config file: config file ("/etc/graylog/collector-sidecar/generated/filebeat.yml") must be owned by the beat user (uid=0) or root
ERRO[0010] [filebeat] Collector configuration file is not valid, waiting for the next update.
How should I proceed? Thanks again.
Edited: I removed the filebeat.yml and restarted the service. Now everything is working. Thanks a lot, Graylog!
Make sure that you use the beat version that is bundled with the sidecar version; it looks like you are using a newer version where the command-line options changed.
Run the Sidecar as root user to make sure the generated configuration file is accepted by the beat process.
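
The ownership rule behind the `must be owned by the beat user (uid=0) or root` error in this thread can be checked before the Sidecar starts the backend. This is an added example, not part of the original thread or of Graylog's or Beats' code; the helper name `check_beat_config` and its return codes are hypothetical, and the write-permission rule it also checks is Beats' own behaviour rather than something quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check mirroring the config ownership rule that
# produced the "must be owned by the beat user (uid=0) or root" error.
# check_beat_config is a hypothetical helper name, not a Graylog or Beats tool.

# Portable stat wrappers: GNU coreutils first, BSD/macOS as fallback.
file_uid()  { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# usage: check_beat_config <config-file> [uid-the-beat-runs-as]
# returns 0 = accepted, 1 = wrong owner, 2 = too permissive, 3 = missing file
check_beat_config() {
    cfg=$1
    beat_uid=${2:-$(id -u)}

    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 3; }

    owner=$(file_uid "$cfg")
    mode=$(file_mode "$cfg")

    # Rule from the error message: owner must be the beat user or root.
    if [ "$owner" -ne "$beat_uid" ] && [ "$owner" -ne 0 ]; then
        echo "$cfg: owned by uid=$owner, beat runs as uid=$beat_uid" >&2
        return 1
    fi

    # Beats also rejects configs that group or others can write to.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$cfg: mode $mode is writable by group/others" >&2
        return 2
    fi
    return 0
}

# Example call for the path from the thread, with the beat running as root:
#   check_beat_config /etc/graylog/collector-sidecar/generated/filebeat.yml 0
```

A non-zero result on the generated `filebeat.yml` means the file was written by a different account than the one the backend runs as, or that it is writable by more than its owner.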