Use sidecar tags in filebeat config

mpibpc-mroose · January 12, 2023, 12:19pm

1. Describe your incident:
I’m trying to work with modular configurations for my filebeat sidecars. For example I want to include an nginx related filestream only, when the sidecar has the “nginx” tag set. For that I have configured the nginx tag in my sidecar.conf:

tags:
  - linux
  - nginx

… added the tag in the Graylog UI and used it as following in the sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
<#if sidecar.tags.apache??>
- type: filestream
  id: apache_logs
  paths:
    - /var/log/apache2/error.log
    - /var/log/apache2/*access.log
  fields.apache: true
</#if>
<#if sidecar.tags.nginx??>
- type: filestream
  id: nginx_logs
  paths:
    - /var/log/nginx/access.log
    - /var/log/nginx/error.log
  fields.nginx: true
</#if>
- type: filestream
  id: auth_logs
  paths:
    - /var/log/auth.log
  fields.linux_auth: true
- type: filestream
  id: linux_generic_logs
  paths:
    - /var/log/syslog
    - /var/log/*.log
  prospector.scanner.exclude_files: ['auth.log']
  exclude_lines: ['uccee', 'ucces', 'Started Time & Date Service.']

output.logstash:
   hosts: ["S1020-graylog.mpinat.mpg.de:5044"]
path:
  data: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/data
  logs: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/log

But the nginx “section” is not in my sidecars generated filebeat configuration:

~# cat /var/lib/graylog-sidecar/generated/filebeat.conf

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: S1020-Graylog.mpinat.mpg.de
fields.gl2_source_collector: s1020-graylog

filebeat.inputs:
- type: filestream
  id: auth_logs
  paths:
    - /var/log/auth.log
  fields.linux_auth: true
- type: filestream
  id: linux_generic_logs
  paths:
    - /var/log/syslog
    - /var/log/*.log
  prospector.scanner.exclude_files: ['auth.log']
  exclude_lines: ['uccee', 'ucces', 'Started Time & Date Service.']

output.logstash:
   hosts: ["S1020-graylog.mpinat.mpg.de:5044"]
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log

2. Describe your environment:

OS Information: Ubuntu 20.04 LTS with dockerrized Graylog 5.02

4. How can the community help?

Does anyone have something like this working?
does any documentation about the template engine syntax (<#if …> and so on) exists somewhere?

benoitp · January 12, 2023, 4:45pm

Hello a tried something similar and this is not working

In “Collector Configuration”, in one conf I added “test” in “Configuration Assignment Tags”
and in “Configuraton” I added this :

<#if sidecar.tags.test??>
# test
</#if>

On the client side :
/etc/graylog/sidecar/sidecar.yml

tags:
  - test

But nothing happened in “/var/lib/graylog-sidecar/generated/filebeat.conf”

The documentation of Sidecar is not clear at all about tags and how config files are applied if we have several tags on an host who match several configurations.

tmacgbay · January 12, 2023, 5:03pm

The sidecar is just a wrapper around getting a Elasticsearch filebeat (Or Nxlog ) configuration out to machines in a consistent manner. I have never seen conditionals <#if... used in a beats configuration (Which… actually doesn’t say much…) … I also can’t find its use in the filebeat documentation. Where are you finding examples of using it - because it would be pretty cool if we could get that working!

mpibpc-mroose · January 13, 2023, 12:51pm

Seems to be deprecated

github.com/Graylog2/graylog2-server

Allow multiple configurations for a sidecar

opened 10:20AM - 21 Feb 19 UTC

bitfactory-henno-schooljan

feature triaged sidecar

In Graylog 2, tags were a very convenient method for classifying and combining c…onfigurations for specific sidecars. E.g. a generic 'linux' tag for gathering generic logs from all Linux machines, and more specific tags that would only apply to certain machines (including these Linux machines). Simply defining the appropriate tags in a sidecar configuration file on a server would cause it to collect the correct logs from this server, using the combined configurations for all these tags. With the removal of tag-based configuration it looks like it is no longer possible to apply multiple configurations to a sidecar. I need to create a configuration for every single combination of (former) tags I want to use on all my servers, and combine the desired log inputs inside all these configurations using variables if I want to avoid duplication. The number of combinations can grow exponentially when more log inputs are introduced. How difficult would it be to allow multiple configurations to be applied to a sidecar, effectively allowing the combination of different configurations without having to create a lot of compound configurations every time a new log input is introduced?

Pleas upvote this issue. I think this is an essential feature which should be implemented again.

benoitp · January 13, 2023, 1:43pm

All it comes from the doc that is not clear about this.
I copy/paste the doc with “1.2” written in the commands.

You need to have at least 1.3 version of Sidecar to have it works.

The doc about tags and sniplets is too minimalist.

The things to know :
each Configuration must be a full configuration, as Sidecar will spawn one process of the log shipper for each Configuration attached to the host.

Ex. in “sidecar.yml” on my Linux host, i have this

tags:
  - "Linux standard logs"
  - "Graylog server"

I have 2 corresponding Configuration in Graylog (with the same tag as their name in their conf)

Sidecar automatically launch 2 process of Filebeat with theses configurations :

system · January 27, 2023, 1:44pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration of tags collector-sidecar Graylog Central (peer support) sidecar , filebeat-linux	8	4518	October 16, 2017
Graylog 3.0 filebeat configuration and tags Graylog Central (peer support) sidecar , filebeat-linux	20	5809	March 21, 2019
Sidecar with Filebeat not working with modules Graylog Central (peer support) sidecar , filebeat-linux , nosendlogfblx , failoadcongfigfblx	1	1035	April 28, 2021
Graylog 3 Sidecar Config Management Graylog Central (peer support) sidecar	4	629	July 16, 2019
Getting stated with filebeat Graylog Central (peer support) sidecar	1	1960	August 17, 2017

Use sidecar tags in filebeat config

Related Topics