Which version of sidecar to install on Graylog 5.1


1. Describe your incident:
Recently we upgraded Graylog to version 5.1 (from 4.x) successfully and now we want to upgrade sidecars version from 1.2.x to the latest version supported.

2. Describe your environment:

  • OS Information: Ubuntu 20.04
  • Package Version: Graylog 5.1.7

3. What steps have you already taken to try and solve the problem?
We read the documentation and found that we need to install the sidecar version taking into account the version of Graylog we are currently running (5.1.7).

We found in the docs (Graylog 5.1 Doc) that we need to install sidecar 1.4.


But then, when we read the install process below, we realized that it will install sidecar 1.5:

wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_1-5_all.deb
sudo dpkg -i graylog-sidecar-repository_1-5_all.deb
sudo apt-get update && sudo apt-get install graylog-sidecar

4. How can the community help?
We want to know if sidecar 1.5 is compatible with Graylog 5.1. We plan to upgrade to 5.2 later, but for the moment we will stay on 5.1.

If not, we will continue with sidecar 1.4.

Thanks!


It is compatible. I have Graylog 5.2.1 along with Sidecar agent 1.5.0.

What matters most is the version of winlogbeat, for example (if you are using it).

I don’t know why they added Winlogbeat 8.9.0 in the Graylog sidecar 1.5.0 package but it does not work for me with OpenSearch 2.11.0.

So I replaced Winlogbeat 8.9.0 with 7.17.13 (works for me). You should try the recommended version for your OpenSearch version though (7.12.1).

If you use NXLog I think the latest version works, as it uses GELF.

Thanks for your reply @s0p4L1N.

However, my query is about using Graylog 5.1.7 with the latest sidecar 1.5.

We have winlogbeat inputs and some filebeat inputs. Lastly, we use Elastic.

I assume you are using version 7.10.2 of Elasticsearch. You can use the latest Winlogbeat 7.17.x version.

I recommend you migrate from Elastic to OpenSearch, as it will be deprecated sooner or later.

Between 5.1.7 and 5.2.1 there are no big changes. If you look at the sidecar release notes, same thing: no big changes except the new binaries for winlogbeat and filebeat.

If you look at this documentation: Ingest Windows Event Logs

They say not to use Winlogbeat/Filebeat 8.x versions.

Don’t confuse software version and package version. The naming is a bit unfortunate in that regard.
See Sidecar version matrix - #5 by nicosalva

Thanks again for your answer.

So if I understand correctly, installing the latest sidecar 1.5 (with the beats updated to 8.x) I will have problems because of this:

please note that Graylog only supports Winlogbeat 7.x. Do not upgrade to version 8.0 and above

So the correct way is to install Sidecar 1.4 and keep compatibility.

Is that correct?

You can have Sidecar 1.5, but you just need to replace the Winlogbeat binary with the compatible one.

C:\Program Files\Graylog\sidecar

But the binaries:


What you need to understand is that the sidecar embeds a winlogbeat binary in its package, but that does not mean it is the most suitable one.

Or maybe I am wrong, but then they should update their documentation so as not to lead users down the wrong path.
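The advice in this thread boils down to "keep the beat that the sidecar runs on a 7.x release". A small check for that, added here as an example and not code from the thread or from Graylog; the binary path and the sample version lines are assumptions, and the output format mirrors what `winlogbeat version` / `filebeat version` print:

```shell
#!/bin/sh
# Added example (not from the thread): decide from the line a Beats binary
# prints for "<beat> version" whether it is in the 7.x series that the thread
# says Graylog supports, and flag an 8.x binary shipped with the sidecar package.

beat_major() {
    # Extract the major number from e.g.
    # "winlogbeat version 7.17.13 (amd64), libbeat 7.17.13 [hash built 2023-...]"
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version \([0-9]*\)\.[0-9]*\.[0-9]*.*/\1/p'
}

# Returns 0 when the version line describes a 7.x beat, 1 otherwise
# (an unparseable line yields an empty major and is treated as unsupported).
beat_supported() {
    major=$(beat_major "$1")
    [ "$major" = "7" ]
}

# Run the check against the beat binary bundled with the sidecar. The path is
# an assumption; on Windows the thread names C:\Program Files\Graylog\sidecar.
check_sidecar_beat() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo "no beat binary at $bin"
        return 2
    fi
    line=$("$bin" version 2>/dev/null | head -n 1)
    if beat_supported "$line"; then
        echo "OK: $line"
    else
        echo "REPLACE: $line (Graylog only supports Winlogbeat/Filebeat 7.x)"
        return 1
    fi
}
```

Call `check_sidecar_beat /path/to/winlogbeat` (or `filebeat`) after installing the sidecar package; a non-zero exit means the bundled beat should be swapped for a 7.17.x build before it is rolled out.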
