Windows 10 Log Fetching

Hi,

I'm new here. I installed a Graylog server and tried to fetch logs from a Windows 10 machine with the help of sidecars.

The sidecar is up and running, but I'm not receiving any logs in the dashboard.

I checked the time and date on my server and client; both are in sync.

Looking forward to your solutions and ideas.

Hey @Supportme

Did you configure any collector, like Winlogbeat/Filebeat or NXLog, to get your logs from Windows? Did you configure the Graylog input for that collector? Can the collector reach Graylog on that port?

Did you read the docs? What docs did you read?

Hi,

I installed the sidecar on the client, with Winlogbeat to collect logs, as it comes built in with the sidecar.

Input configuration (Beats input):

bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 8
override_source: (empty)
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: (empty)
tls_client_auth: disabled
tls_client_auth_cert_file: (empty)
tls_enable: false
tls_key_file: (empty)
tls_key_password: (empty)

I think it can communicate with the Graylog server.
Is there any way to check that?

I read the official docs and watched some YouTube videos to configure the server and sidecar.
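The question "is there any way to check that?" has a concrete answer from the client side. The following is an added example, not something posted in this thread: it checks, from the Windows 10 client, that the sidecar service exists, that the Beats input port and the Graylog REST API port are reachable, and it reminds you which check belongs on the server. It assumes the Graylog server is 192.168.2.3 (the address used in the winlogbeat config later in this thread), that the input is plain TCP on 5044 (tls_enable: false, as in the input shown above) and that the sidecar's Windows service is named graylog-sidecar; adjust those if your installation differs.

```powershell
# Added example (not from the original thread): run in an elevated PowerShell
# prompt on the Windows 10 client to verify connectivity to the Graylog server.

$GraylogHost = '192.168.2.3'   # assumption: Graylog server IP used in the winlogbeat config
$BeatsPort   = 5044            # port of the Beats input shown above (plain TCP, no TLS)
$ApiPort     = 9000            # Graylog REST API; the sidecar pulls its configuration from here

# 1. Is the sidecar service installed and running? (service name assumed: graylog-sidecar)
$svc = Get-Service -Name 'graylog-sidecar' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'graylog-sidecar service not found; run "graylog-sidecar.exe -service install" first.'
} else {
    "Sidecar service state: $($svc.Status)"
}

# 2. Can this host open a TCP connection to the Beats input? PingSucceeded = true with
#    TcpTestSucceeded = false usually means the input is not started on the server or a
#    firewall (Windows Defender outbound or the Linux host firewall) blocks the port.
$beats = Test-NetConnection -ComputerName $GraylogHost -Port $BeatsPort
"Ping: $($beats.PingSucceeded)   TCP/$BeatsPort open: $($beats.TcpTestSucceeded)"

# 3. Can the sidecar reach the REST API? Without this channel the sidecar never receives
#    a configuration, so winlogbeat is never started, even if 5044 is open.
$api = Test-NetConnection -ComputerName $GraylogHost -Port $ApiPort
"Graylog API TCP/$ApiPort open: $($api.TcpTestSucceeded)"

# 4. If TCP/5044 is closed, confirm on the Graylog (Linux) host that the input is
#    listening at all; this is run on the server, not here:
#      ss -ltnp | grep 5044
```

If the TCP test to 5044 succeeds, the network is not the problem and the next place to look is whether the sidecar has a configuration assigned and whether winlogbeat itself is logging output errors.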

So you have the sidecar installed. Did you actually create a configuration in the Graylog UI for the sidecar/collector? I mean, did you configure winlogbeat?

I just changed the host IP address:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Beats output to the Graylog Beats input (plain TCP; the input has tls_enable: false)
output.logstash:
  hosts: ["192.168.2.3:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security

Going from memory, here are the sidecar installation steps. Post any errors, code or unexpected results (in a nice format) so that we can see where you are in the process. For instance, you haven't mentioned that you have applied your configuration to the client (yet).

  • Create a Graylog input
  • Install the sidecar on the client
  • Configure the client sidecar to point to Graylog
  • Note that the client shows up under Sidecars but without a configuration
  • Create a sidecar configuration in Graylog
  • Apply the sidecar configuration to the client
  • Observe that the status changes to running or failed
  • If it failed, hover your mouse over "failed" to get a short idea of what the issue is
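The client-side steps of that procedure (install the sidecar, point it at Graylog, confirm it shows up under Sidecars) can be scripted. This is an added example and not code from the thread or from the Graylog project; it assumes sidecar 1.0.x installed by the Windows installer into its default directory, the keys server_url, server_api_token and node_name present in the shipped sidecar.yml, Graylog reachable at 192.168.2.3:9000, and an API token already created in the Graylog UI for a user allowed to register sidecars. The token value below is a placeholder.

```powershell
# Added example (not from the original thread): client-side sidecar setup, scripted.
# Run in an elevated PowerShell prompt on the Windows client.

$SidecarDir = 'C:\Program Files\Graylog\sidecar'     # assumption: default install dir
$ServerUrl  = 'http://192.168.2.3:9000/api/'        # assumption: Graylog API URL, must end in /api/
$ApiToken   = 'PASTE-SIDECAR-API-TOKEN-HERE'        # placeholder, not a real token
$NodeName   = $env:COMPUTERNAME                     # how the node will be listed under Sidecars

# 1. Point the sidecar at Graylog by patching the shipped sidecar.yml in place.
#    [^\r\n]* keeps the line ending intact; (?m) makes ^ match at each line start.
$yml = Join-Path $SidecarDir 'sidecar.yml'
$cfg = Get-Content -Path $yml -Raw
$cfg = $cfg -replace '(?m)^server_url:[^\r\n]*',       "server_url: `"$ServerUrl`""
$cfg = $cfg -replace '(?m)^server_api_token:[^\r\n]*', "server_api_token: `"$ApiToken`""
$cfg = $cfg -replace '(?m)^node_name:[^\r\n]*',        "node_name: `"$NodeName`""
Set-Content -Path $yml -Value $cfg -Encoding ASCII

# 2. Register the Windows service and start it (re-running "install" on an already
#    installed service just reports that it exists).
$exe = Join-Path $SidecarDir 'graylog-sidecar.exe'
& $exe -service install
& $exe -service start
Start-Sleep -Seconds 15   # default update_interval is 10 s; wait for the first check-in

# 3. Confirm the node registered. Graylog accepts the token as HTTP basic auth with
#    the token as user name and the literal password "token".
$auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${ApiToken}:token"))
$resp = Invoke-RestMethod -Uri ($ServerUrl + 'sidecars') `
            -Headers @{ Authorization = "Basic $auth"; Accept = 'application/json' }
$resp.sidecars | Where-Object { $_.node_name -eq $NodeName } |
    Select-Object node_name, node_id, active, last_seen

# 4. At this point the node is listed but has no configuration (step 4 of the list
#    above). Creating the winlogbeat configuration and assigning it to this node is
#    done in the UI; the status column flips to "Running" once winlogbeat starts.
```

Keep the token out of shell history and scripts that get shared: it is a credential for the Graylog API, and the sidecar.yml that now contains it should stay readable only by administrators and the service account.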

Hi,

As you said, I have done the installation properly, and the sidecar is up and running; it doesn't show any kind of errors.

Hi,

I suspect the server.conf file is not configured properly. I read some posts regarding the fetching problem, and all of them suggested going through the server.conf file and the timezone; I had configured it as

root_timezone = Asia/Kolkata

Could someone kindly give your opinion?

Hey @Supportme

The configuration root_timezone is just the setting of the timezone that is used when you log in with the hardcoded admin account.

Hi,

I thought I had solved the issue, but it's not rectified.

I still can't fetch logs from the Windows machine.

I was working with another post on this: Sidecar Issues with Windows 2012 R2 Domain Controller

Check your logs on the client side (notes about it in the link above) and post anything odd (but not all of it, and please format using the tools).


time="2020-01-11T11:10:25+05:30" level=info msg="Starting signal distributor"
time="2020-01-11T11:10:35+05:30" level=info msg="No configurations assigned to this instance. Skipping configuration request."
time="2020-01-11T11:10:55+05:30" level=info msg="Adding process runner for: winlogbeat"
time="2020-01-11T11:10:55+05:30" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file."
time="2020-01-11T11:10:56+05:30" level=info msg="[winlogbeat] Starting (svc driver)"
time="2020-01-11T11:11:06+05:30" level=info msg="Collector [winlogbeat] is already running, skipping start action."

The log generated in the column

This would mean that, although you may have created a configuration, you have not explicitly assigned it to the machine in the Graylog UI.

You would also notice there are no winlogbeat files in that folder either (they log transmission to Graylog). In the Graylog web UI, under System -> Sidecars, click on "Administration" and find your machine. On the left side, check the type of configuration you want to apply; then on the right, pull down the "Configure" menu and choose the configuration you built to apply. Assuming all else is correct, in a few moments the client will check in, pick up the configuration and start sending in messages.
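The sidecar log lines posted above can be read mechanically: each of the known messages maps to a state in the "no logs arriving" investigation, and the presence or absence of winlogbeat's own log file tells you whether the collector was ever started with an assigned configuration. The following is an added example, not code from the thread or from Graylog. It assumes the default sidecar paths used in this thread (sidecar.log and winlogbeat's log under C:\Program Files\Graylog\sidecar\logs, winlogbeat writing a file named winlogbeat there because the posted config sets path.logs to that directory); the sample lines are the ones posted above, with straight quotes.

```powershell
# Added example (not from the original thread): classify sidecar log lines and
# check whether winlogbeat has produced its own log yet.

$SidecarLog   = 'C:\Program Files\Graylog\sidecar\logs\sidecar.log'   # assumption: default path
$CollectorLog = 'C:\Program Files\Graylog\sidecar\logs\winlogbeat*'   # assumption: winlogbeat log name/rotation

# Known sidecar messages and what each means while troubleshooting missing logs.
$Hints = @(
    @{ Pattern = 'No configurations assigned';    Meaning = 'Configuration not assigned to this node: System -> Sidecars -> Administration, tick winlogbeat, Configure -> choose your configuration.' },
    @{ Pattern = 'Configuration change detected'; Meaning = 'Configuration received from Graylog and written to the generated winlogbeat.yml.' },
    @{ Pattern = 'Starting \(svc driver\)';       Meaning = 'winlogbeat started as a Windows service; output errors from now on appear in its own log.' },
    @{ Pattern = 'is already running';            Meaning = 'Collector is healthy from the sidecar''s point of view.' },
    @{ Pattern = 'level=error';                   Meaning = 'Sidecar-side error; read the message text.' }
)

function Get-SidecarState {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($h in $Hints) {
            if ($line -match $h.Pattern) {
                [pscustomobject]@{
                    Time    = ($line -replace '^time="([^"]+)".*$', '$1')
                    Meaning = $h.Meaning
                }
            }
        }
    }
}

# Lines as posted in this thread (curly quotes replaced by straight ones).
$Posted = @(
    'time="2020-01-11T11:10:25+05:30" level=info msg="Starting signal distributor"',
    'time="2020-01-11T11:10:35+05:30" level=info msg="No configurations assigned to this instance. Skipping configuration request."',
    'time="2020-01-11T11:10:55+05:30" level=info msg="Adding process runner for: winlogbeat"',
    'time="2020-01-11T11:10:55+05:30" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file."',
    'time="2020-01-11T11:10:56+05:30" level=info msg="[winlogbeat] Starting (svc driver)"',
    'time="2020-01-11T11:11:06+05:30" level=info msg="Collector [winlogbeat] is already running, skipping start action."'
)
Get-SidecarState -Lines $Posted | Format-Table -AutoSize

# Same classification over the live log, newest 50 lines.
if (Test-Path $SidecarLog) {
    Get-SidecarState -Lines (Get-Content -Path $SidecarLog -Tail 50) | Format-Table -AutoSize
}

# winlogbeat only writes its log once it has been started with an assigned configuration.
# Its output-side failures (e.g. "Failed to connect to backoff(...)" when 5044 is
# unreachable) land here, not in sidecar.log.
$beatLogs = Get-ChildItem -Path $CollectorLog -ErrorAction SilentlyContinue
if ($beatLogs) {
    $beatLogs | Select-Object Name, Length, LastWriteTime
    Select-String -Path $CollectorLog -Pattern 'Failed to connect|ERROR' | Select-Object -Last 10
} else {
    'No winlogbeat log yet: the collector has not been started with an assigned configuration.'
}
```

On the posted lines this prints "No configurations assigned" at 11:10:35 followed by a configuration change, a start and a healthy "already running" at 11:11:06, so the remaining question is what winlogbeat's own log says about its connection to 192.168.2.3:5044.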
