Windows logs from Azure machine are not getting shipped to Graylog hosted in AKS

We are setting up Graylog in AKS. For that, the kongz/graylog Helm chart is used for setting up Graylog, MongoDB and OpenSearch in Azure Kubernetes.
Along with that, an nginx-ingress controller has been set up to access Graylog from outside AKS, and the external IP is mapped to a DNS name. I am able to access Graylog using DNS from my local machine.
Now we need to ship Windows logs from a machine hosted in Azure into Graylog. For that, we have installed the Graylog sidecar and winlogbeat on the Windows machine and added a Beats stream in Graylog. However, we are still not able to get logs from the machine in Graylog. Any idea what we are missing here?

I am able to access graylog using DNS from my local machine.

I guess you mean the UI via HTTPS, right? If this works, DNS and port 443 are fine.

Did you start an input in Graylog, and did you also configure this port in your nginx LB? Is any other extra mapping of external ports necessary in AKS?
What happens if you try to build up a TCP connection to that port in your AKS environment? Does it reach an open state?

I would like to warn you that with this setup a lot of authentication should be implemented. Otherwise third parties could just flood your Graylog with random garbage data.

Yes. I have configured ports 80 and 443 in the ingress. I am able to access the Graylog UI externally using DNS. However, I am not sure which port I should use while setting up the sidecar on the Windows machine.

If you use winlogbeat, you will have the logs delivered into a Beats input. The Graylog default port for this is 5044.

Make sure that systems of the same kind (e.g. your AD servers) deliver into the same input, but systems of a different kind (e.g. your Exchange on-prem) deliver into another input. It makes it easier later on to distinguish the logs during processing.

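One way to expose the Beats input on 5044 through the same ingress-nginx controller while keeping it authenticated, as an added example rather than anything posted in the thread. It assumes ingress-nginx was installed with its Helm chart, Graylog's Service is `graylog` in namespace `graylog`, and the hostname, source IP and certificate paths are placeholders.

```yaml
# Added example, not from the thread. Assumed: Graylog Service "graylog" in
# namespace "graylog"; hostname, VM IP and certificate paths are placeholders.
#
# --- values.yaml for the ingress-nginx Helm chart ---
# ingress-nginx only proxies HTTP(S) by default; raw TCP for the Beats input
# is forwarded via the tcp-services ConfigMap, which the chart fills from "tcp:".
tcp:
  "5044": "graylog/graylog:5044"
controller:
  service:
    type: LoadBalancer
    # Restrict the Azure load balancer to the shipping VM instead of 0.0.0.0/0,
    # so the input is not reachable for anyone to flood with garbage data.
    loadBalancerSourceRanges:
      - "203.0.113.10/32"   # placeholder: public IP of the Windows VM
---
# --- Graylog Beats input (Inputs > Beats) ---
# Enable TLS and require a client certificate on the input:
#   tls_enable: true, tls_cert_file / tls_key_file: server cert and key,
#   tls_client_auth: required, tls_client_auth_cert_file: CA that signed
#   the winlogbeat client certificates.
#
# --- winlogbeat configuration pushed by the Graylog sidecar ---
# Only a client holding a certificate issued by that CA can deliver events.
winlogbeat.event_logs:
  - name: Security
  - name: System
  - name: Application
output.logstash:
  hosts: ["graylog.example.com:5044"]   # placeholder DNS name of the ingress LB
  ssl.certificate_authorities: ["C:/ProgramData/graylog/sidecar/ca.pem"]
  ssl.certificate: "C:/ProgramData/graylog/sidecar/winlogbeat.pem"
  ssl.key: "C:/ProgramData/graylog/sidecar/winlogbeat.key"
# Check from the VM that the port is actually open before debugging TLS:
#   Test-NetConnection graylog.example.com -Port 5044
```

If `Test-NetConnection` reports `TcpTestSucceeded : False`, the problem is the ingress or load-balancer mapping, not the input; if it succeeds but nothing arrives, look at the winlogbeat log for TLS handshake errors and at the input's received-message counter.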