Windows sidecar filebeat configuration

Graylog Central (peer support)
, ,
1

We have winlogbeat working on a windows client via sidecar and would like to send over line-by-line data from other log files—NPS, SMTP. I configured a filebeat input on the graylog server and a filbeat.yml file is pushed to the windows client. I’m not sure what I’m missing, but we are not getting any messages.

Here is the generated filebeat.yml:
filebeat:
prospectors:

  • encoding: utf8
    exclude_files: []
    fields:
    collector_node_id: AAIS-DC03
    gl2_source_collector: a61be42d-465a-4a15-99d5-27cf16ec71d8
    type: log
    ignore_older: 168h
    paths:
    • C:\Windows\System32\LogFiles\NPS*log
      scan_frequency: 10s
      tail_files: true
      type: log
      output:
      logstash:
      hosts:
    • graylog.aaisdirect.com:5044
      path:
      data: C:\Program Files\graylog\collector-sidecar\cache\filebeat\data
      logs: C:\Program Files\graylog\collector-sidecar\logs
      tags:
  • windows
  • iis
  • NPS

Here is the resultant filebeat log: (pardon the broken line breaks)
2018-07-07T10:10:01-05:00 INFO Home path: [C:\Program Files\graylog\collector-sidecar] Config path: [C:\Program Files\graylog\collector-sidecar] Data path: [C:\Program Files\graylog\collector-sidecar\cache\filebeat\data] Logs path: [C:\Program Files\graylog\collector-sidecar\logs]
2018-07-07T10:10:01-05:00 INFO Metrics logging every 30s
2018-07-07T10:10:01-05:00 INFO Beat UUID: 8c24684a-c69c-4132-b6de-72642e18250f
2018-07-07T10:10:01-05:00 INFO Setup Beat: filebeat; Version: 6.1.2
2018-07-07T10:10:01-05:00 INFO Beat name: AAIS-DC03
2018-07-07T10:10:01-05:00 ERR Not loading modules. Module directory not found: C:\ProgramFiles\graylog\collector-sidecar\module
2018-07-07T10:10:01-05:00 INFO filebeat start running.
2018-07-07T10:10:01-05:00 INFO No registry file found under: C:\Program Files\graylog\collector-sidecar\cache\filebeat\data\registry. Creating a new registry file.
2018-07-07T10:10:01-05:00 ERR Error: The service process could not connect to the service controller.
2018-07-07T10:10:01-05:00 INFO Loading registrar data from C:\Program Files\graylog\collector-sidecar\cache\filebeat\data\registry
2018-07-07T10:10:01-05:00 INFO States Loaded from registrar: 0
2018-07-07T10:10:01-05:00 WARN Filebeat is unable to load the Ingest Node pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the Ingest Node pipelines or are using Logstash pipelines, you can ignore this warning.
2018-07-07T10:10:01-05:00 INFO Loading Prospectors: 1
2018-07-07T10:10:01-05:00 INFO Starting Registrar
2018-07-07T10:10:01-05:00 INFO Starting prospector of type: log; ID: 8278901464537072971
2018-07-07T10:10:01-05:00 INFO Loading and starting Prospectors completed. Enabled prospectors: 1
2018-07-07T10:10:31-05:00 INFO Non-zero metrics in the last 30s: beat.info.uptime.ms=30115 beat.memstats.gc_next=4194304 beat.memstats.memory_alloc=3149488 beat.memstats.memory_total=8826752 filebeat.events.added=105 filebeat.events.done=
105 filebeat.harvester.open_files=0 filebeat.harvester.running=0 libbeat.config.module.running=0 libbeat.output.type=logstash libbeat.pipeline.clients=1 libbeat.pipeline.events.active=0 libbeat.pipeline.events.filtered=105 libbeat.pipeline.events.total=105 registrar.states.current=105 registrar.states.update=105 registrar.writes=106
(similar last line repeated every 30 seconds)

What are we doing wrong?

2

It looks like this was some kind of race condition in the initial setup. I stopped the sidecar service and ran filebeat in debug mode and everything worked. I then restarted sidecar and everything is still working. I guess this is closed.

3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.