Hi Rob, the Graylog Collector Sidecar simply configures and starts the actual collectors (Filebeat or nxlog), so you'll have to check with their docs if that's possible:
https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html https://www.elastic.co/guide/en/beats/filebeat/current/index.html Cheers, Jochen On Thursday, 9 February 2017 23:16:11 UTC+1, Rob Repp wrote: > > The files are definitely updating. One interesting thing, I tried do > establish this by just tailing the file with both Notepad++ and with a > freeware "tail" utility for Windows and it never updated. I had to manually > reload the file to see any changes. Further, I never saw any update in the > file Date Modified. Is there some way to force collector sidecar to poll > the files even if they don't show any obvious activity? > > On Tuesday, February 7, 2017 at 1:55:07 AM UTC-6, Jochen Schalanda wrote: >> >> Hi Rob, >> >> this sounds like either there is simply no new content in the files >> you've configured nxlog to watch, or that the file pattern is wrong. Try >> using another File pattern in the nxlog im_file input or switch to >> Filebeat. >> >> Cheers, >> Jochen >> >> On Monday, 6 February 2017 23:22:59 UTC+1, Rob Repp wrote: >>> >>> Okay, I did a packet capture that's showing traffic between the two >>> boxes. There seems to be the Graylog host sending a json of the nxlog.conf >>> config data to the DHCP server once every four seconds or so, and the DHCP >>> server sending back HTTP requests on port 9000. None of the exchanges look >>> like they contain data from the DHCP logs. >>> >>> On Monday, February 6, 2017 at 10:37:44 AM UTC-6, Jochen Schalanda wrote: >>>> >>>> Hi Rob, >>>> >>>> since the configuration doesn't show any obvious errors, please use >>>> Wireshark or a similar tool like tcpdump to check if the log messages from >>>> nxlog are sent to the correct host and if the UDP packets actually arrive >>>> at the Graylog GELF UDP input. >>>> >>>> Cheers, >>>> Jochen >>>> >>>> On Monday, 6 February 2017 17:08:21 UTC+1, Rob Repp wrote: >>>>> >>>>> The traffic is not being blocked. There's no firewall on either >>>>> machine, and the network path is unobstructed. Further, the Collector >>>>> status for that Collector is showing green, with Backend "Nxlog: >>>>> running." >>>>> It looks like it's connected and responsive. It's just that there never >>>>> seem to be any messages on the associated Input. >>>>> Tks, >>>>> R. >>>>> >>>>> On Saturday, February 4, 2017 at 3:30:18 AM UTC-6, Jochen Schalanda >>>>> wrote: >>>>>> >>>>>> Hi Rob, >>>>>> >>>>>> the configuration looks good so far. Make sure that the host >>>>>> "re.da.ct.ed" can be accessed by your Windows machine and that port >>>>>> 5441/udp is open and not blocked by a firewall. >>>>>> >>>>>> Cheers, >>>>>> Jochen >>>>>> >>>>>> On Friday, 3 February 2017 23:10:50 UTC+1, Rob Repp wrote: >>>>>>> >>>>>>> Okay, in order: >>>>>>> >>>>>>> 1. I'm using the OVA VM image from Graylog, so most of the >>>>>>> configuration is already done. All I did was add a Connector with one >>>>>>> nxlog >>>>>>> input and one nxlog output, and then the GELF UDP input that the >>>>>>> WinDHCP >>>>>>> json created. >>>>>>> >>>>>>> The WinDHCP input is configured like this: >>>>>>> >>>>>>> WinDHCPLogs-gelf GELF UDP RUNNING >>>>>>> On node 771f3128 / graylog >>>>>>> <http://172.30.39.100/system/nodes/771f3128-a581-433b-a561-613c6bb8c5bf> >>>>>>> >>>>>>> - bind_address: >>>>>>> 0.0.0.0 >>>>>>> - decompress_size_limit: >>>>>>> 8388608 >>>>>>> - override_source: >>>>>>> *<empty>* >>>>>>> - port: >>>>>>> 5441 >>>>>>> - recv_buffer_size: >>>>>>> 1048576 >>>>>>> >>>>>>> >>>>>>> 2. The nxlog.conf file is: >>>>>>> >>>>>>> define ROOT C:\Program Files (x86)\nxlog >>>>>>> >>>>>>> <Extension gelf> >>>>>>> Module xm_gelf >>>>>>> </Extension> >>>>>>> >>>>>>> Moduledir %ROOT%\modules >>>>>>> CacheDir %ROOT%\data >>>>>>> Pidfile %ROOT%\data\nxlog.pid >>>>>>> SpoolDir %ROOT%\data >>>>>>> LogFile %ROOT%\data\nxlog.log >>>>>>> LogLevel INFO >>>>>>> >>>>>>> <Extension logrotate> >>>>>>> Module xm_fileop >>>>>>> <Schedule> >>>>>>> When @daily >>>>>>> Exec file_cycle('%ROOT%\data\nxlog.log', 7); >>>>>>> </Schedule> >>>>>>> </Extension> >>>>>>> >>>>>>> <Input 588bc33f682c990374bab049> >>>>>>> Module im_file >>>>>>> File 'C:\Windows\System32\dhcp\DhcpSrvLog-*.log' >>>>>>> PollInterval 1 >>>>>>> SavePos True >>>>>>> ReadFromLast True >>>>>>> Recursive False >>>>>>> RenameCheck True >>>>>>> Exec $FileName = file_name(); # Send file name with each message >>>>>>> </Input> >>>>>>> >>>>>>> <Output 588bc2db682c990374baafe0> >>>>>>> Module om_udp >>>>>>> Host re.da.ct.ed >>>>>>> Port 5441 >>>>>>> OutputType GELF >>>>>>> Exec $short_message = $raw_event; # Avoids truncation of the >>>>>>> short_message field. >>>>>>> Exec $gl2_source_collector = '9960a8cd-7abe-4021-939f-89b22909aa32'; >>>>>>> Exec $Hostname = hostname_fqdn(); >>>>>>> </Output> >>>>>>> >>>>>>> <Route route-0> >>>>>>> Path 588bc33f682c990374bab049 => 588bc2db682c990374baafe0 >>>>>>> </Route> >>>>>>> >>>>>>> 3. collector_sidecar.yml is this: >>>>>>> >>>>>>> server_url: http://re.da.ct.ed:9000/api >>>>>>> update_interval: 10 >>>>>>> tls_skip_verify: false >>>>>>> send_status: true >>>>>>> list_log_files: >>>>>>> node_id: NS1 >>>>>>> collector_id: file:C:\Program >>>>>>> Files\graylog\collector-sidecar\collector-id >>>>>>> cache_path: C:\Program Files\graylog\collector-sidecar\cache >>>>>>> log_path: C:\Program Files\graylog\collector-sidecar\logs >>>>>>> log_rotation_time: 86400 >>>>>>> log_max_age: 604800 >>>>>>> tags: dhcp >>>>>>> backends: >>>>>>> - name: nxlog >>>>>>> enabled: true >>>>>>> binary_path: C:\Program Files (x86)\nxlog\nxlog.exe >>>>>>> configuration_path: C:\Program >>>>>>> Files\graylog\collector-sidecar\generated\nxlog.conf >>>>>>> - name: winlogbeat >>>>>>> enabled: false >>>>>>> binary_path: C:\Program >>>>>>> Files\graylog\collector-sidecar\winlogbeat.exe >>>>>>> configuration_path: C:\Program >>>>>>> Files\graylog\collector-sidecar\generated\winlogbeat.yml >>>>>>> - name: filebeat >>>>>>> enabled: false >>>>>>> binary_path: C:\Program >>>>>>> Files\graylog\collector-sidecar\filebeat.exe >>>>>>> configuration_path: C:\Program >>>>>>> Files\graylog\collector-sidecar\generated\filebeat.yml >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Friday, February 3, 2017 at 3:21:21 AM UTC-6, Jochen Schalanda >>>>>>> wrote: >>>>>>>> >>>>>>>> Hi Rob, >>>>>>>> >>>>>>>> How did you configure Graylog? Which inputs did you create and how >>>>>>>> did you configure them? >>>>>>>> How did you configure the Graylog Collector Sidecar and what's the >>>>>>>> generated nxlog configuration? >>>>>>>> >>>>>>>> Cheers, >>>>>>>> Jochen >>>>>>>> >>>>>>>> On Thursday, 2 February 2017 23:30:20 UTC+1, Rob Repp wrote: >>>>>>>>> >>>>>>>>> I set up a Graylog 2.1.2 server by deploying the downloadable OVA >>>>>>>>> from graylog.org. I'm trying to monitor a Windows 2008 R2 server >>>>>>>>> with the DHCP role installed. The DHCP server deposits activity data >>>>>>>>> into >>>>>>>>> log files at C:\Windows\System32\dhcp\DhcpSrvLog-*.log. I have >>>>>>>>> collector-sidecar and nxlog installed on the Windows machine, and >>>>>>>>> configured to send the log data back to a collector input on the >>>>>>>>> Graylog >>>>>>>>> server. >>>>>>>>> >>>>>>>>> My configuration is based on the WindowsDHCP content pack >>>>>>>>> available in the Graylog marketplace. I imported the content pack >>>>>>>>> json, >>>>>>>>> configured collector-sidecar on Windows and the Graylog collector >>>>>>>>> starting >>>>>>>>> from the sample code at https://github.com/JulioQc/WinDHCP. >>>>>>>>> Unfortunately, when I do "show messages" for the collector, there's >>>>>>>>> nothing >>>>>>>>> coming in. >>>>>>>>> >>>>>>>>> Has anyone had any success with this configuration? If not, is >>>>>>>>> there a better method for monitoring Windows DHCP activity with >>>>>>>>> Graylog? >>>>>>>>> Thanks! >>>>>>>>> >>>>>>>> -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/43e2f830-0a79-4cff-a944-90de1f731f2a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
