Setting up Graylog Sidecar

tested on ubuntu/hirsute

Requirements

make sure the graylog server is reachable

nmap -p 80,443,9000 GRAYLOG-SERVER
curl -i http://GRAYLOG-SERVER:9000/api/?pretty=true

and you need an API TOKEN from the web interface (it goes into server_api_token below)

Install

grab the latest repository package

ver=1-2
wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_${ver}_all.deb
dpkg -i graylog-sidecar-repository_${ver}_all.deb
apt update && apt install graylog-sidecar
graylog-sidecar -service install

Setup

mv -i /etc/graylog/sidecar/sidecar.yml /etc/graylog/sidecar/sidecar.yml.dist
grep -vE '^#|^$' /etc/graylog/sidecar/sidecar.yml.dist > /etc/graylog/sidecar/sidecar.yml
vi /etc/graylog/sidecar/sidecar.yml

server_url: "http://buster:9000/api/"
server_api_token: "TOKEN-HERE"
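
a quick sanity check of the two settings above, as an added example (not part of the original notes and not Graylog tooling). The function names are hypothetical; tls_skip_verify is a sidecar.yml option that this page does not set.

```shell
#!/bin/sh
# Added example: hypothetical helper names; checks only what this page configures.

# yaml_value KEY FILE -> first top-level scalar for KEY, quotes stripped
yaml_value() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//'
}

# check_sidecar_yml FILE -> prints one finding per line, nothing if clean
check_sidecar_yml() {
    f=$1
    [ -r "$f" ] || { echo "MISSING cannot read $f"; return 0; }
    url=$(yaml_value server_url "$f")
    token=$(yaml_value server_api_token "$f")
    skip=$(yaml_value tls_skip_verify "$f")   # sidecar.yml option, not shown on this page

    case $url in
        https://*) ;;
        http://*)  echo "PLAIN_HTTP server_url=$url sends the API token unencrypted" ;;
        *)         echo "BAD_URL server_url is empty or has no http(s) scheme" ;;
    esac
    case $token in
        ''|TOKEN-HERE) echo "NO_TOKEN server_api_token is empty or still the placeholder" ;;
    esac
    [ "$skip" = "true" ] && echo "TLS_SKIP_VERIFY server certificate is not validated"
    # the token sits in this file in clear text: it should not be world-readable
    [ -n "$(find "$f" -prune -perm -004)" ] && echo "WORLD_READABLE $f exposes the token to local users"
    return 0
}

# Constructed sample: the two settings exactly as written on this page.
sample=$(mktemp)
printf '%s\n' 'server_url: "http://buster:9000/api/"' 'server_api_token: "TOKEN-HERE"' > "$sample"
chmod 644 "$sample"
check_sidecar_yml "$sample"
rm -f "$sample"
```

call check_sidecar_yml /etc/graylog/sidecar/sidecar.yml after editing; no output means none of the checked problems were found.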

Ready to go

tail -F /var/log/graylog-sidecar/sidecar.log

systemctl restart graylog-sidecar.service
systemctl enable graylog-sidecar.service

date
ls -alF /var/lib/graylog-sidecar/generated/
ls -lF /etc/graylog/sidecar/node-id

set up filebeat and enable it from the graylog server web interface

System > Sidecars / Administration

enable Filebeat on the newly appeared node

Resources

INGEST FROM FILES https://docs.graylog.org/docs/files

GRAYLOG SIDECAR https://docs.graylog.org/docs/sidecar

download

https://github.com/Graylog2/collector-sidecar/releases

filebeat

Filebeat quick start: installation and configuration https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

alternatives

NXLog Community Edition https://nxlog.co/products/nxlog-community-edition/download


Copyright © 2022 Pierre-Philipp Braun