Graylog Sidecar / Filebeat Setup


Requirements

on the Graylog server web UI

First, prepare the Graylog server to receive Beats messages by creating a Beats input.

    System / Input

    Beats > Launch new input

    check   "Global"
    title   beats
    bind    0.0.0.0
    port    5044

Setup

on the Graylog server web UI

Also create a Sidecar configuration that tells Filebeat which log files to collect. Adjust the log paths and the target listener (the hosts entry under output.logstash) to your environment.

    System / Sidecars --> Configuration

    Create Configuration

    name            ...filebeat-linux-custom
    color           ...
    collector       filebeat on Linux

    fields_under_root: true
    fields.collector_node_id: ${sidecar.nodeName}
    fields.gl2_source_collector: ${sidecar.nodeId}

    filebeat.inputs:
    - input_type: log
      paths:
      - /var/log/messages
      - /var/log/syslog
      - /var/log/*/*log
      type: log

    output.logstash:
       hosts: ["graylog-server:5044"]

    path:
      data: /var/lib/graylog-sidecar/collectors/filebeat/data
      logs: /var/lib/graylog-sidecar/collectors/filebeat/log
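
Which files the three paths entries above actually select, as an added example that is not part of the original page. It matches segment by segment, following the rule Filebeat documents for its glob paths (a `*` does not cross a directory separator); the file list is a constructed sample and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# The three paths entries from the collector configuration above.
PATTERNS = ["/var/log/messages", "/var/log/syslog", "/var/log/*/*log"]

# Constructed sample of files on a Linux node (assumption, not from the page).
SAMPLE_FILES = [
    "/var/log/syslog",
    "/var/log/messages",
    "/var/log/auth.log",             # Debian/Ubuntu authentication log
    "/var/log/secure",               # RHEL-family authentication log
    "/var/log/audit/audit.log",
    "/var/log/nginx/access.log",
    "/var/log/nginx/error.log.1",    # rotated file
    "/var/log/installer/syslog",
    "/var/log/app/archive/old.log",  # two directories deep
]


def glob_match(pattern, path):
    """Match segment by segment so that '*' never crosses a '/'."""
    p_parts, f_parts = pattern.split("/"), path.split("/")
    return len(p_parts) == len(f_parts) and all(
        fnmatchcase(f, p) for p, f in zip(p_parts, f_parts)
    )


def coverage(patterns, files):
    """Return (shipped, skipped); shipped maps each file to its first matching pattern."""
    shipped, skipped = {}, []
    for f in files:
        hit = next((p for p in patterns if glob_match(p, f)), None)
        if hit is None:
            skipped.append(f)
        else:
            shipped[f] = hit
    return shipped, skipped


if __name__ == "__main__":
    shipped, skipped = coverage(PATTERNS, SAMPLE_FILES)
    for f, p in shipped.items():
        print(f"shipped  {f}  (via {p})")
    for f in skipped:
        print(f"SKIPPED  {f}")
```

On this sample the top-level authentication logs, the rotated file and the file two directories deep are not shipped, so add explicit paths entries for any of them that your detections in Graylog depend on.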

Ready to go

on the Graylog server web UI

Enable Filebeat on the hosts you want to manage this way.

    System > Sidecars / Administration

    enable Filebeat on the newly appeared node

Copyright © 2024 Pierre-Philipp Braun