Setting up Graylog Sidecar & Filebeat

graylog server | sidecar | filebeat | syslog udp

tested on ubuntu/hirsute

Requirements

make sure the graylog server is reachable

    nmap -p 80,443,9000 GRAYLOG-SERVER
    curl -i http://GRAYLOG-SERVER:9000/api/?pretty=true

you will also need an API TOKEN from the web interface. create a token that the sidecar collectors will use to authenticate against the server

    System / Sidecars

    create token
    token name      sidecar-token

Sidecar install

grab the latest repository

    ver=1-2
    wget https://packages.graylog2.org/repo/packages/graylog-sidecar-repository_${ver}_all.deb
    dpkg -i graylog-sidecar-repository_${ver}_all.deb
    apt update && apt install graylog-sidecar

or grab the latest sidecar package directly

    wget https://packages.graylog2.org/repo/debian/pool/sidecar-stable/1.4/g/graylog-sidecar/graylog-sidecar_1.4.0-2_amd64.deb
    dpkg -i graylog-sidecar_1.4.0-2_amd64.deb

and do not forget to install that service manually

    graylog-sidecar -service install
    systemctl status graylog-sidecar # enabled already

Filebeat install

install repo for filebeat (https://www.elastic.co/guide/en/beats/filebeat/8.7/setup-repositories.html#_apt)

    apt install gnupg1
    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    apt-get install apt-transport-https
    echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | tee -a /etc/apt/sources.list.d/elastic-8.x.list
    apt-get update && apt-get install filebeat
    systemctl status filebeat # enabled by default

no need to enable this one: the sidecar starts and manages filebeat itself, so disable the standalone unit

    systemctl disable filebeat

Sidecar setup

    cd /etc/graylog/sidecar/
    mv -i sidecar.yml sidecar.yml.dist
    grep -vE '^#|^$' sidecar.yml.dist > sidecar.yml
    vi sidecar.yml

    server_url: "http://graylog-server:9000/api/"
    server_api_token: "TOKEN-HERE"
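
The two steps above (strip the comments out of the shipped file, then fill in the server URL and the token) can be scripted, and since sidecar.yml now carries the API token it is worth making sure the file is not readable by other local users. The script below is an added example and not part of the original guide; the sidecar.yml.dist content, the directory, the URL and the TOKEN-HERE value are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the original guide: render sidecar.yml from the shipped
# sidecar.yml.dist the way the steps above do (drop comments and blank lines, set the
# two keys) and lock the file down, since it now holds the API token.
# Paths, URL and token below are constructed placeholders.
set -eu

# render_sidecar_yml DIST OUT URL TOKEN
# Writes OUT from DIST with server_url/server_api_token replaced; refuses a URL that
# does not end in /api/ or an empty token, and creates OUT owner-readable only.
render_sidecar_yml() {
    dist=$1; out=$2; url=$3; token=$4
    case "$url" in
        */api/) ;;
        *) echo "server_url must end with /api/: $url" >&2; return 1 ;;
    esac
    [ -n "$token" ] || { echo "refusing to write an empty server_api_token" >&2; return 1; }
    # umask in a subshell so the secret-bearing file is never group/world readable, even briefly
    ( umask 077
      grep -vE '^#|^$' "$dist" \
        | sed -e "s|^server_url:.*|server_url: \"$url\"|" \
              -e "s|^server_api_token:.*|server_api_token: \"$token\"|" \
        > "$out" )
    chmod 0600 "$out"
}

# check_sidecar_yml FILE
# Returns 0 when both keys are filled in and group/other have no access bits.
check_sidecar_yml() {
    f=$1
    grep -q '^server_url: "http' "$f" || { echo "server_url not set in $f" >&2; return 1; }
    grep -q '^server_api_token: "[^"]\{1,\}"' "$f" || { echo "server_api_token not set in $f" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f is readable by group/other (mode bits $mode)" >&2; return 1; }
}

# Constructed stand-in for /etc/graylog/sidecar/sidecar.yml.dist, written to a temp dir.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sidecar.yml.dist" <<'EOF'
# The URL to the Graylog server API (constructed sample of the shipped file).
server_url: "http://127.0.0.1:9000/api/"

# The API token to use to authenticate against the Graylog server API.
server_api_token: ""
node_id: "file:/etc/graylog/sidecar/node-id"
EOF

render_sidecar_yml "$demo_dir/sidecar.yml.dist" "$demo_dir/sidecar.yml" \
    "http://graylog-server:9000/api/" "TOKEN-HERE"
check_sidecar_yml "$demo_dir/sidecar.yml" && cat "$demo_dir/sidecar.yml"
```

On a real host point `render_sidecar_yml` at /etc/graylog/sidecar/sidecar.yml.dist and /etc/graylog/sidecar/sidecar.yml; the sed delimiter is `|`, which is fine for Graylog tokens (alphanumeric) but would need changing for a token containing that character.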

Filebeat setup

nothing to do here: the sidecar pushes the filebeat configuration from the server

Ready to go

    nmap graylog-server -p 5044 # Beats input on the graylog server

    tail -F /var/log/graylog-sidecar/sidecar.log

    systemctl restart graylog-sidecar
    systemctl status graylog-sidecar

and once it is up, check that there is an ID for the client node

    cat /etc/graylog/sidecar/node-id; echo
    ls -lF /etc/graylog/sidecar/node-id

you can also track the generated confs

    ls -alF /var/lib/graylog-sidecar/generated/
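
The three things checked by hand above (a node-id, a clean sidecar.log, something under generated/) fit in one readiness check that can be rerun after every restart. This is an added example, not part of the original guide; the log lines, the node id and the temp directory it works on are constructed, and the `level=error` pattern assumes the sidecar's key=value log format.

```shell
#!/bin/sh
# Added example, not part of the original guide: a post-start check for the items the
# steps above verify by hand (node-id present, no errors in sidecar.log, configs in
# generated/). The sample log lines and paths below are constructed.
set -eu

# count_log_errors LOG: prints how many error-level lines the sidecar log contains
count_log_errors() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c 'level=error' "$1" || true
}

# sidecar_ready NODE_ID_FILE LOG_FILE GENERATED_DIR
# Returns 0 when the node id is set, the log has no error lines and at least one
# generated collector configuration exists; otherwise prints why and returns 1.
sidecar_ready() {
    idf=$1; log=$2; gen=$3
    [ -s "$idf" ] || { echo "node-id missing or empty: $idf" >&2; return 1; }
    n=$(count_log_errors "$log")
    if [ "$n" -ne 0 ]; then
        echo "$n error line(s) in $log:" >&2
        grep 'level=error' "$log" >&2
        return 1
    fi
    [ -n "$(ls -A "$gen" 2>/dev/null)" ] || { echo "no generated collector config in $gen" >&2; return 1; }
    echo "sidecar node $(cat "$idf") is up, $(ls "$gen" | wc -l | tr -d ' ') generated config(s)"
}

# Constructed stand-ins for /etc/graylog/sidecar/node-id, the sidecar log and generated/.
demo=$(mktemp -d)
printf '%s\n' "constructed-node-id-0001" > "$demo/node-id"
mkdir "$demo/generated"
cat > "$demo/sidecar.log" <<'EOF'
time="2024-05-01T10:00:00+02:00" level=info msg="[constructed] Starting signal distributor"
time="2024-05-01T10:00:01+02:00" level=info msg="[constructed] Adding process runner for: filebeat"
time="2024-05-01T10:00:02+02:00" level=error msg="[constructed] Can't fetch configuration from Graylog API: 401 Unauthorized"
EOF

# First run: the error line (a rejected server_api_token in this constructed scenario) blocks readiness
sidecar_ready "$demo/node-id" "$demo/sidecar.log" "$demo/generated" || echo "not ready yet"
# After fixing the token and restarting, the log is clean and a config has been generated
grep -v 'level=error' "$demo/sidecar.log" > "$demo/sidecar.log.clean" && mv "$demo/sidecar.log.clean" "$demo/sidecar.log"
: > "$demo/generated/filebeat.conf"
sidecar_ready "$demo/node-id" "$demo/sidecar.log" "$demo/generated"
```

On a real host call `sidecar_ready /etc/graylog/sidecar/node-id /var/log/graylog-sidecar/sidecar.log /var/lib/graylog-sidecar/generated`; a non-zero exit with the offending log lines on stderr is what you want to see before going back to the token or the server URL in sidecar.yml.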

you are now ready to set up filebeat from the graylog server web interface.

Resources

INGEST FROM FILES https://docs.graylog.org/docs/files

GRAYLOG SIDECAR https://docs.graylog.org/docs/sidecar

install

https://www.symmcom.com/docs/how-tos/servers/how-to-install-and-configure-garylog-sidecar-on-debian-11

download

https://github.com/Graylog2/collector-sidecar/releases

filebeat

Filebeat quick start: installation and configuration https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

alternatives

NXLog Community Edition https://nxlog.co/products/nxlog-community-edition/download


Copyright © 2024 Pierre-Philipp Braun