The generated config looks fine, maybe a screenshot of the Graylog input puts some light on this?
On 7 July 2016 at 19:50, Kev Johnson <[email protected]> wrote:

> Thanks Marius - I've double checked the input port (and that it's
> running!), but even if it were a mismatch I'd expect tcpdump to show the
> packets hitting the interface. I suspect that this has to be down to the
> generated config, so I'm pasting the contents of one of the servers'
> configs below - I'm afraid that I'm not really sure how I would
> troubleshoot that, so I'm happy to be told that I've done something stupid!
>
> define ROOT C:\Program Files (x86)\nxlog
>
> <Extension gelf>
>     Module xm_gelf
> </Extension>
>
> <Input 577e5a4bc745f2099c054dd5>
>     Module im_msvistalog
>     PollInterval 10
>     SavePos True
>     ReadFromLast True
> </Input>
>
> <Output 577e6c75c745f2099c0561b3>
>     Module om_udp
>     Host 192.168.21.12
>     Port 5414
>     OutputType GELF
>     Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>     Exec $gl2_source_collector = '28a3c8c7-bc02-44e0-98a5-e93e52b057e5';
>     Exec $Hostname = hostname_fqdn();
> </Output>
>
> <Route route-0>
>     Path 577e5a4bc745f2099c054dd5 => 577e6c75c745f2099c0561b3
> </Route>
>
> On Thursday, 7 July 2016 18:41:36 UTC+1, Marius Sturm wrote:
>
>> Hi,
>> you could check if the Gelf port on the Graylog side is exactly the same
>> as on the Nxlog sender side, usually 12201. Go to System->Inputs (the input
>> should have a green badge 'running') verify the port number with the one
>> you configured for nxlog in the collector configuration.
>> Another thing, Windows is not sending logs all the time so maybe you just
>> need to create an event that is triggering a log e.g. opening the control
>> panel?
>>
>> If that doesn't help please post the generated nxlog configuration, maybe
>> there is something obvious.
>>
>> On 7 July 2016 at 18:11, Kev Johnson <[email protected]> wrote:
>>
>>> Firstly: I love the idea of being able to push out updated configuration
>>> files to my collectors. That said: I'm having issues getting logs to my
>>> Graylog box (deployed from the OVA)
>>>
>>> Steps taken so far are as follows
>>>
>>> - Installed NXlogCE
>>> - Uninstalled the NXlog service
>>> - Installed the Graylog Collector Sidecar
>>> - Edited the sidecar_collector.yml file to point to my Graylog
>>>   server, and remove the reference to IIS
>>> - Installed the Graylog Collector Sidecar service
>>> - Started the Graylog Collector Sidecar service
>>> - Created a configuration (Windows Logs, ship to the UDP GELF Input
>>>   defined on my Graylog box)
>>> - Created a tag called Windows and applied it to this configuration
>>>
>>> I see the nxlog.conf get created on the Windows server, I see nxlog.exe
>>> start up on server, but nothing is sent. TCPDump on the Graylog server
>>> shows only the TCP connections in on port 12900 from the Windows server.
>>>
>>> Any advice on troubleshooting this would be much appreciated!
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Graylog Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/graylog2/526b544e-bf0b-4383-9819-61ae5f3ebfcd%40googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> Developer
>>
>> Tel.: +49 (0)40 609 452 077
>> Fax.: +49 (0)40 609 452 078
>>
>> TORCH GmbH - A Graylog Company
>> Poolstraße 21
>> 20335 Hamburg
>> Germany
>>
>> https://www.graylog.com <https://www.torch.sh/>
>>
>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>> Geschäftsführer: Lennart Koopmann (CEO)
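
Added example, not part of the thread and not Graylog or NXLog project code: a small Python check that resolves each Route in a generated nxlog.conf to the Output it feeds, so the module, host and port can be compared with the Graylog input and used as the tcpdump filter, plus a helper that sends one GELF 1.1 test datagram to that destination. The function names are hypothetical, the parser is simplified (single-source routes only), and the sample is constructed from the config quoted above.

```python
import json
import re
import socket

# Constructed sample: Input/Output/Route blocks of the config posted in the thread.
SAMPLE_CONF = """
<Input 577e5a4bc745f2099c054dd5>
    Module im_msvistalog
</Input>
<Output 577e6c75c745f2099c0561b3>
    Module om_udp
    Host 192.168.21.12
    Port 5414
    OutputType GELF
</Output>
<Route route-0>
    Path 577e5a4bc745f2099c054dd5 => 577e6c75c745f2099c0561b3
</Route>
"""

BLOCK = re.compile(r"<(Input|Output|Route)\s+([^>\s]+)>(.*?)</\1>", re.S)

def parse_blocks(conf):
    """Return {(kind, name): {directive: value}}; a repeated directive keeps its last value."""
    blocks = {}
    for kind, name, body in BLOCK.findall(conf):
        pairs = (line.split(None, 1) for line in body.splitlines())
        blocks[(kind, name)] = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
    return blocks

def route_destinations(conf):
    """Resolve each single-source Route to the Output it feeds (None fields = undefined)."""
    blocks, found = parse_blocks(conf), []
    for (kind, name), directives in blocks.items():
        if kind != "Route":
            continue
        src, dst = (part.strip() for part in directives["Path"].split("=>"))
        out = blocks.get(("Output", dst), {})
        found.append({"route": name, "input_defined": ("Input", src) in blocks,
                      "module": out.get("Module"), "host": out.get("Host"),
                      "port": int(out["Port"]) if "Port" in out else None})
    return found

def send_test_gelf(host, port, source="nxlog-check"):
    """Send one uncompressed GELF 1.1 datagram; returns the number of bytes sent."""
    msg = {"version": "1.1", "host": source, "short_message": "sidecar path test"}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(json.dumps(msg).encode(), (host, port))
```

Running `send_test_gelf` from the Windows host against the resolved host and port while tcpdump listens on the Graylog server separates a network or firewall problem from an nxlog problem.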
