Yeah, sounds possible to me. All configurations look correct. So some Windows firewall might be the root cause. Maybe you can try with a test host with all firewalls disabled.
On 7 July 2016 at 20:38, Kev Johnson <[email protected]> wrote:
>
> <https://lh3.googleusercontent.com/-z7mPWg_KxJA/V36hBRtxUfI/AAAAAAAAEjQ/njRGd-GswWAHBnP-ivYvz2QU_pg--mmSQCLcB/s1600/Screen%2BShot%2B2016-07-07%2Bat%2B19.34.38.png>
>
> Does this help? Given that we're getting nothing but the Sidecar checking
> traffic back from the servers I'm still leaning toward this being an issue
> on the server rather than on the Graylog side. Any known issues with McAfee
> VirusScan Enterprise (beyond the obvious!) - I can't remove it, but if I
> need to tweak it some I probably can. Not 100% certain that this would be
> the case though, as if I just use NXlog to send syslog all works fine.
>
> On Thursday, 7 July 2016 19:27:47 UTC+1, Marius Sturm wrote:
>>
>> The generated config looks fine, maybe a screenshot of the Graylog input
>> puts some light on this?
>>
>> On 7 July 2016 at 19:50, Kev Johnson <[email protected]> wrote:
>>>
>>> Thanks Marius - I've double checked the input port (and that it's
>>> running!), but even if it were a mismatch I'd expect tcpdump to show the
>>> packets hitting the interface. I suspect that this has to be down to the
>>> generated config, so I'm pasting the contents of one of the servers'
>>> configs below - I'm afraid that I'm not really sure how I would
>>> troubleshoot that, so I'm happy to be told that I've done something stupid!
>>>
>>> define ROOT C:\Program Files (x86)\nxlog
>>>
>>> <Extension gelf>
>>>     Module xm_gelf
>>> </Extension>
>>>
>>> <Input 577e5a4bc745f2099c054dd5>
>>>     Module im_msvistalog
>>>     PollInterval 10
>>>     SavePos True
>>>     ReadFromLast True
>>> </Input>
>>>
>>> <Output 577e6c75c745f2099c0561b3>
>>>     Module om_udp
>>>     Host 192.168.21.12
>>>     Port 5414
>>>     OutputType GELF
>>>     Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>>>     Exec $gl2_source_collector = '28a3c8c7-bc02-44e0-98a5-e93e52b057e5';
>>>     Exec $Hostname = hostname_fqdn();
>>> </Output>
>>>
>>> <Route route-0>
>>>     Path 577e5a4bc745f2099c054dd5 => 577e6c75c745f2099c0561b3
>>> </Route>
>>>
>>> On Thursday, 7 July 2016 18:41:36 UTC+1, Marius Sturm wrote:
>>>>
>>>> Hi,
>>>> you could check if the GELF port on the Graylog side is exactly the
>>>> same as on the nxlog sender side, usually 12201. Go to System->Inputs (the
>>>> input should have a green badge 'running') and verify the port number with the
>>>> one you configured for nxlog in the collector configuration.
>>>> Another thing, Windows is not sending logs all the time so maybe you
>>>> just need to create an event that is triggering a log e.g. opening the
>>>> control panel?
>>>>
>>>> If that doesn't help please post the generated nxlog configuration,
>>>> maybe there is something obvious.
>>>>
>>>> On 7 July 2016 at 18:11, Kev Johnson <[email protected]> wrote:
>>>>>
>>>>> Firstly: I love the idea of being able to push out updated
>>>>> configuration files to my collectors. That said: I'm having issues getting
>>>>> logs to my Graylog box (deployed from the OVA).
>>>>>
>>>>> Steps taken so far are as follows:
>>>>>
>>>>> - Installed NXlog CE
>>>>> - Uninstalled the NXlog service
>>>>> - Installed the Graylog Collector Sidecar
>>>>> - Edited the sidecar_collector.yml file to point to my Graylog
>>>>>   server, and remove the reference to IIS
>>>>> - Installed the Graylog Collector Sidecar service
>>>>> - Started the Graylog Collector Sidecar service
>>>>> - Created a configuration (Windows Logs, ship to the UDP GELF
>>>>>   Input defined on my Graylog box)
>>>>> - Created a tag called Windows and applied it to this configuration
>>>>>
>>>>> I see the nxlog.conf get created on the Windows server, I see
>>>>> nxlog.exe start up on the server, but nothing is sent. TCPDump on the Graylog
>>>>> server shows only the TCP connections in on port 12900 from the Windows
>>>>> server.
>>>>>
>>>>> Any advice on troubleshooting this would be much appreciated!
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Graylog Users" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/graylog2/526b544e-bf0b-4383-9819-61ae5f3ebfcd%40googlegroups.com
>>>>> For more options, visit https://groups.google.com/d/optout.
--
Developer

Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078

TORCH GmbH - A Graylog Company
Poolstraße 21
20335 Hamburg
Germany

https://www.graylog.com <https://www.torch.sh/>

Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/CAMqbBbLH6zYmB9vzWCVHf4qokhAJ1MDPjUyJHPr%3DU0RFav071g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
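The thread narrows the problem to "nothing ever leaves the Windows host on UDP 5414, even though nxlog starts and the Graylog input is running". One way to separate a host-side block (firewall, AV) from an nxlog configuration problem is to send a hand-built GELF datagram from the same host and watch for it with tcpdump on the Graylog side, exactly as Kev did for nxlog's own traffic. The script below is an added example and is not code from the thread, from Graylog or from nxlog. It builds a GELF 1.1 datagram (plain JSON or gzip-compressed), sends it, and decodes whatever a receiving socket gets, so that the two ends can be compared. The target host and port are taken from the nxlog config pasted above; the loopback receiver, the probe host name and the placeholder collector id are constructed for the example.

```python
"""Hand-built GELF/UDP probe for checking a Graylog input path.

Added example, not code from the mailing-list thread, Graylog or nxlog.
"""
import gzip
import json
import socket
import time
import zlib

# Target taken from the nxlog <Output> block in the thread; override as needed.
DEFAULT_TARGET = ("192.168.21.12", 5414)

# Leading bytes that distinguish the GELF/UDP encodings a receiver may see.
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_MAGIC = b"\x78"
CHUNK_MAGIC = b"\x1e\x0f"


def build_gelf_message(host, short_message, level=6, full_message=None,
                       extra=None, compress=True):
    """Return one GELF 1.1 datagram as bytes.

    `extra` holds additional fields. GELF requires their names to start with
    an underscore and forbids a field named `_id`, so both are enforced here.
    """
    payload = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,
    }
    if full_message is not None:
        payload["full_message"] = full_message
    for key, value in (extra or {}).items():
        name = key if key.startswith("_") else "_" + key
        if name == "_id":
            raise ValueError("GELF forbids an additional field named _id")
        payload[name] = value
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return gzip.compress(raw) if compress else raw


def parse_gelf_datagram(data):
    """Decode one GELF/UDP datagram into a dict and validate the required fields."""
    if data[:2] == CHUNK_MAGIC:
        raise ValueError("chunked GELF: reassemble the chunks before parsing")
    if data[:2] == GZIP_MAGIC:
        data = gzip.decompress(data)
    elif data[:1] == ZLIB_MAGIC:
        data = zlib.decompress(data)
    msg = json.loads(data.decode("utf-8"))
    missing = [k for k in ("version", "host", "short_message") if k not in msg]
    if missing:
        raise ValueError("GELF message missing required fields: %s" % missing)
    if msg["version"] != "1.1":
        raise ValueError("unexpected GELF version %r" % msg["version"])
    return msg


def send_gelf(datagram, target=DEFAULT_TARGET):
    """Send one datagram; returns the byte count handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, target)


def loopback_roundtrip(host, short_message, extra=None, compress=True, timeout=2.0):
    """Send to a throwaway receiver on 127.0.0.1 and return what it decoded.

    Constructed stand-in for the Graylog input: confirms the encoder and the
    decoder agree before any datagram is pointed at a real server.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(timeout)
        datagram = build_gelf_message(host, short_message, extra=extra, compress=compress)
        send_gelf(datagram, receiver.getsockname())
        data, _ = receiver.recvfrom(65535)
    return parse_gelf_datagram(data)


if __name__ == "__main__":
    # Real probe. If tcpdump on the Graylog host never sees this datagram either,
    # the block sits on the sending host or the path, not in nxlog's config.
    probe = build_gelf_message("probe-host", "sidecar connectivity probe",
                               extra={"gl2_source_collector": "PLACEHOLDER-COLLECTOR-ID"})
    sent = send_gelf(probe)
    print("sent %d bytes to %s:%d" % (sent, DEFAULT_TARGET[0], DEFAULT_TARGET[1]))
```

Run it from the Windows host that is failing and watch port 5414 with tcpdump on the Graylog server. A probe that arrives while nxlog's output does not points at something acting on the nxlog process specifically (the per-process firewall rule or AV control Kev suspects); a probe that never arrives points at the host or network path, which is Marius's suggestion of retesting with all firewalls disabled. The loopback round trip is there so the encoder and decoder can be checked offline first.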
