Thanks Marius - I'll give that a go today. Thanks for sense checking my 
config and confirming I've not done anything silly!

On Thursday, 7 July 2016 22:30:29 UTC+1, Marius Sturm wrote:
>
> Yeah, sounds possible to me. All configurations look correct. So some 
> Windows firewall might be the root cause. Maybe you can try with a test 
> host with all firewalls disabled.
>
> On 7 July 2016 at 20:38, Kev Johnson <k...@drunkmonkey.co.uk> wrote:
>
>>
>> <https://lh3.googleusercontent.com/-z7mPWg_KxJA/V36hBRtxUfI/AAAAAAAAEjQ/njRGd-GswWAHBnP-ivYvz2QU_pg--mmSQCLcB/s1600/Screen%2BShot%2B2016-07-07%2Bat%2B19.34.38.png>
>> Does this help? Given that we're getting nothing but the Sidecar checking 
>> traffic back from the servers I'm still leaning toward this being an issue 
>> on the server rather than on the Graylog side. Any known issues with McAfee 
>> VirusScan Enterprise (beyond the obvious!) - I can't remove it, but if I 
>> need to tweak it some I probably can. Not 100% certain that this would be 
>> the case though, as if I just use NXlog to send syslog all works fine.
>>
>> On Thursday, 7 July 2016 19:27:47 UTC+1, Marius Sturm wrote:
>>>
>>> The generated config looks fine, maybe a screenshot of the Graylog input 
>>> puts some light on this?
>>>
>>> On 7 July 2016 at 19:50, Kev Johnson <k...@drunkmonkey.co.uk> wrote:
>>>
>>>> Thanks Marius - I've double checked the input port (and that it's 
>>>> running!), but even if it were a mismatch I'd expect tcpdump to show the 
>>>> packets hitting the interface. I suspect that this has to be down to the 
>>>> generated config, so I'm pasting the contents of one of the servers' 
>>>> configs below - I'm afraid that I'm not really sure how I would 
>>>> troubleshoot that, so I'm happy to be told that I've done something stupid!
>>>>
>>>>> define ROOT C:\Program Files (x86)\nxlog
>>>>>
>>>>> <Extension gelf>
>>>>>   Module xm_gelf
>>>>> </Extension>
>>>>>
>>>>> <Input 577e5a4bc745f2099c054dd5>
>>>>>   Module im_msvistalog
>>>>>   PollInterval 10
>>>>>   SavePos True
>>>>>   ReadFromLast True
>>>>> </Input>
>>>>>
>>>>> <Output 577e6c75c745f2099c0561b3>
>>>>>   Module om_udp
>>>>>   Host 192.168.21.12
>>>>>   Port 5414
>>>>>   OutputType  GELF
>>>>>   Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>>>>>   Exec $gl2_source_collector = '28a3c8c7-bc02-44e0-98a5-e93e52b057e5';
>>>>>   Exec $Hostname = hostname_fqdn();
>>>>> </Output>
>>>>>
>>>>> <Route route-0>
>>>>>   Path 577e5a4bc745f2099c054dd5 => 577e6c75c745f2099c0561b3
>>>>> </Route>
>>>>
>>>> On Thursday, 7 July 2016 18:41:36 UTC+1, Marius Sturm wrote:
>>>>>
>>>>> Hi,
>>>>> you could check if the Gelf port on the Graylog side is exactly the 
>>>>> same as on the Nxlog sender side, usually 12201. Go to System->Inputs 
>>>>> (the input should have a green badge 'running') verify the port number 
>>>>> with the one you configured for nxlog in the collector configuration.
>>>>> Another thing, Windows is not sending logs all the time so maybe you 
>>>>> just need to create an event that is triggering a log e.g. opening the 
>>>>> control panel?
>>>>>
>>>>> If that doesn't help please post the generated nxlog configuration, 
>>>>> maybe there is something obvious.
>>>>>
>>>>> On 7 July 2016 at 18:11, Kev Johnson <k...@drunkmonkey.co.uk> wrote:
>>>>>
>>>>>> Firstly: I love the idea of being able to push out updated 
>>>>>> configuration files to my collectors. That said: I'm having issues 
>>>>>> getting logs to my Graylog box (deployed from the OVA)
>>>>>>
>>>>>> Steps taken so far are as follows
>>>>>>
>>>>>>
>>>>>>    - Installed NXlogCE
>>>>>>    - Uninstalled the NXlog service
>>>>>>    - Installed the Graylog Collector Sidecar
>>>>>>    - Edited the sidecar_collector.yml file to point to my Graylog 
>>>>>>    server, and remove the reference to IIS
>>>>>>    - Installed the Graylog Collector Sidecar service
>>>>>>    - Started the Graylog Collector Sidecar service
>>>>>>    - Created a configuration (Windows Logs, ship to the UDP GELF 
>>>>>>    Input defined on my Graylog box)
>>>>>>    - Created a tag called Windows and applied it to this 
>>>>>>    configuration
>>>>>>
>>>>>>
>>>>>> I see the nxlog.conf get created on the Windows server, I see 
>>>>>> nxlog.exe start up on server, but nothing is sent. TCPDump on the 
>>>>>> Graylog server shows only the TCP connections in on port 12900 from 
>>>>>> the Windows server.
>>>>>>
>>>>>> Any advice on troubleshooting this would be much appreciated!
>>>>>>
>>>>>> -- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "Graylog Users" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to graylog2+u...@googlegroups.com.
>>>>>> To view this discussion on the web visit 
>>>>>> https://groups.google.com/d/msgid/graylog2/526b544e-bf0b-4383-9819-61ae5f3ebfcd%40googlegroups.com
>>>>>>  
>>>>>> <https://groups.google.com/d/msgid/graylog2/526b544e-bf0b-4383-9819-61ae5f3ebfcd%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Developer
>>>>>
>>>>> Tel.: +49 (0)40 609 452 077
>>>>> Fax.: +49 (0)40 609 452 078
>>>>>
>>>>> TORCH GmbH - A Graylog Company
>>>>> Poolstraße 21
>>>>> 20335 Hamburg
>>>>> Germany
>>>>>
>>>>> https://www.graylog.com <https://www.torch.sh/>
>>>>>
>>>>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>>>>> Geschäftsführer: Lennart Koopmann (CEO)
>>>>>
>>>
>>>
>>>
>
>
>

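To separate a configuration problem from a host firewall problem of the kind discussed in this thread, the following added example (not part of the original messages, and not Graylog or NXLog code) reads the `om_udp` GELF outputs from a generated nxlog.conf and sends one hand-built GELF datagram to the same host and port, so tcpdump on the Graylog side can show whether UDP from that machine arrives at all. The function names and the sample text are assumptions made for illustration; the sample mirrors the Output block quoted above.

```python
import json
import re
import socket

# Constructed sample mirroring the Output block quoted in the thread.
SAMPLE_CONF = """\
<Output 577e6c75c745f2099c0561b3>
    Module om_udp
    Host 192.168.21.12
    Port 5414
    OutputType  GELF
    Exec $Hostname = hostname_fqdn();
</Output>
"""

# Matches simple "Key Value" directives; multi-token lines such as Exec are skipped.
DIRECTIVE = re.compile(r"^[ \t]*(\w+)[ \t]+(\S+)[ \t]*\r?$", re.M)


def udp_gelf_outputs(conf_text):
    """Return (name, host, port) for every om_udp output that emits GELF."""
    found = []
    blocks = re.findall(r"<Output\s+(\S+)>(.*?)</Output>", conf_text, re.S | re.I)
    for name, body in blocks:
        opts = dict(DIRECTIVE.findall(body))
        if opts.get("Module") == "om_udp" and opts.get("OutputType") == "GELF":
            found.append((name, opts["Host"], int(opts["Port"])))
    return found


def gelf_datagram(source_host, text):
    """Build an uncompressed GELF 1.1 payload (plain JSON is valid over UDP)."""
    msg = {"version": "1.1", "host": source_host, "short_message": text, "level": 6}
    return json.dumps(msg).encode("utf-8")


def send_probe(host, port, payload):
    """Send one datagram and return the number of bytes handed to the OS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    for name, host, port in udp_gelf_outputs(SAMPLE_CONF):
        sent = send_probe(host, port, gelf_datagram(socket.gethostname(), "gelf probe"))
        print(f"{name}: sent {sent} bytes to {host}:{port}/udp")
```

If the probe shows up in tcpdump but NXLog's own traffic does not, the filtering is likely per-process on the Windows host; if neither shows up, look at the network path or a host-wide outbound rule.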