Thanks Marius - I'll give that a go today. Thanks for sense checking my config and confirming I've not done anything silly!
On Thursday, 7 July 2016 22:30:29 UTC+1, Marius Sturm wrote:

> Yeah, sounds possible to me. All configurations look correct. So some Windows firewall might be the root cause. Maybe you can try with a test host with all firewalls disabled.
>
> On 7 July 2016 at 20:38, Kev Johnson <[email protected]> wrote:
>
>> <https://lh3.googleusercontent.com/-z7mPWg_KxJA/V36hBRtxUfI/AAAAAAAAEjQ/njRGd-GswWAHBnP-ivYvz2QU_pg--mmSQCLcB/s1600/Screen%2BShot%2B2016-07-07%2Bat%2B19.34.38.png>
>>
>> Does this help? Given that we're getting nothing but the Sidecar checking traffic back from the servers I'm still leaning toward this being an issue on the server rather than on the Graylog side. Any known issues with McAfee VirusScan Enterprise (beyond the obvious!)? I can't remove it, but if I need to tweak it some I probably can. Not 100% certain that this would be the case though, as if I just use NXlog to send syslog all works fine.
>>
>> On Thursday, 7 July 2016 19:27:47 UTC+1, Marius Sturm wrote:
>>
>>> The generated config looks fine, maybe a screenshot of the Graylog input puts some light on this?
>>>
>>> On 7 July 2016 at 19:50, Kev Johnson <[email protected]> wrote:
>>>
>>>> Thanks Marius - I've double checked the input port (and that it's running!), but even if it were a mismatch I'd expect tcpdump to show the packets hitting the interface. I suspect that this has to be down to the generated config, so I'm pasting the contents of one of the servers' configs below - I'm afraid that I'm not really sure how I would troubleshoot that, so I'm happy to be told that I've done something stupid!
>>>>
>>>>> define ROOT C:\Program Files (x86)\nxlog
>>>>>
>>>>> <Extension gelf>
>>>>>     Module xm_gelf
>>>>> </Extension>
>>>>>
>>>>> <Input 577e5a4bc745f2099c054dd5>
>>>>>     Module im_msvistalog
>>>>>     PollInterval 10
>>>>>     SavePos True
>>>>>     ReadFromLast True
>>>>> </Input>
>>>>>
>>>>> <Output 577e6c75c745f2099c0561b3>
>>>>>     Module om_udp
>>>>>     Host 192.168.21.12
>>>>>     Port 5414
>>>>>     OutputType GELF
>>>>>     Exec $short_message = $raw_event; # Avoids truncation of the short_message field.
>>>>>     Exec $gl2_source_collector = '28a3c8c7-bc02-44e0-98a5-e93e52b057e5';
>>>>>     Exec $Hostname = hostname_fqdn();
>>>>> </Output>
>>>>>
>>>>> <Route route-0>
>>>>>     Path 577e5a4bc745f2099c054dd5 => 577e6c75c745f2099c0561b3
>>>>> </Route>
>>>>
>>>> On Thursday, 7 July 2016 18:41:36 UTC+1, Marius Sturm wrote:
>>>>
>>>>> Hi,
>>>>> you could check if the Gelf port on the Graylog side is exactly the same as on the Nxlog sender side, usually 12201. Go to System->Inputs (the input should have a green badge 'running') and verify the port number with the one you configured for nxlog in the collector configuration.
>>>>> Another thing, Windows is not sending logs all the time so maybe you just need to create an event that is triggering a log, e.g. opening the control panel?
>>>>>
>>>>> If that doesn't help please post the generated nxlog configuration, maybe there is something obvious.
>>>>>
>>>>> On 7 July 2016 at 18:11, Kev Johnson <[email protected]> wrote:
>>>>>
>>>>>> Firstly: I love the idea of being able to push out updated configuration files to my collectors. That said: I'm having issues getting logs to my Graylog box (deployed from the OVA).
>>>>>>
>>>>>> Steps taken so far are as follows:
>>>>>>
>>>>>> - Installed NXlogCE
>>>>>> - Uninstalled the NXlog service
>>>>>> - Installed the Graylog Collector Sidecar
>>>>>> - Edited the sidecar_collector.yml file to point to my Graylog server, and remove the reference to IIS
>>>>>> - Installed the Graylog Collector Sidecar service
>>>>>> - Started the Graylog Collector Sidecar service
>>>>>> - Created a configuration (Windows Logs, ship to the UDP GELF Input defined on my Graylog box)
>>>>>> - Created a tag called Windows and applied it to this configuration
>>>>>>
>>>>>> I see the nxlog.conf get created on the Windows server, I see nxlog.exe start up on the server, but nothing is sent. TCPDump on the Graylog server shows only the TCP connections in on port 12900 from the Windows server.
>>>>>>
>>>>>> Any advice on troubleshooting this would be much appreciated!
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/526b544e-bf0b-4383-9819-61ae5f3ebfcd%40googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>> --
>>>>> Developer
>>>>>
>>>>> Tel.: +49 (0)40 609 452 077
>>>>> Fax.: +49 (0)40 609 452 078
>>>>>
>>>>> TORCH GmbH - A Graylog Company
>>>>> Poolstraße 21
>>>>> 20335 Hamburg
>>>>> Germany
>>>>>
>>>>> https://www.graylog.com
>>>>>
>>>>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>>>>> Managing Director (Geschäftsführer): Lennart Koopmann (CEO)
