Once you have installed Graylog Sidecar on either Linux or Windows and set up your preferred collectors, now you can manage your Sidecar instance as needed.

Locate Sidecar

Once you install the Sidecar package and start the service for the first time, verify that it shows up in the Sidecars Overview page. A new Sidecar instance will have default collector configurations assigned.

Hint: Obsolete or disconnected Sidecars are removed from the Sidecar list after 14 days. This default period may be edited on the SystemSidecars page.

View Sidecar Status

Each Sidecar instance is able to send status information back to Graylog. A status page with the configured information will be displayed when you click on each detailed Sidecar page under Node details.

Manage Failure Tracking

If you manage a large deployment with numerous Sidecars, it may be daunting to analyze the reason for each collector’s failure individually. For this purpose, we incorporated a Failure Tracking page into Sidecars.

This searchable and sortable page displays the name, status, error message, and verbose error message of each collector.

Create and Edit Variables

Configuration variables can contain arbitrary strings, like the IP address of your Graylog server, or the port of an input. These variables can be used in multiple collector configurations. This helps avoid duplication and also simplifies management.

In order to create a configuration variable:

  1. Go to the Collector Configuration page.

  2. Find the Collector Configuration Reference.

  3. Click on Variables and then click on Create Variable.

  4. Enter the necessary content in the modal and click Save.

In the following example, we replace the hard coded IP and port from our Beats input with a new variable named ${user.graylog_host}. First we need to create the variable via the modal on the Collector Configuration page, as explained above. Once we enter the necessary information and click Create Variable, we can now use this variable in all our configurations.



In cases where you need to change the IP or port of your input, you only need to change the variable through the Graylog interface. To do so:

  1. Go to the Collector Configuration page under System>Sidecars.

  2. Find the configuration you need and click Edit.

  3. Go to Variables in the Collector Configuration Reference.

  4. Click the Edit button corresponding to the variable you wish to change.

  5. Edit the information found in the modal.

Secure Sidecar Communication

The communication between Sidecar and Graylog will be secured if your API utilizes TLS/SSL.

To secure the communication between the collector and Graylog, select Enable TLS in your Beats input. Graylog will then create a self-signed certificate for this input.

Enable Certificate-Based Client Authentication

If you want Graylog to only accept data from authenticated collectors, please follow the steps in Secured Graylog and Beats Input.

Assign Tags

You can assign configurations based on tags. Tags are used to define which configurations the host should receive. For example, a user can create a configuration for Apache access log files. In this case, the configuration gets the tag apache.

The Sidecar can also be started on all web servers running the Apache daemon with the apache tag to fetch this configuration and to collect web access log files.

This is the specific configuration section of a configuration YAML file that would typically exist in an endpoint computer:

Copy 
# A list of tags to assign to this Sidecar. Collector configuration matching any of these tags will automatically be
# applied to the Sidecar.
# Example:
# tags:
# - apache-logs
# - dns-logs

Once the system applies the tag to the endpoint, it automatically starts collecting logs and funnels them into Graylog. The tag feature frees users and administrators from the burden of managing the collector configurations on all PCs or other endpoints registering to Graylog. Configurations are automatically assigned to new clients as long as their YAML configuration file includes the matching tag.

Sidecar tags can be stored in the endpoint client, such as a Windows Server and Windows Workstation or any other Linux server or workstation. They are also built so that you can attach them to different collectors for Winlogbeat, Filebeat, Metricbeat, and NX log clients.

Sidecar also allows you to have multiple collector configurations assigned to one endpoint. For example, you could have a configuration set for a Winlogbeat tag and another for a Sysmon tag layered on the same Windows client.

Hint: Snippets can also be used to provide additional configuration of the agent when it may not be possible via the system. They can be used to represent more complicated collector configurations. Simply paste the whole content of your NXLog configuration into a snippet or use it as an extension to the inputs and outputs previously defined. All snippets will be copied directly to the generated collector configuration regardless of whether their inputs or outputs are defined.

Debug Sidecar

The Sidecar writes log files to the directory configured in log_path. There is one file for each backend. You can check for general issues like file permissions or log transmission problems in these files. The Sidecar itself writes to Sidecar.log. Problems like "failed connection to the Graylog API" can be found here.

You can also start the Sidecar in the foreground and monitor the output of the process:

Copy 
graylog-Sidecar -debug

Uninstall Sidecar

If for any reason you need to uninstall Graylog Sidecar, on a Linux operating system you can simply uninstall the package. To uninstall in Windows run the following commands:

Copy 
"C:\Program Files\Graylog\graylog-Sidecar.exe" -service stop 
"C:\Program Files\Graylog\graylog-Sidecar.exe" -service uninstall

Note that you should prefix the commands with & when using PowerShell.