Set Up Sidecar Collectors
Now that you have installed Sidecar, you can manage your instance via the Overview page and assign log collectors to it. Note that there are two types of collectors:

- Default collectors (using ready-to-use configurations)
- Collectors you install manually (see Install Collectors Manually below)
Review and Edit Default Collectors
Several default collector configurations have been added to Sidecar. These default configurations are ready-to-use and will be automatically assigned once the Sidecar is installed. They will immediately start collecting data such as event logs or audit framework data.
To view the collectors that will be running by default:

- Go to System > Sidecars.
- Click on the Overview tab and select the Sidecar.
Previously, you needed to install collectors manually before being able to utilize the Sidecar. Starting with Sidecar version 1.5, Sidecar ships with the collectors shown below:
| Operating System | Ships With |
|---|---|
| Linux x86/x86_64 | Filebeat, Auditbeat |
| Windows x86/x86_64 | Filebeat, Winlogbeat |
Edit Default Collector Configurations
You may view and edit all default Sidecar configurations on the System > Sidecars page under Configuration.
You may edit any Sidecar configuration according to your preferences, but the variable `${user.graylog_host}` should always match the Graylog IP. You may also delete the default tag under Configuration Assignment Tags; the configuration will then no longer be applied to the Sidecar by default.
Install Collectors Manually
Graylog contains default collector configurations for Filebeat, Winlogbeat, and Auditbeat; however, you can also decide which additional collectors you want to use with your Sidecar and install them manually. The following section details how to install NXLog collectors as an example, but you may install other collectors as you prefer. Since you are able to define your own collector backends, you could run sysmon, auditd, packetbeat, etc.
NXLog on Ubuntu
Install the NXLog package from the official NXLog download page. Because the Sidecar takes control of stopping and starting NXLog, stop all running instances of NXLog and unconfigure the default system service:

```bash
# Stop the distro-managed service and take it out of the boot sequence;
# from now on Sidecar starts and stops NXLog itself (on a systemd-only
# Ubuntu, `sudo systemctl disable nxlog` serves the same purpose).
sudo systemctl stop nxlog
sudo update-rc.d -f nxlog remove
# Let the nxlog user read the system logs in /var/log (group adm on Ubuntu)
sudo gpasswd -a nxlog adm
# Sidecar runs NXLog as the nxlog user, so the spool directory must belong to it
sudo chown -R nxlog:nxlog /var/spool/nxlog
```
NXLog on CentOS
Stop all running instances of NXLog and unconfigure the default system service on a RedHat-based system:

```bash
# Stop the SysV-managed service and remove it from every runlevel;
# Sidecar will launch NXLog itself from here on
sudo service nxlog stop
sudo chkconfig --del nxlog
# The root group is used here instead of Ubuntu's adm group; membership grants
# read access to anything group-readable by root, so review this on hardened hosts
sudo gpasswd -a nxlog root
# Sidecar runs NXLog as the nxlog user, so the spool directory must belong to it
sudo chown -R nxlog:nxlog /var/spool/nxlog
```
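After either Linux procedure above, the hand-over is only complete when the distro service is disabled, no stray NXLog process survives, and the nxlog user has the group membership and spool ownership the steps set up. The following script is an added example, not part of the Graylog documentation; it assumes the values used above (service and process name `nxlog`, spool directory `/var/spool/nxlog`, group `adm` on Ubuntu or `root` on CentOS) and reports each check separately:

```shell
#!/bin/sh
# Post-handover check for a manually installed NXLog collector (added example,
# not from the Graylog docs). Assumes the values from the steps above: service
# and process name "nxlog", spool dir /var/spool/nxlog, group "adm" or "root".

# 0 if USER is a member of GROUP (primary or supplementary).
user_in_group() {
  for g in $(id -nG "$1" 2>/dev/null); do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# 0 if PATH is owned by OWNER:GROUP (GNU stat, as shipped on Ubuntu/CentOS).
path_owned_by() {
  [ "$(stat -c '%U:%G' "$2" 2>/dev/null)" = "$1" ]
}

# 0 if no process named NAME is running: Sidecar must be the only launcher of NXLog.
not_running() { ! pgrep -x "$1" >/dev/null 2>&1; }

# 0 if the distro's own service for NAME is disabled or absent
# (systemd on Ubuntu, SysV/chkconfig on older CentOS).
service_disabled() {
  if command -v systemctl >/dev/null 2>&1; then
    case "$(systemctl is-enabled "$1" 2>/dev/null)" in
      enabled|static) return 1 ;;
    esac
  fi
  if command -v chkconfig >/dev/null 2>&1; then
    chkconfig --list "$1" 2>/dev/null | grep -q ':on' && return 1
  fi
  return 0
}

# Runs every check, prints one line per result and returns the failure count.
check_nxlog_handover() {
  group=${1:-adm} fails=0
  for check in "user_in_group nxlog $group" \
               "path_owned_by nxlog:nxlog /var/spool/nxlog" \
               "not_running nxlog" "service_disabled nxlog"; do
    if $check; then echo "ok   $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# Usage: sh nxlog-handover-check.sh --check adm   (use --check root on CentOS)
if [ "${1:-}" = "--check" ]; then check_nxlog_handover "${2:-adm}"; fi
```

The exit status equals the number of failed checks, so the script can gate a configuration-management run before the Sidecar is pointed at NXLog.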
NXLog on Windows
Install the NXLog package from the official NXLog download page and deactivate the system service. We only need the binaries installed on the system:

```cmd
REM -u unregisters the NXLog Windows service; the binaries stay in place for Sidecar to launch
"C:\Program Files\nxlog\nxlog" -u
```

or, when using PowerShell, prefix the command with the call operator:

```powershell
# -u unregisters the NXLog Windows service; the binaries stay in place for Sidecar to launch
& "C:\Program Files\nxlog\nxlog" -u
```
Now that you have installed your preferred collectors, proceed to Getting Started with Graylog Sidecar for details on how to use your Sidecar collector(s).