Now that you have installed Sidecar, you can manage your instance via the Overview page and assign log collectors to it. Note that there are two types of collectors:

  1. Default collectors (using ready-to-use configurations)

  2. Manually installed collectors

Review and Edit Default Collectors

Several default collector configurations have been added to Sidecar. These default configurations are ready-to-use and will be automatically assigned once the Sidecar is installed. They will immediately start collecting data such as event logs or audit framework data.

To view the collectors that will be running by default:

  1. Go to System > Sidecars.

  2. Click on the Overview tab and select the Sidecar.

Previously, you needed to install collectors manually before being able to utilize the Sidecar. Starting with Sidecar version 1.5, Sidecar ships with the collectors shown below:

Operating System        Ships With
Linux x86/x86_64        Filebeat, Auditbeat
Windows x86/x86_64      Filebeat, Winlogbeat

Edit Default Collector Configurations

You may view and edit all default Sidecar configurations on the System > Sidecars page under Configuration.

You may edit any Sidecar configuration according to your preferences, but the variable ${user.graylog_host} must always resolve to the Graylog IP. You may also delete the default tag under Configuration Assignment Tags; this way, the configuration will not be applied to the Sidecar by default.

Install Collectors Manually

Graylog contains default collector configurations for Filebeat, Winlogbeat, and Auditbeat; however, you can also decide which additional collectors you want to use with your Sidecar and install them manually. The following section details how to install NXLog collectors as an example, but you may install other collectors as you prefer. Since you are able to define your own collector backends, you could run sysmon, auditd, packetbeat, etc.

NXLog on Ubuntu

Install the NXLog package from the official NXLog download page. Because the Sidecar takes control of stopping and starting NXLog, it is necessary to stop all running instances of NXLog and unconfigure the default system service:

# Stop the running NXLog instance and remove its boot-time startup links,
# so that only the Sidecar starts and stops NXLog from now on
sudo systemctl stop nxlog
sudo update-rc.d -f nxlog remove
# Let the nxlog user read the system logs (group adm owns /var/log on Ubuntu)
sudo gpasswd -a nxlog adm
# Make sure the spool directory is writable by the nxlog user
sudo chown -R nxlog:nxlog /var/spool/nxlog

NXLog on CentOS

Stop all running instances of NXLog and unconfigure the default system service on a RedHat-based system:

# Stop the running NXLog instance and remove it from the SysV runlevels,
# so that only the Sidecar starts and stops NXLog from now on
sudo service nxlog stop
sudo chkconfig --del nxlog
# Give the nxlog user access to the root-owned log files
sudo gpasswd -a nxlog root
# Make sure the spool directory is writable by the nxlog user
sudo chown -R nxlog:nxlog /var/spool/nxlog
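Before the Sidecar is allowed to take over NXLog, it is worth verifying that the Ubuntu or CentOS steps above actually took effect; otherwise the distribution's service manager and the Sidecar will both try to start and stop the same daemon. The following POSIX shell pre-flight check is an added example and not part of the Graylog or NXLog documentation; the user, group and spool directory defaults mirror the commands above, and the helper names (sidecar_preflight and friends) are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check before handing NXLog over to Graylog Sidecar (Linux).
# Constructed example: the defaults mirror the manual steps on this page.

NXLOG_USER="${NXLOG_USER:-nxlog}"
NXLOG_SPOOL="${NXLOG_SPOOL:-/var/spool/nxlog}"
NXLOG_GROUP="${NXLOG_GROUP:-adm}"     # use "root" for the CentOS variant

# Returns 0 if no process with exactly this name is running.
no_process_named() {
    if command -v pgrep >/dev/null 2>&1; then
        ! pgrep -x "$1" >/dev/null 2>&1
    else
        ! ps -eo comm= 2>/dev/null | grep -qx "$1"
    fi
}

# Returns 0 if the service will NOT be started by the system at boot.
service_not_enabled() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled "$1" 2>/dev/null || true)
        [ "$state" != "enabled" ]
    elif command -v chkconfig >/dev/null 2>&1; then
        ! chkconfig --list "$1" 2>/dev/null | grep -q ':on'
    else
        # plain SysV: no S* start link left in any rc directory
        ! ls /etc/rc*.d/S*"$1" >/dev/null 2>&1
    fi
}

# Returns 0 if user $1 is a member of group $2.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Returns 0 if directory $1 exists and is owned by user $2 (GNU stat).
dir_owned_by() {
    [ -d "$1" ] && [ "$(stat -c %U "$1" 2>/dev/null)" = "$2" ]
}

# Runs every check and returns the number of failed checks.
sidecar_preflight() {
    fails=0
    no_process_named nxlog    || { echo "FAIL: nxlog is still running"; fails=$((fails+1)); }
    service_not_enabled nxlog || { echo "FAIL: nxlog service still enabled at boot"; fails=$((fails+1)); }
    user_in_group "$NXLOG_USER" "$NXLOG_GROUP" || { echo "FAIL: $NXLOG_USER not in group $NXLOG_GROUP"; fails=$((fails+1)); }
    dir_owned_by "$NXLOG_SPOOL" "$NXLOG_USER"  || { echo "FAIL: $NXLOG_SPOOL not owned by $NXLOG_USER"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: NXLog is ready to be managed by the Sidecar"
    return "$fails"
}
# Usage: source this file, then run sidecar_preflight (exit status = number of failures).
```

Set NXLOG_GROUP=root before running it on the CentOS variant, and re-run the page's commands for any check that reports FAIL.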

NXLog on Windows

Install the NXLog package from the official NXLog download page and deactivate the system service. We only need the binaries installed on the system:

REM Unregister the NXLog Windows service so that only the Sidecar manages the process
"C:\Program Files\nxlog\nxlog" -u

Hint: When using PowerShell, prefix the command with the call operator &.

Now that you have installed your preferred collectors, proceed to Getting Started with Graylog Sidecar for details on how to use your Sidecar collector(s).