Graylog2 / collector-sidecar

Manage log collectors through Graylog
https://www.graylog.org/

Graylog sidecar overwrites the 'hosts' entry winlogbeat.yml configuration file #147

Closed cyberkryption closed 7 years ago

cyberkryption commented 7 years ago

Problem description

Graylog sidecar overwrites the 'hosts' entry in the winlogbeat.yml configuration file with the entry shown below when stopping and starting the service:

fields:
  gl2_source_collector: 11cbe9fc-4b61-4ac5-96c8-080cc06e1fdf
output:
  logstash:
    hosts:
      - localhost:5044
path:
  data: C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data
  logs: C:\Program Files\graylog\collector-sidecar\logs
tags:

Steps to reproduce the problem

  1. Install sysmon using the bat file from the ion-storm github repo at https://github.com/ion-storm/sysmon-config
  2. Ensure sysmon is running
  3. Install collector-sidecar version collector_sidecar_installer_00.1.0-rc.1
  4. Start the graylog collector service
  5. A configuration file is generated in the generated directory as above
  6. Stop the service and change hosts to point to the graylog server ip
  7. Start the service and the configuration is overwritten with the localhost:5044 entry
  8. Check in logs, there are error messages about not being able to connect to [::1]:5044
  9. Stop the service
  10. Change the configuration file to point to the graylog server ip
  11. Start winlogbeat manually, logs appear correctly in graylog.

Tested on Windows Server 2016 AD Server, Win10 Stable (domain joined) from http://modern.ie

Example winlogbeat logs - Failed connection

2017-03-04T16:39:48Z INFO Home path: [C:\Program Files\graylog\collector-sidecar] Config path: [C:\Program Files\graylog\collector-sidecar] Data path: [C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\graylog\collector-sidecar\logs]
2017-03-04T16:39:48Z INFO Setup Beat: winlogbeat; Version: 5.1.1
2017-03-04T16:39:48Z INFO Max Retries set to: 3
2017-03-04T16:39:48Z INFO Activated logstash as output plugin.
2017-03-04T16:39:48Z INFO Publisher name: MSEDGEWIN10
2017-03-04T16:39:48Z INFO Metrics logging every 30s
2017-03-04T16:39:48Z INFO Flush Interval set to: 1s
2017-03-04T16:39:48Z INFO Max Bulk Size set to: 2048
2017-03-04T16:39:48Z INFO State will be read from and persisted to C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data.winlogbeat.yml
2017-03-04T16:39:48Z INFO winlogbeat start running.
2017-03-04T16:39:48Z ERR Error: The service process could not connect to the service controller.
2017-03-04T16:39:51Z ERR Connecting error publishing events (retrying): dial tcp [::1]:5044: connectex: No connection could be made because the target machine actively refused it.
2017-03-04T16:39:54Z ERR Connecting error publishing events (retrying): dial tcp 127.0.0.1:5044: connectex: No connection could be made because the target machine actively refused it.
2017-03-04T16:39:58Z ERR Connecting error publishing events (retrying): dial tcp [::1]:5044: connectex: No connection could be made because the target machine actively refused it.

Example- Manual Winlogbeat - Good Connection

c:\Program Files\graylog\collector-sidecar\generated>"C:\Program Files\graylog\collector-sidecar\winlogbeat.exe" -v -e -c winlogbeat.yml
2017/03/04 16:48:44.442746 beat.go:267: INFO Home path: [C:\Program Files\graylog\collector-sidecar] Config path: [C:\Program Files\graylog\collector-sidecar] Data path: [C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data] Logs path: [C:\Program Files\graylog\collector-sidecar\logs]
2017/03/04 16:48:44.445911 beat.go:177: INFO Setup Beat: winlogbeat; Version: 5.1.1
2017/03/04 16:48:44.446970 logstash.go:90: INFO Max Retries set to: 3
2017/03/04 16:48:44.448027 outputs.go:106: INFO Activated logstash as output plugin.
2017/03/04 16:48:44.448027 publish.go:291: INFO Publisher name: MSEDGEWIN10
2017/03/04 16:48:44.457889 logp.go:219: INFO Metrics logging every 30s
2017/03/04 16:48:44.459993 async.go:63: INFO Flush Interval set to: 1s
2017/03/04 16:48:44.459993 async.go:64: INFO Max Bulk Size set to: 2048
2017/03/04 16:48:44.461051 winlogbeat.go:71: INFO State will be read from and persisted to C:\Program Files\graylog\collector-sidecar\cache\winlogbeat\data.winlogbeat.yml
2017/03/04 16:48:44.462111 beat.go:207: INFO winlogbeat start running.
2017/03/04 16:48:44.703480 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 55 events
2017/03/04 16:48:45.781590 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events
2017/03/04 16:49:14.460764 logp.go:230: INFO Non-zero metrics in the last 30s: msg_file_cache.Microsoft-Windows-Sysmon/OperationalMisses=1 libbeat.logstash.published_and_acked_events=56 libbeat.logstash.call_count.PublishEvents=2 libbeat.logstash.publish.read_bytes=30 libbeat.logstash.publish.write_bytes=18642 published_events.Microsoft-Windows-Sysmon/Operational=56 published_events.total=56 libbeat.publisher.published_events=56 msg_file_cache.Microsoft-Windows-Sysmon/OperationalHits=55 msg_file_cache.Microsoft-Windows-Sysmon/OperationalSize=1
2017/03/04 16:49:44.461076 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:50:14.461517 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:50:44.460570 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:51:14.461222 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:51:44.461221 logp.go:230: INFO Non-zero metrics in the last 30s: msg_file_cache.Microsoft-Windows-Sysmon/OperationalSize=-1
2017/03/04 16:52:04.114262 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events
2017/03/04 16:52:14.460323 logp.go:230: INFO Non-zero metrics in the last 30s: libbeat.logstash.published_and_acked_events=1 published_events.total=1 libbeat.logstash.call_count.PublishEvents=1 libbeat.logstash.publish.read_bytes=6 libbeat.logstash.publish.write_bytes=982 msg_file_cache.Microsoft-Windows-Sysmon/OperationalSize=1 msg_file_cache.Microsoft-Windows-Sysmon/OperationalMisses=1 libbeat.publisher.published_events=1 published_events.Microsoft-Windows-Sysmon/Operational=1
2017/03/04 16:52:44.461154 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:53:14.460328 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:53:34.884943 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 5 events
2017/03/04 16:53:36.008802 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 8 events
2017/03/04 16:53:44.460912 logp.go:230: INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.write_bytes=5181 libbeat.publisher.published_events=13 published_events.total=13 libbeat.logstash.call_count.PublishEvents=2 msg_file_cache.Microsoft-Windows-Sysmon/OperationalHits=13 published_events.Microsoft-Windows-Sysmon/Operational=13 libbeat.logstash.published_and_acked_events=13 libbeat.logstash.publish.read_bytes=12
2017/03/04 16:53:45.036502 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events
2017/03/04 16:53:46.052603 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 6 events
2017/03/04 16:53:47.073031 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 9 events
2017/03/04 16:53:48.116131 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 19 events
2017/03/04 16:53:49.162960 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 21 events
2017/03/04 16:53:50.177064 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 2 events
2017/03/04 16:54:14.464585 logp.go:230: INFO Non-zero metrics in the last 30s: libbeat.logstash.call_count.PublishEvents=6 msg_file_cache.Microsoft-Windows-Sysmon/OperationalHits=58 published_events.Microsoft-Windows-Sysmon/Operational=58 libbeat.publisher.published_events=58 libbeat.logstash.publish.read_bytes=36 published_events.total=58 libbeat.logstash.publish.write_bytes=19132 libbeat.logstash.published_and_acked_events=58
2017/03/04 16:54:44.461045 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:54:57.239636 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events
2017/03/04 16:55:14.460477 logp.go:230: INFO Non-zero metrics in the last 30s: libbeat.logstash.published_and_acked_events=1 libbeat.logstash.call_count.PublishEvents=1 libbeat.logstash.publish.read_bytes=6 libbeat.logstash.publish.write_bytes=1003 msg_file_cache.Microsoft-Windows-Sysmon/OperationalHits=1 published_events.Microsoft-Windows-Sysmon/Operational=1 published_events.total=1 libbeat.publisher.published_events=1
2017/03/04 16:55:44.461483 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:56:14.462135 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:56:44.461378 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:57:14.460631 logp.go:232: INFO No non-zero metrics in the last 30s
2017/03/04 16:57:44.461115 logp.go:230: INFO Non-zero metrics in the last 30s: msg_file_cache.Microsoft-Windows-Sysmon/OperationalSize=-1
2017/03/04 16:57:49.519588 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 4 events
2017/03/04 16:57:50.532152 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 5 events
2017/03/04 16:58:06.558871 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events
2017/03/04 16:58:14.136142 winlogbeat.go:237: INFO EventLog[Microsoft-Windows-Sysmon/Operational] Successfully published 1 events

Environment

mariussturm commented 7 years ago

Hi, the Sidecar is constantly re-writing the configuration files for the collectors when they differ from the configuration you did in the web interface. So when you set up a Winlogbeat output in the web interface with localhost:5044 it will always render that to the configuration file. If you want to change that you have to put the IP address of your Graylog server in the configuration in the web interface. Does this make sense in your use-case?
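The practical consequence of that comment is that the rendered file under the generated directory is the wrong place to fix anything: whatever is edited there is re-rendered from the server-side collector configuration on the next restart. The check below is an added example written for this thread, not code from the collector-sidecar project or from either participant. It reads a rendered winlogbeat.yml (a constructed sample shaped like the one quoted in the issue), pulls out output.logstash.hosts, and flags targets that resolve to loopback, so the misconfiguration is caught before the service is restarted and the Beats output tries to publish to the collector host itself. The YAML subset parser is hand-rolled so the script runs offline; the "fixed" rendering uses 10.0.0.5 as an assumed Graylog server address.

```python
"""Sanity-check a Sidecar-rendered winlogbeat.yml before starting the collector.

Added example for this issue thread, not collector-sidecar project code. It
parses only the YAML subset the rendered file uses (nested 'key: value'
mappings and '- scalar' lists, list items indented deeper than their key) so
it needs no PyYAML, then flags output targets that point at loopback: the
value Sidecar keeps re-rendering from a web-interface default of localhost:5044.
"""
import ipaddress

# Constructed sample mirroring the file quoted in the issue: same collector ID
# and paths, and the loopback target that no remote Graylog input will answer.
RENDERED_WINLOGBEAT_YML = """\
fields:
  gl2_source_collector: 11cbe9fc-4b61-4ac5-96c8-080cc06e1fdf
output:
  logstash:
    hosts:
      - localhost:5044
path:
  data: C:\\Program Files\\graylog\\collector-sidecar\\cache\\winlogbeat\\data
  logs: C:\\Program Files\\graylog\\collector-sidecar\\logs
tags:
"""

# Constructed "fixed" rendering; 10.0.0.5 is an assumed Graylog server address,
# i.e. what the web-interface output configuration should carry instead.
FIXED_WINLOGBEAT_YML = RENDERED_WINLOGBEAT_YML.replace("localhost:5044", "10.0.0.5:5044")


def parse_simple_yaml(text):
    """Parse indentation-nested mappings and scalar lists into dicts/lists of str.

    A key with neither a value nor children (the trailing 'tags:') maps to None.
    Not a general YAML parser: no quoting rules, anchors, or inline collections.
    """
    lines = [ln for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    root = {}
    stack = [(-1, root)]  # (indent of the owning key, container being filled)
    for i, raw in enumerate(lines):
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:  # a dedent closes the nested containers
            stack.pop()
        parent = stack[-1][1]
        if line.startswith("- "):
            if not isinstance(parent, list):
                raise ValueError("list item outside a list: %r" % raw)
            parent.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")  # first ':' only, so C:\ paths survive
        if not sep or not isinstance(parent, dict):
            raise ValueError("expected 'key: value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value:
            parent[key] = value
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        nxt_indent = len(nxt) - len(nxt.lstrip(" "))
        if nxt_indent > indent:  # children follow: list if they are '- ' items
            child = [] if nxt.strip().startswith("- ") else {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = None
    return root


def split_host_port(entry):
    """Split 'host:port', '[v6]:port' or a bare host into (host, port or None)."""
    if entry.startswith("["):  # bracketed IPv6 literal
        host, _, rest = entry[1:].partition("]")
        return host, (rest.lstrip(":") or None)
    if entry.count(":") == 1:  # hostname or IPv4 with a port
        host, _, port = entry.partition(":")
        return host, port
    return entry, None  # bare hostname/IPv4, or an unbracketed IPv6 address


def is_loopback(host):
    """True for 'localhost' and any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address literal
        return False


def check_output_targets(text):
    """Return [(entry, reason)] for output.logstash.hosts entries that can never
    reach a remote Graylog server; empty list means the rendering looks sane."""
    cfg = parse_simple_yaml(text)
    hosts = ((cfg.get("output") or {}).get("logstash") or {}).get("hosts") or []
    if isinstance(hosts, str):  # tolerate 'hosts: host:port' written inline
        hosts = [hosts]
    if not hosts:
        return [("<none>", "no output.logstash.hosts rendered")]
    problems = []
    for entry in hosts:
        host, _port = split_host_port(entry)
        if is_loopback(host):
            problems.append((entry, "loopback target; set the Graylog server address "
                                    "in the web-interface output configuration, an "
                                    "edit to this file is undone on the next restart"))
    return problems


if __name__ == "__main__":
    for label, sample in (("rendered", RENDERED_WINLOGBEAT_YML),
                          ("fixed", FIXED_WINLOGBEAT_YML)):
        print(label, check_output_targets(sample) or "ok")
```

Run it against the real file in the Sidecar's generated directory before starting the service; a loopback finding means the change belongs in the Graylog web interface's Beats output configuration, not in the file. The loopback test covers the IPv6 form too, which matters here because the failing logs show winlogbeat alternating between [::1]:5044 and 127.0.0.1:5044 for the same 'localhost' entry.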

cyberkryption commented 7 years ago

Hi Marius,

I see my mistake now, I will change it back and check it works.

Could you consider adding something to the documentation about the output plugin effect?

Thank you

Paul Dutot @cyberkryption

On 9 Mar 2017 11:20 a.m., "Marius Sturm" notifications@github.com wrote:

Hi, the Sidecar is constantly re-writing the configuration files for the collectors when they differ from the configuration you did in the web interface. So when you setup an Winlogbeat output in the web interface with localhost:5044 it will always render that to the configuration file. If you want to change that you have to put the IP address of your Graylog server in the configuration in the web interface. Does this make sense in your use-case?


mariussturm commented 7 years ago

Alright, thanks for your feedback!