Sidecar 1.5 Filebeat does not have correct permissions to access /usr/share

[mikuhno]

Problem description

Trying to install Graylog Sidecar 1.5 halts on file creation permissions: Couldn't start validation command: fork/exec /usr/share/filebeat/bin/filebeat: no such file or directory" Both test hosts does not have SELinux installed. Creating folders manually results in: Couldn't start validation command: fork/exec /usr/share/filebeat/bin/filebeat: permission denied" Folders have same user as owner that runs sidecar.

Steps to reproduce the problem

1. yum -y -q install graylog-sidecar-1.5.0-1.x86_64.rpm
2. systemctl status graylog-sidecar shows error in description
3. Graylog starts but filebeat stays in Failing state

Environment

• Sidecar Version: 1.5.0
• Graylog Version: 3.3.8+e223f85
• Operating System: Linux (Tested on CentOS 7 and Ubuntu 20.4)
• Elasticsearch Version:
• MongoDB Version:

[thll]

@mikuhno that Path is where the Sidecar is expecting the filebeat executable according to your collector configuration. Did you install filebeat on that host? You can either install filebeat separately so that the filebeat executable is available at the path you are mentioning above. Alternatively you can use the filebeat that is now bundled with sidecar. In that case the exectuable should be available at /usr/lib/graylog-sidecar/filebeat. You need to configure a collector using that path for your sidecar though.

[mikuhno]

Bah yeah this was configuration error on our side. Didn't figure that graylog side configurate overwrites ones written on host manually. When that was fixed, Filebeat works correctly