What is Graylog Sidecar?
Graylog Sidecar is a nimble configuration management framework for various log collectors called backends. The Graylog master node acts as a centrally located hub that contains the configurations of the log collectors. Sidecar can run as a service on both Windows and Linux servers.
As applications become more distributed, understanding how each system behaves depends on collecting their logs in one place. This guide walks through installing Graylog Sidecar, which does not collect logs itself but manages the log collector on each host (Filebeat, in this tutorial) and pulls that collector's configuration from the Graylog server.
Sidecar talks to a running Graylog server over its REST API, so the Graylog server and the services it depends on must be installed, configured and reachable from the collector host before the Sidecar service is started. The steps below assume that is already done.
CentOS 7 Installation of Sidecar
After meeting the prerequisites, download the RPM package for the Sidecar version you want to use. The most straightforward method is the pre-compiled RPM from the Graylog release page on GitHub; the transcript below fetches version 1.0.2 with wget. Because this package comes from a direct download rather than from a signed repository, check that its version and size match what the release page lists before installing it.
[root@host3 ~]# wget https://github.com/Graylog2/collector-sidecar/releases/download/1.0.2/graylog-sidecar-1.0.2-1.x86_64.rpm
--2020-03-11 14:57:51--  https://github.com/Graylog2/collector-sidecar/releases/download/1.0.2/graylog-sidecar-1.0.2-1.x86_64.rpm
Resolving github.com (github.com)... 18.104.22.168
Connecting to github.com (github.com)|22.214.171.124|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/46565708/327c3c80-c020-11e9-9ca8-3c584ca1e5e7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200311%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200311T185753Z&X-Amz-Expires=300&X-Amz-Signature=aca6f4fee706c6fd96825c91408fd6697dd2c3d22cc6481544a22af23d570cb6&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgraylog-sidecar-1.0.2-1.x86_64.rpm&response-content-type=application%2Foctet-stream [following]
--2020-03-11 14:57:52--  https://github-production-release-asset-2e65be.s3.amazonaws.com/46565708/327c3c80-c020-11e9-9ca8-3c584ca1e5e7?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20200311%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200311T185753Z&X-Amz-Expires=300&X-Amz-Signature=aca6f4fee706c6fd96825c91408fd6697dd2c3d22cc6481544a22af23d570cb6&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dgraylog-sidecar-1.0.2-1.x86_64.rpm&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 126.96.36.199
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|188.8.131.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2941991 (2.8M) [application/octet-stream]
Saving to: ‘graylog-sidecar-1.0.2-1.x86_64.rpm.1’

100%[===============================================================>] 2,941,991   15.6MB/s   in 0.2s

2020-03-11 14:57:52 (15.6 MB/s) - ‘graylog-sidecar-1.0.2-1.x86_64.rpm.1’ saved [2941991/2941991]

[root@host ~]#
Install Graylog Sidecar
Once the RPM package is downloaded, install it with the “yum localinstall” command. We use yum localinstall rather than rpm -i because yum resolves and installs any dependencies the package declares, instead of failing or leaving them unmet.
[root@host ~]# yum localinstall graylog-sidecar-1.0.2-1.x86_64.rpm
Loaded plugins: fastestmirror, priorities
Examining graylog-sidecar-1.0.2-1.x86_64.rpm: graylog-sidecar-1.0.2-1.x86_64
Marking graylog-sidecar-1.0.2-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package graylog-sidecar.x86_64 0:1.0.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================
 Package           Arch      Version    Repository                        Size
======================================================================
Installing:
 graylog-sidecar   x86_64    1.0.2-1    /graylog-sidecar-1.0.2-1.x86_64   7.3 M

Transaction Summary
======================================================================
Install  1 Package

Total size: 7.3 M
Installed size: 7.3 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : graylog-sidecar-1.0.2-1.x86_64    1/1
  Verifying  : graylog-sidecar-1.0.2-1.x86_64    1/1

Installed:
  graylog-sidecar.x86_64 0:1.0.2-1

Complete!
[root@host ~]#
Graylog Sidecar Configuration
Before activating Sidecar, we will need to edit the Sidecar configuration file. The default location of the file is /etc/graylog/sidecar/sidecar.yml. We can edit this file using vim.
[root@host ~]# vim /etc/graylog/sidecar/sidecar.yml
When editing the Sidecar configuration file, most settings can be left at their default values. Two options must be set, because together they tell the Sidecar where the Graylog API is and how to authenticate to it:
- server_url: URL to the Graylog API, e.g. http://192.168.1.1:9000/api/. Use an https:// URL whenever the Graylog API is served over TLS, because the token below is sent with every request the Sidecar makes.
- server_api_token: The API token used to authenticate against the Graylog server API. Create it in the Graylog web interface for a dedicated user that holds the Sidecar System (Collector) role, rather than reusing an administrator's token, so a compromised collector host cannot do more than a Sidecar needs to.
The token is mandatory; the Sidecar will not register with the server without it. Since sidecar.yml now holds a credential, keep it owned by root and readable by root only.
After editing the Sidecar configuration, we then need to activate the service. Since we are using CentOS 7, we can use the following commands.
[root@host3 ~]# graylog-sidecar -service install
[root@host3 ~]# systemctl start graylog-sidecar
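Before starting the service it pays to check sidecar.yml for the mistakes that most often leave a Sidecar unregistered or leak its token: a plain-http server_url, the empty default token, tls_skip_verify switched on, or a world-readable file. The script below is an added example, not part of the original article or of Graylog's own tooling. It assumes the flat "key: value" layout of the stock sidecar.yml; the script name, the --live flag and the /api/sidecar/collectors path used for the optional live probe are assumptions chosen for the example (the path is the collector list a Graylog 3.x Sidecar itself polls, and Graylog API tokens are sent as the HTTP basic-auth user name with the literal password "token").

```shell
#!/bin/sh
# Added example, not part of the original article or of Graylog's own tooling:
# pre-flight checks for sidecar.yml before "systemctl start graylog-sidecar".
# The weak values it looks for (plain http, empty token) are the ones shipped
# in the package default sidecar.yml; the script name, --live flag and API
# path are conventions chosen for this example.

# yaml_value FILE KEY
# Prints the scalar for top-level KEY: strips the key, surrounding whitespace
# and quotes, and trailing comments. Enough for sidecar.yml's flat
# "key: value" lines; it is not a general YAML parser.
yaml_value() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed "s/[[:space:]]*#.*\$//; s/^[\"']//; s/[\"']\$//"
}

# check_sidecar_config FILE
# Returns 0 when FILE passes every check, 1 otherwise; prints one line per finding.
check_sidecar_config() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    url=$(yaml_value "$file" server_url)
    token=$(yaml_value "$file" server_api_token)
    skip=$(yaml_value "$file" tls_skip_verify)

    case "$url" in
        https://*) ;;
        http://*)
            echo "FAIL: server_url uses plain http; the API token would cross the network in clear text"
            rc=1 ;;
        "")
            echo "FAIL: server_url is not set"
            rc=1 ;;
        *)
            echo "FAIL: server_url is not an http(s) URL: $url"
            rc=1 ;;
    esac

    if [ -z "$token" ]; then
        echo "FAIL: server_api_token is empty (the package default); the Sidecar cannot register without it"
        rc=1
    fi

    if [ "$skip" = "true" ]; then
        echo "FAIL: tls_skip_verify is true; the Sidecar would accept any certificate, including an attacker's"
        rc=1
    fi

    # The file holds a credential: only root should be able to read it.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        600|400) ;;
        *)
            echo "FAIL: $file has mode $mode; chmod 600 it so other local users cannot read the token"
            rc=1 ;;
    esac
    return $rc
}

# check_api_auth URL TOKEN
# Live check (needs network): requests the collector list that the Sidecar
# itself polls. Graylog API tokens go in HTTP basic auth as the user name with
# the literal password "token". The path is assumed from the Graylog 3.x API.
check_api_auth() {
    endpoint="${1%/}/sidecar/collectors"
    code=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:token" "$endpoint")
    if [ "$code" = "200" ]; then
        echo "OK: Graylog API accepted the token"
    else
        echo "FAIL: Graylog API returned HTTP $code for $endpoint"
        return 1
    fi
}

# Usage: sh sidecar_check.sh /etc/graylog/sidecar/sidecar.yml [--live]
if [ $# -ge 1 ]; then
    check_sidecar_config "$1" || exit 1
    if [ "${2:-}" = "--live" ]; then
        check_api_auth "$(yaml_value "$1" server_url)" "$(yaml_value "$1" server_api_token)" || exit 1
    fi
fi
```

Run it as root on the collector host right after editing sidecar.yml; a non-zero exit means at least one finding was printed. The live probe is the same request the Sidecar will make once started, so an HTTP 401 there points at the token or its user's role, while a connection error points at the firewall section below.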
Open Firewall Port
Port 9000 is where the Graylog server listens for both the web interface and the REST API that the Sidecar registers with, so it has to be reachable from every host that runs a Sidecar. These commands therefore belong on the Graylog server's firewall, not on the collector host: the Sidecar only makes outbound connections and needs no inbound port of its own. The collector it manages also has to reach the port of the Graylog input it ships to; a Beats input listens on 5044 by default. Because the API accepts credentials, prefer a firewalld rich rule that limits the source to your collector hosts' addresses over opening the port to everyone. First confirm that Graylog is listening and whether a rule already exists, then add the port. The /etc/services entry is optional and cosmetic; it only gives the port a name in tools such as netstat.
netstat -na | grep 9000
iptables-save | grep 9000
echo "graylog 9000/tcp # Graylog web interface and API" | sudo tee -a /etc/services
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload
Collector Installation on CentOS 7
After installing Sidecar, we need to decide which collector to use. Graylog ships default Linux configurations for Filebeat and NXLog. In this tutorial we use Filebeat, since it is one of the most widely deployed collectors.
Install Filebeat on Linux (CentOS 7)
Since we are using CentOS 7, the easiest way to install Filebeat is with YUM, but before installing we need to make sure the Elastic Beats repository is configured. Start by importing Elastic's public package-signing key; yum uses it to verify every package pulled from that repository, so compare the imported key's fingerprint with the one Elastic publishes in its documentation before relying on it.
[root@host3 /]# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Next, to add the correct repository, we will need to create a .repo file. In CentOS, you can find your .repo files located in /etc/yum.repos.d/ directory.
Run the following to write those lines to /etc/yum.repos.d/elastic.repo. Keep gpgcheck=1: it makes yum refuse any package from this repository that is not signed with the key imported above. Note that tee -a appends, so running the command twice leaves two [elastic-7.x] sections and yum will warn that the repository is listed more than once; run it once, or replace the file instead of appending.
[root@host ~]# echo "[elastic-7.x]
> name=Elastic repository for 7.x packages
> baseurl=https://artifacts.elastic.co/packages/7.x/yum
> gpgcheck=1
> gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
> enabled=1
> autorefresh=1
> type=rpm-md" | sudo tee -a /etc/yum.repos.d/elastic.repo
[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
[root@host ~]#
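The repository step above is the point where a supply-chain mistake is cheapest to make and to catch: an appended duplicate section, a gpgcheck=0 left in from a quick test, or a plain-http baseurl. The script below is an added example, not part of the original article or of Elastic's packaging. It writes the same [elastic-7.x] definition idempotently and, going slightly beyond the page, checks any .repo file for the settings that decide whether a tampered package could be installed. The script name, the directory argument and the helper names are conventions chosen for this example; the URLs are the ones from the repository definition above.

```shell
#!/bin/sh
# Added example, not part of the original article or of Elastic's packaging:
# writes the Elastic 7.x yum repository definition so that re-running it is
# harmless, and checks any .repo file for the two settings that decide whether
# a tampered package could slip in. The directory argument exists so you can
# try it against a scratch directory before touching /etc/yum.repos.d.

ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
ELASTIC_BASEURL="https://artifacts.elastic.co/packages/7.x/yum"

# write_elastic_repo DIR
# Creates DIR/elastic.repo with one [elastic-7.x] section. Appending with
# "tee -a" every time stacks duplicate sections; this writes only when the
# section is not already present.
write_elastic_repo() {
    repo="$1/elastic.repo"
    if [ -f "$repo" ] && grep -q '^\[elastic-7.x\]' "$repo"; then
        echo "[elastic-7.x] already defined in $repo, leaving it alone"
        return 0
    fi
    cat > "$repo" <<EOF
[elastic-7.x]
name=Elastic repository for 7.x packages
baseurl=$ELASTIC_BASEURL
gpgcheck=1
gpgkey=$ELASTIC_KEY_URL
enabled=1
autorefresh=1
type=rpm-md
EOF
    echo "wrote $repo"
}

# check_repo_hardening FILE
# Fails if signature verification is off, or if packages, metadata or the key
# itself are fetched over plain http, where a network attacker could swap them.
check_repo_hardening() {
    rc=0
    grep -q '^gpgcheck=1' "$1" || { echo "FAIL: gpgcheck is not 1 in $1"; rc=1; }
    grep -q '^baseurl=https://' "$1" || { echo "FAIL: baseurl is not https in $1"; rc=1; }
    grep -q '^gpgkey=https://' "$1" || { echo "FAIL: gpgkey is not https in $1"; rc=1; }
    return $rc
}

# count_sections FILE: how many [elastic-7.x] headers the file contains.
count_sections() {
    grep -c '^\[elastic-7.x\]' "$1"
}

# Usage: sh elastic_repo.sh /etc/yum.repos.d   (as root)
if [ $# -ge 1 ]; then
    write_elastic_repo "$1"
    check_repo_hardening "$1/elastic.repo" || exit 1
fi
```

Point check_repo_hardening at existing files under /etc/yum.repos.d as well: a repository with gpgcheck=0 or a plain-http baseurl on a log collector host undermines the signing key you just imported, regardless of which package you install next.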
Filebeat Yum Installation
After the right repo is added to our system, we can start the installation by running the following command.
[root@host3 /]# yum install filebeat
Configure the Filebeat Service
Sidecar starts the collector itself: once a Filebeat configuration is assigned to this host in the Graylog web interface, the Sidecar process launches the Filebeat binary installed by the package with the configuration it renders, so the package's own filebeat service is not required for Sidecar-managed collection. If you also want a stand-alone Filebeat on this host, independent of Sidecar and reading /etc/filebeat/filebeat.yml (which ships to a local Elasticsearch by default), start it with the following command.
[root@host3 /]# systemctl start filebeat
Then configure that service to start automatically at boot.
[root@host3 /]# systemctl enable filebeat
Whether you are looking to add logging for a single server or for an entire cluster, Sidecar will meet those needs.