Reading Time: 4 minutes

What is Graylog Sidecar?

Graylog Sidecar is a nimble configuration management framework for various log collectors called backends. The Graylog master node acts as a centrally located hub that contains the configurations of the log collectors. Sidecar can run as a service on both Windows and Linux servers.

As web applications become more distributed, one of the most crucial things to understand is how your system behaves. Because of this, we will guide you on how to install Graylog Sidecar which works as a log collector.



In order to run Sidecar, we need to install and configure the following software, before starting any Graylog services.

CentOS 7 Installation of Sidecar 

After meeting the above prerequisites, we will need to download the RPM package of the Sidecar version that we want to use. The most straightforward method is to download a pre-compiled rpm packages from the Graylog repository.

After we downloaded the RPM package, we will need to install it. We can install Graylog using the “yum localinstall” command to install the package.

[root@host3 ~]# wget

--2020-03-11 14:57:51--

Resolving (

Connecting to (||:443... connected.
HTTP request sent, awaiting response... 302 Found

Location: [following]

--2020-03-11 14:57:52--
Resolving (

Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2941991 (2.8M) [application/octet-stream]
Saving to: ‘graylog-sidecar-1.0.2-1.x86_64.rpm.1’

100%[===============================================================>] 2,941,991   15.6MB/s   in 0.2s   

2020-03-11 14:57:52 (15.6 MB/s) - ‘graylog-sidecar-1.0.2-1.x86_64.rpm.1’ saved [2941991/2941991]

[root@host ~]# 

Install Graylog Sidecar

After we downloaded the RPM package, we will need to install it. We can install the package using the “yum localinstall” command. We are using a yum localinstall command as opposed to the rpm -i command because, yum will insure all the required dependencies are installed.

[root@host ~]# yum localinstall graylog-sidecar-1.0.2-1.x86_64.rpm

Loaded plugins: fastestmirror, priorities

Examining graylog-sidecar-1.0.2-1.x86_64.rpm: graylog-sidecar-1.0.2-1.x86_64

Marking graylog-sidecar-1.0.2-1.x86_64.rpm to be installed

Resolving Dependencies
--> Running transaction check
---> Package graylog-sidecar.x86_64 0:1.0.2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
 Package             Arch        Version      Repository                      Size
graylog-sidecar     x86_64      1.0.2-1      /graylog-sidecar-1.0.2-1.x86_64  7.3 M

Transaction Summary
Install  1 Package

Total size: 7.3 M
Installed size: 7.3 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : graylog-sidecar-1.0.2-1.x86_64         1/1 
  Verifying  : graylog-sidecar-1.0.2-1.x86_64         1/1 

  graylog-sidecar.x86_64 0:1.0.2-1

[root@host ~]# 

Graylog Sidecar Configuration 

Before activating Sidecar, we will need to edit the Sidecar configuration file. The default location of the file is /etc/graylog/sidecar/sidecar.yml. We can edit this file using vim.

[root@host ~]# vim /etc/graylog/sidecar/sidecar.yml

When editing the Sidecar configuration file, most of the settings can be left at their default values. The only option which needs to be adjusted is the server_url setting. This option allows us to use the Graylog API and server_api_token, which lets us to authenticate against the Graylog API server. The settings should be configured as follows.

  • server_url: URL to the Graylog API, e.g.
  • server_api_token: The API token to used to authenticate against the Graylog server API.
    e.g. 1jq26cssvc6rj4qac4bt9oeeh0p4vt5u5kal9jocl1g9mdi4og3n
    The token is mandatory and needs to be configured.
The server_api_token needs to be generated using the Graylog API. You can find the link in the official Graylog documentation.

Service Activation 

After editing the Sidecar configuration, we then need to activate the service. Since we are using CentOS 7, we can use the following commands. 

[root@host3 ~]# graylog-sidecar -service install
[root@host3 ~]# systemctl start graylog-sidecar

Open Firewall Port

We also have to open port 9000 in the firewall in order to be able to view the interface. We can accomplish this using the following commands.

netstat -na | grep 9000
iptables-save | grep 9000
echo "filebeat 9000/tcp #sidecare"  sudo tee -a /etc/services
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload

Collector Installation on CentOS 7

After installing Sidecar, we will need to decide which collector we want to use. Graylog contains a default Linux configuration for Filebeat and NXlog. In this tutorial, we will use a Filebeat installation and configuration since it is one of the most commonly used software titles.

Install Filebeat on Linux (CentOS 7) 

Since we are using CentOS 7 as our operating system, the easiest way to install Filebeat is by using YUM, But, before the installation, we need to make sure that we have Beats repository added. Let's download and install the public signing key using the following command.

[root@host3 /]# rpm --import

Next, to add the correct repository, we will need to create a .repo file. In CentOS, you can find your .repo files located in /etc/yum.repos.d/ directory.

Using the following command, run this to add the following lines to our elastic.repo file.

[root@host ~]# echo "[elastic-7.x]
> name=Elastic repository for 7.x packages
> baseurl=
> gpgcheck=1
> gpgkey=
> enabled=1
> autorefresh=1
> type=rpm-md" | sudo tee -a /etc/yum.repos.d/elastic.repo
name=Elastic repository for 7.x packages
[root@host ~]# 

Filebeat Yum Installation 

After the right repo is added to our system, we can start the installation by running the following command.  

[root@host3 /]# yum install filebeat

Configure the Filebeat Service

We can start the service using the following command.

[root@host3 /]# systemctl start filebeat

Now, we can configure the service to start automatically at boot using the following command.

[root@host3 /]# systemctl enable filebeat


Whether you are looking to add in additional logging for your server or an entire server cluster, Sidecar will meet those needs.

Should you have thoughts or questions about the platform sidecar can function in, give us a call at 800.580.4985, or open a chat or ticket with us to speak with one of our knowledgeable Solutions or Experienced Hosting advisors to learn how you can take advantage of these methods today!

Avatar for Denis Bosack

About the Author: Denis Bosack

Latest Articles

Using a Cloudflare Argo Tunnel with load balancing

Read Article

Subdomain takeover — protect your website against it!

Read Article

Controlling PHP settings with a custom php.ini file

Read Article

Linux dos2unix command syntax — removing hidden Windows characters from files

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article