Ingesting Logs

Create Graylog input

• Navigate to System > Inputs

• Next to Launch new input, select "Beats" as the input type
• Click Launch new input

• Give the input a title and make sure that the port field is set to 5044
• Click the Launch button to create the input

Create Sidecar API Token

• Navigate to System > Sidecars
• Click on Create or reuse a token for the graylog-sidecar user
• Enter a name into the "Token Name" field
• Click Create Token
• Copy the token and store it in a safe place

Warning

You will not be able to view the token again, so be sure to save it in a secure location

Install Sidecar on NPS Servers

• Download the latest Sidecar installer from https://github.com/Graylog2/collector-sidecar/releases
• Run the Sidecar installer on NPS servers
• Provide the URL your Graylog server's API endpoint and API token during installation

• After installation, configure Sidecar to run as a system service by running these commands at an elevated command prompt:

  "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service install
  "C:\Program Files\graylog\sidecar\graylog-sidecar.exe" -service start
  

Add filebeat Collector Configuration

• Navigate to System > Sidecars
• Navigate to the Configuration tab and click Create Configuration
• Enter a Name, choose the "filebeat on Windows" Collector, and input the configuration text below.
• Click Create configuration

Configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["10.10.10.10:5044"] # (1)!
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
 - windows
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - D:\NPS Logs\iaslog*.log # (2)!

1. Put the IP address of your Graylog server here
2. Enter the log path you configured in NPS

Apply Sidecar Configurations

• Navigate to System > Sidecars
• Click on the Administration tab
• If your NPS server sidecars have been successfully installed, they should be listed
• Under each NPS server sidecar, check the box next to "filebeat"
• Click Assign Configurations

• Click to the left of "NPS Logs" to select the config and click Save

• After a few moments you should see each sidecar's status change to "Running"

Test

We should be receiving log messages now. Let's check:

• Navigate to System > Inputs
• Locate the input you created earlier and click Show received messages
• With any luck, you should see some messages in the table

• Configure
• Ingest
• Process
• Aggregate