Install and Configure Sidecar on CentOS and Windows

On Graylog

Create token for the new client machine

  1. Call the web interface for Graylog

  2. From System choose Sidecars

  3. Here you can see all clients that are already connected to Graylog using Sidecar.
    Click on Create or reuse a token for the graylog-sidecar user to create a new token.

  4. Give the new token a name (usually the name of the client) and click on Create Token

  5. Copy the new token; you will need it later. Treat it as a credential: anyone holding it can call the Graylog API as the graylog-sidecar user.

On the targeted client machine

Windows 10

  1. Go to https://github.com/Graylog2/collector-sidecar/releases and download the latest graylog_sidecar_installer_x.x.exe.

  2. Get a new API token as described above under Create token for the new client machine.

  3. Start the installer and, when prompted, fill in the fields as shown below, using the token generated before.
    [Screenshot: windows.jpg, the installer's configuration dialog]

  4. Open an elevated Command Prompt: press Win + R, type cmd, then press Ctrl + Shift + Enter to run it as Administrator (installing a Windows service requires administrator rights).

  5. In the Command Prompt enter
    "C:\Program Files\Graylog\sidecar\graylog-sidecar.exe" -service install
    then
    "C:\Program Files\Graylog\sidecar\graylog-sidecar.exe" -service start

CentOS

Install Graylog-Sidecar

A. If you have internet access on the VM
  1. Install the Graylog Sidecar repository
    sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm

  2. Update the system
    sudo yum update

  3. Install Graylog Sidecar
    sudo yum install graylog-sidecar

B. If you don’t have internet access on the VM
  1. Go to https://github.com/Graylog2/collector-sidecar/releases and download the latest
    graylog_sidecar_installer_x.x.x.x86_64.rpm.

  2. Copy the file to your home directory on the client VM.

  3. From your home directory, run this command to install the package from the local file.
    sudo yum install graylog_sidecar_installer_x.x.x.x86_64.rpm

After installing Graylog-Sidecar using method A or B you can continue here to configure it

  1. Open the configuration file as root (with sudo):
    /etc/graylog/sidecar/sidecar.yml

  2. Remove the # from the line starting with #server_url (the second line) and change the address to the IP address of the Graylog server. (In my case it's 192.168.1.200.)
    From #server_url: "http://127.0.0.1:9000/api/"
    To server_url: "http://192.168.1.200:9000/api/"
    If your Graylog web interface is served over HTTPS, use https:// here; with plain http the API token is sent in clear text on every request.

  3. In the line starting with server_api_token (the sixth line), paste the copied API token.
    It should look like this:
    server_api_token: "u3r9k243gfbm5ih3p2settm8tndqo0dosa07gsiqls1iomi0d7t"
    (Here you use the new token generated before.)
    Because the file now contains a credential, keep it readable by root only.
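The CentOS configuration steps above, as an added example that is not part of the original tutorial or of the Graylog project: a small bash script that applies the server_url and server_api_token edits to sidecar.yml non-interactively, locks the file down because it now holds a credential, and checks the result before the service is started. The file path, server address and token are the ones from the tutorial; the function names are my own, and on a real client the script has to be run with sudo.

```bash
#!/usr/bin/env bash
# Added example (not Graylog's own tooling): apply the two sidecar.yml edits
# from the tutorial without an editor and verify them before starting Sidecar.
set -eu

# Set  key: "value"  in a sidecar.yml, replacing the existing line whether it
# is commented out (#server_url: ...) or not, and appending it if absent.
# The result is written back through cat so the file keeps its owner and mode.
set_sidecar_key() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^#?[ \t]*" k ":") { print k ": \"" v "\""; done = 1; next }
    { print }
    END { if (!done) print k ": \"" v "\"" }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Point Sidecar at the Graylog API and give it the token created in the web
# interface, then restrict the file: it now contains a credential that
# authenticates as the graylog-sidecar user.
configure_sidecar() {
  local file="$1" server_url="$2" token="$3"
  set_sidecar_key "$file" server_url "$server_url"
  set_sidecar_key "$file" server_api_token "$token"
  chmod 600 "$file"
}

# Return 0 when both keys are uncommented and filled in. Warns, but does not
# fail, when the server URL is plain http, because the token then travels in
# clear text on every request.
check_sidecar_config() {
  local file="$1"
  grep -Eq '^server_url: "https?://[^"]+/api/"$' "$file" \
    || { echo "server_url is missing, commented out or malformed" >&2; return 1; }
  grep -Eq '^server_api_token: "[A-Za-z0-9]{20,}"$' "$file" \
    || { echo "server_api_token is missing or empty" >&2; return 1; }
  if grep -q '^server_url: "http://' "$file"; then
    echo "warning: plain http; prefer https if the Graylog server offers it" >&2
  fi
  return 0
}

# Usage on the client (values from the tutorial; run as root):
#   configure_sidecar /etc/graylog/sidecar/sidecar.yml \
#     "http://192.168.1.200:9000/api/" "u3r9k243gfbm5ih3p2settm8tndqo0dosa07gsiqls1iomi0d7t"
#   check_sidecar_config /etc/graylog/sidecar/sidecar.yml
```

After the service has been installed and started (the last steps of this page), `systemctl status graylog-sidecar` on the client and the Sidecars page in the Graylog web interface show whether the client registered with the token; a wrong token shows up as repeated authentication errors in the Sidecar log rather than as a startup failure.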

Install Filebeat

A. If you have internet access on the VM

  1. Download and Install the public signing key for Filebeat
    sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

  2. Create the file /etc/yum.repos.d/elastic.repo

  3. Open the created file and write this in it

    [elastic-7.x]
    name=Elastic repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    
  4. Install Filebeat
    sudo yum install filebeat

B. If you don’t have internet access on the VM

  1. Go to https://www.elastic.co/downloads/beats/filebeat and download the rpm x86_64 package.

  2. Copy the file to your home directory on the client VM.

  3. From your home directory, run this command to install the package from the local file.
    sudo yum install filebeat-x.x.x-x86_64.rpm

After installing Filebeat using method A or B you can continue here to register, start and enable the Sidecar service

  1. Install, start and enable the graylog-sidecar service

    sudo graylog-sidecar -service install
    sudo systemctl start graylog-sidecar
    sudo systemctl enable graylog-sidecar