

In this Graylog feature video, we will go over Sidecars, a lightweight configuration management solution for different types of log collectors (backends), such as Winlogbeat, Nxlog, Filebeat, and many others.


Sidecars provide a framework to configure and manage several backends remotely and apply these configurations in a global template format. In the “Sidecar” overview page you will find every agent that has this process running on it so you can manage these configurations.

In our example, we have two backends – a Domain Controller running on a Windows host, and a Graylog instance running on a Linux host. They’re both up and running, and they communicated just a few seconds ago, meaning that they are both working properly. By clicking on the red “Include inactive sidecars” button, you can also show the inactive backends.


Clicking on the blue “Configuration” button in the top right corner of the screen opens the Collectors Configuration tab. At the top, in the Configuration section, you can see how you’re collecting logs. The configuration will differ depending on whether you’re collecting, for example, an Apache log or a SQL log.

By clicking on the “Edit” button, you will open a new panel with a more detailed overview of what’s happening. Here, you can edit the current configuration, for example by changing the host the collector reports back to, defining the type of data you’re going to collect, or adding a few filters. Once you’re done, you can save this configuration.
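As an added illustration (not a configuration from the video), here is what a Filebeat configuration edited in that panel can look like, covering the three kinds of changes just mentioned: the host the collector reports back to, the data it collects, and a couple of filters. The `${sidecar.*}` placeholders are Graylog Sidecar template variables; `${user.graylog_host}` assumes a user-defined Sidecar variable named `graylog_host` has been created, and the log paths are constructed sample values.

```yaml
# Fields Graylog uses to tie each event back to the Sidecar that shipped it
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# What to collect: authentication and web server logs (constructed sample paths)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/apache2/access.log
    # Filter: skip empty lines before they leave the host
    exclude_lines: ['^\s*$']

# Filter: drop routine cron session noise so it never reaches Graylog
processors:
  - drop_event:
      when:
        regexp:
          message: 'pam_unix\(cron:session\)'

# Where to report back: the Beats input on the Graylog server
# (${user.graylog_host} is an assumed user-defined Sidecar variable)
output.logstash:
  hosts: ["${user.graylog_host}:5044"]

# Local state and log directories for the Filebeat process managed by the Sidecar
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log
```

Keeping the Graylog host in a Sidecar variable rather than hard-coding it means one edit updates every host that uses this configuration.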


The second part of this panel is the “Log Collectors” section on the bottom. Here you will see the name of a few pre-built backends such as Filebeat and Winlogbeat, but you can also create your own collector by clicking on the green “Create Log Collector” button.

Once in the New Log Collector window, you can define many parameters, such as giving it a name, selecting the type of process (Windows or Linux), and specifying the path where its executable is located. You can also create a template for how to run that process.


If you want to see which server is running what collector and vice versa, you can click on the Administration tab. It will show you every computer here, so you know who is running what. You can also filter the information by clicking on the rightmost filters (collectors, operating system, etc.). In this specific example, you can see that the Domain Controller is using Winlogbeat, the process is running on that box, and it is using a Windows Server template.

If you want to change the template, you do so by selecting the process, clicking on “Configure” and then choosing another template you may have (provided you have created a second one). Each host could have four to five configurations depending upon what you need to collect. By clicking on the “Process” button, you can start, restart, or stop the process.

That’s all you need to know for the Sidecars function. Happy logging!