A VMware Aria Operations for Logs agent collects logs from log files and forwards them to a VMware Aria Operations for Logs server or any third-party syslog destination.
Agents support syslog and the VMware Aria Operations for Logs ingestion API (cfapi protocol) and can be used with Linux or Windows platforms. You configure agents through the web interface, with the liagent.ini file on the server and client side, or as part of installation.
Agents include the following features:
- Single or group deployment
- Automatic upgrade
- Parsing that operates on log messages and extracts structured data. You can configure parsers for FileLog and WinLog collectors or both.
- Support for multi-line messages
- Native support for several log rotation schemes
- An extensive ingestion API that includes client-side compression, encryption, and the ability to add metadata to logs
The VMware Aria Operations for Logs server supports centralized configuration management and creation and management of groups of agents.
The following figure shows the elements of an agent deployment configuration.
A VMware Aria Operations for Logs log forwarder is a dedicated instance of a VMware Aria Operations for Logs server whose primary job is to forward logs to a remote destination. Normally, a server instance used as a forwarder is not used for query. The forwarder uses an internal load balancer and is otherwise structured like a VMware Aria Operations for Logs server.
Agents write their own operation logs. For Windows, these logs are located in the C:\ProgramData\VMware\Log Insight Agent\logs directory. For Linux, the path for the operation log is /var/log/loginsight-agent/liagent_*.log. Log files are rotated when an agent is restarted or when the file reaches a size of 10 MB. A combined limit of 50 MB of files is kept in rotation. You cannot collect agent logs with the VMware Aria Operations for Logs agent itself.
Agents are used for real-time log collection. Use the VMware Aria Operations for Logs Importer to import historic log collections, including support bundles.
Separate installation downloads for Windows and Linux operating systems are provided.
On Windows systems, the agent runs as a Windows service and starts immediately after installation. The agent monitors application log files and Windows event channels, pools for collecting related Windows system logs. Collected logs are forwarded to VMware Aria Operations for Logs servers or third-party syslog destinations.
On Linux systems, the agent runs as a daemon and starts immediately after installation. The VMware Aria Operations for Logs Linux agent collects logs from log files on Linux machines and forwards them to VMware Aria Operations for Logs servers or syslog destinations. Debian, Red Hat, and Linux binary installation packages are available.
