You can specify which information an agent sends to a destination by using the filter option in the [server|<dest_id>] section of your local liagent.ini file.

The option is of the following form:

filter = {collector_type; collector_filter; event_filter}
| Filter type | Description |
|---|---|
| collector_type | A comma-separated list that defines the collector types. Supported values are filelog or winlog. If no value is provided, all collector types are used. |
| collector_filter | Specifies the name of a collector section in a regex format. For example, vcops_.* refers to all collector sections that begin with "vcops_". |
| event_filter | Filters for log event fields use the same syntax as an acceptlist or a denylist in collector sections. An agent sends only log events that evaluate the expression to True or a non-zero value. An empty event_filter always evaluates to True. To use event_filter on log events, you must have a parser defined in appropriate collector sections for field extraction. If an expression cannot be evaluated due to absence of fields in the collected log event, then the event is dropped. |

More than one filter expression can be specified by separating them with a comma as shown in the following example:

filter= {winlog;Micr.*;},{filelog;apache-access;level=="error"}

If a message meets more than one set of filter criteria for a destination target, it is sent only once.

Table 1. Syntax Examples
Filter Meaning

filter= {winlog;Microsoft.*;}

Sends log events from winlog collectors only if the event name begins with "Microsoft".

filter= {winlog;Microsoft.*; eventid == 1023}

Sends log events from winlog collectors only if the event name begins with "Microsoft" and the Event ID is equal to 1023.

filter= {;.*;}

Default filter value. Sends all log events from all sources.

filter= {winlog;.*;}

Sends all log events from winlog sections.

filter= {filelog;syslog;facility<5}

Sends log events from the [filelog|syslog] section if facility is less than 5. [filelog|syslog] sections must have a parser that extracts the facility field. Otherwise, all events are skipped.

filter= {;;}

Matches no log events. Use this syntax to deactivate log forwarding.

The following example adds a filter to the configuration of the second destination of the previous example.

 

; The second destination receives just syslog events through the plain syslog protocol.
[server|syslog-audit]
hostname=third_party_audit_management.eng.vmware.com
proto=syslog
ssl=no
filter= {filelog; syslog; }

The next example uses a more complex filter expression.

; This destination receives vRealize Operations events if they have the level field equal
; to "error" or "warning" and they are collected by sections whose name begins with "vrops-".

[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter= {; vrops-.*; level == "error" || level == "warning"}
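
Because a filter can silently stop events from reaching a destination (an event_filter on a section without a parser, or a filter that matches no section), the following added example, which is not part of the original documentation or the product, audits a liagent.ini for those two cases. The sample file is constructed, and the "parser" option name and whole-name regex matching are assumptions.

```python
import configparser
import re

# Constructed sample liagent.ini; section names and values are illustrative.
SAMPLE_INI = """
[server|audit]
filter= {filelog; syslog; facility<5},{winlog;Micr.*;}
[server|off]
filter= {;;}
[filelog|syslog]
directory=/var/log
[filelog|apache-access]
parser=clf
[winlog|Microsoft-Security]
channel=Security
"""

def audit_filters(ini_text):
    """Return {dest_id: [findings]} for each [server|<dest_id>] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    sections = [(s.partition("|")[0], s.partition("|")[2], s) for s in cfg.sections()]
    # Assumption: a collector section declares its parser with a "parser" option.
    collectors = [(t, n, cfg.has_option(s, "parser"))
                  for t, n, s in sections if t in ("filelog", "winlog")]
    report = {}
    for kind, dest_id, section in sections:
        if kind != "server" or not dest_id:
            continue
        raw = cfg.get(section, "filter", fallback="{;.*;}")  # documented default
        findings, matched = [], set()
        for body in re.findall(r"\{([^{}]*)\}", raw):
            parts = [p.strip() for p in body.split(";", 2)] + ["", ""]
            ctypes, name_re, event_filter = parts[:3]
            wanted = {t.strip() for t in ctypes.split(",") if t.strip()}
            for ctype, name, has_parser in collectors:
                # Assumption: collector_filter must match the whole section name.
                if (wanted and ctype not in wanted) or not re.fullmatch(name_re, name):
                    continue
                matched.add((ctype, name))
                # Only filelog is checked: the page states the parser rule for
                # [filelog|...] sections and filters winlog on eventid directly.
                if event_filter and ctype == "filelog" and not has_parser:
                    findings.append(f"[{ctype}|{name}] has no parser, so "
                                    f"'{event_filter}' drops every event")
        if not matched:
            findings.append("no collector section matches; nothing is forwarded")
        report[dest_id] = findings
    return report
```

Calling audit_filters(SAMPLE_INI) returns one finding per destination here; a present parser is not proof that it extracts the field the expression uses, so a clean result still needs a check against received events.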
