You can provide the information that an agent sends to a destination with the filter option in the [server|<dest_id>] section of your local liagent.ini file.
The option is of the following form:
filter = {collector_type; collector_filter; event_filter}
| Filter type | Description |
|---|---|
| collector_type | A comma-separated list that defines the collector types. Supported values are filelog or winlog. If no value is provided, all collector types are used. |
| collector_filter | Specifies the name of a collector section in a regex format. For example, vcops_.* refers to all collector sections that begin with "vcops_". |
| event_filter | Filters for log event fields use the same syntax as an acceptlist or a denylist in collector sections. An agent sends only log events that evaluate the expression to True or a non-zero value. An empty event_filter always evaluates to True. To use event_filter on log events, you must have a parser defined in appropriate collector sections for field extraction. If an expression cannot be evaluated due to absence of fields in the collected log event, then the event is dropped. |
More than one filter expression can be specified by separating them with a comma as shown in the following example:
filter=
{winlog;Micr.*;},{filelog;apache-access;level=="error"}
If a message meets more than one set of filter criteria for a destination target, it is sent only once.
| Filter | Meaning |
|---|---|
| filter= {winlog;Microsoft.*;} |
Sends log events from winlog collectors only if the event name begins with "Microsoft". |
| filter= {winlog;Microsoft.*; eventid == 1023} |
Sends log events from winlog collectors only if the event name begins with "Microsoft" and Event ID equal to 1023. |
| filter= {;.*;} |
Default filter value. Sends all log events from all sources. |
| filter= {winlog;.*;} | Sends all log events from winlog sections. |
| filter= {filelog;syslog;facility<5} | Sends log events from [filelog|syslog] section if facility less than 5. [filelog|syslog] sections must have a parser that extracts the facility field. Otherwise, all events are skipped. |
| filter= {;;} | Matches no log events. Use this syntax to deactivate log forwarding. |
The following example adds a filter to the configuration of the second destination of the previous example.
; The second destination receives just syslog events through the plain syslog protocol.
[server|syslog-audit]
hostname=third_party_audit_management.eng.vmware.com
proto=syslog
ssl=no
filter= {filelog; syslog; }
The next example uses a more complex filter expression.
; This destination receives vRealize Operations events if they have the level field equal
;to "error" or "warning" and they are collected by sections whose name begins with "vrops-"
[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter= {; vrops-.*; level == "error" || level == "warning"}
More than one filter expression can be specified by separating them with a comma as shown in the following example.
filter= e.
{winlog;Micr.*;},{filelog;apache-access;level=="error"}
