You can configure the vRealize Log Insight Windows agent to collect events from one or more log files.

About this task

Collecting from Encrypted Folders

The agent can collect from encrypted folders, but only if it runs as the user who encrypted the folder.

Field names are restricted. The following names are reserved and cannot be used as field names.

  • event_type

  • hostname

  • source

  • text


Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.


  1. Navigate to the program data folder of the vRealize Log Insight Windows agent.

    %ProgramData%\VMware\Log Insight Agent

  2. Open the liagent.ini file in any text editor.
  3. Add configuration parameters and set the values for your environment.




    A unique name for the configuration section.


    The full path to the log file directory.

    You can define the same directory under one or more different configuration sections, to collect logs from the same file multiple times. This process makes it possible to apply different tags and filters to the same source of events.


    If you use exactly the same configurations for these sections, duplicated events are observed on the server side.


    (Optional) A file name or file mask (glob pattern) from which to collect data. You can provide values as a semicolon-separated list. The default value is *, which means that all files are included. The parameter is case sensitive.


    By default .zip and .gz files are excluded from collection.


    If you are collecting a rotated log file, use the include and exclude parameters to specify a glob pattern that matches both the primary and the rotated files. If the glob pattern matches only the primary log file, the vRealize Log Insight agent might miss events during rotation. The agent automatically determines the correct order of rotated files and sends events to the vRealize Log Insight server in the right order. For example, if your primary log file is named myapp.log and the rotated logs are myapp.log.1, myapp.log.2, and so on, you can use the following include pattern:

    include=myapp.log;myapp.log.*


    (Optional) A file name or file mask (glob pattern) to exclude from collection. You can provide values as a semicolon-separated list. The default value is empty, which means that no file is excluded.


    (Optional) A regular expression that denotes the start of an event in the log file. If omitted, it defaults to newline. The expressions you type must use Perl regular expression syntax.


    Symbols, for example quotation marks (" "), are not treated as wrappers for regular expressions. They are treated as part of the pattern.

    Since the vRealize Log Insight agent is optimized for real-time collection, partial log messages written with an internal delay may be split into multiple events. If log file appending stops for more than 200ms without a new observed event_marker, the partial event is treated as complete, parsed, and delivered. This timing logic is non-configurable and has priority over the event_marker setting. Log file appenders should flush full events.


    (Optional) A parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.


    (Optional) The character encoding of the log files that the agent monitors. The possible values are UTF-8, UTF-16LE, and UTF-16BE. The default value is UTF-8.


    (Optional) A parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

    Tags can override the APP-NAME field, if the destination is a syslog server. For example, tags={"appname":"VROPS"}.


    (Optional) A parameter to exclude individual fields from collection. You can provide multiple values as a semicolon- or comma-separated list. For example,

    • exclude_fields=hostname; filepath

    • exclude_fields=type; size

    • exclude_fields=type, size



directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
directory=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs
tags={"Provider" : "Apache"}
directory=C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log
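
The following is an added example, not part of the VMware documentation: a pre-deployment check that applies the tag-name rules and the rotated-file guidance described above, so that silently dropped tags or rotation gaps are caught before a change to liagent.ini is rolled out. The function names are hypothetical, Python's fnmatchcase stands in for the agent's glob matching, "letters" is assumed to mean ASCII letters, and the file names are constructed samples.

```python
import json
import re
from fnmatch import fnmatchcase

# Rules from the page: letters, digits and underscores; first character a
# letter or underscore; at most 64 characters; names are not case sensitive.
TAG_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")  # assumption: ASCII letters
FORBIDDEN_TAGS = {"event_type", "timestamp"}  # named on the page as unusable


def check_tags(value):
    """Return (effective_tags, problems) for the text that follows 'tags='."""
    pairs = json.loads(value, object_pairs_hook=list)  # keeps duplicate keys
    effective, seen, problems = {}, set(), []
    for name, tag_value in pairs:
        key = name.lower()
        if not TAG_NAME.fullmatch(name):
            problems.append(f"invalid tag name: {name!r}")
        elif key in FORBIDDEN_TAGS:
            problems.append(f"reserved tag name: {name!r}")
        elif key in seen:  # the first declaration wins, later ones are ignored
            problems.append(f"duplicate ignored: {name!r}")
        else:
            seen.add(key)
            effective[name] = tag_value
    return effective, problems


def uncollected(files, include="*", exclude=""):
    """List the files that the include/exclude masks leave uncollected."""
    inc = [p.strip() for p in include.split(";") if p.strip()]
    exc = [p.strip() for p in exclude.split(";") if p.strip()]
    exc += ["*.zip", "*.gz"]  # excluded by default according to the page
    return [f for f in files
            if not any(fnmatchcase(f, p) for p in inc)   # case-sensitive match
            or any(fnmatchcase(f, p) for p in exc)]


if __name__ == "__main__":
    # Constructed sample: a primary log with two rotated copies.
    logs = ["myapp.log", "myapp.log.1", "myapp.log.2"]
    print(uncollected(logs, include="myapp.log"))
    print(uncollected(logs, include="myapp.log;myapp.log.*"))
    print(check_tags('{"tag_name1": "tag value 1", "Tag_Name1": "tag value 2"}'))
```

Any file name returned by uncollected for a rotated log means events written just before rotation can be lost, which leaves a gap in the record the server receives.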