You can add a Windows event channel to the Log Insight Windows Agent configuration. The Log Insight Windows Agent will collect the events and send them to the vRealize Log Insight server.

About this task

Field names are restricted: the following names are reserved and cannot be used as field names.

  • event_type

  • hostname

  • source

  • text

Prerequisites

Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.

Procedure

  1. Navigate to the program data folder of the vRealize Log Insight Windows agent.

    %ProgramData%\VMware\Log Insight Agent

  2. Open the liagent.ini file in any text editor.
  3. Add the following parameters and set the values for your environment.

    Parameter and description

    [winlog|section_name]
        A unique name for the configuration section.

    channel
        The full name of the event channel as shown in the Event Viewer built-in Windows application. To copy the correct channel name, right-click a channel in Event Viewer, select Properties, and copy the contents of the Full Name field.

    enabled
        An optional parameter to enable or disable the configuration section. The possible values are yes or no (case-insensitive). The default value is yes.

    tags
        An optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 is ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

        Tags can override the APP-NAME field if the destination is a syslog server. For example, tags={"appname":"VROPS"}.

    whitelist, blacklist
        Optional parameters to explicitly include or exclude log events.

        Note: The blacklist option only works for fields; it cannot be used to blacklist text.

    exclude_fields
        An optional parameter to exclude individual fields from collection. You can provide multiple values as a semicolon separated list. For example, exclude_fields=EventId; ProviderName

    [winlog|section_name]
    channel=event_channel_name
    enabled=yes_or_no
    tags={"tag_name1" : "Tag value 1", "tag_name2" : "tag value 2" }
  4. Save and close the liagent.ini file.
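As an added example (not part of the VMware documentation and not the agent's own code), the following Python script parses the [winlog|...] sections of a liagent.ini file and checks them against the rules in the parameter table above: channel is required, enabled is yes or no (case-insensitive, default yes), tag names must start with a letter or underscore, contain only letters, digits and underscores, be at most 64 characters, must not be event_type or timestamp, and case-insensitive duplicates after the first are ignored; exclude_fields is a semicolon separated list. The sample INI text, the [server] section and the hostname in it are constructed for the example. How the real agent reacts to malformed values is not documented on this page, so the script only reports what the stated rules say would be rejected or ignored.

```python
"""Check [winlog|...] sections of a liagent.ini against the documented rules (added example)."""
import json
import re

RESERVED_TAG_NAMES = {"event_type", "timestamp"}          # reserved tag names from the page
TAG_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")  # letter/underscore start, max 64 chars
SECTION_RE = re.compile(r"^\[winlog\|([^\]]+)\]$")         # [winlog|section_name]

# Constructed sample configuration; the [server] section and hostname are placeholders.
SAMPLE_INI = """
[server]
hostname=loginsight.example.com

[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
enabled=no

[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}
exclude_fields=EventId; ProviderName

[winlog|broken]
enabled=maybe
tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2", "timestamp" : "t", "9lives" : "x"}
"""


def parse_winlog_sections(ini_text):
    """Return {section_name: {key: value}} for every [winlog|...] section; other sections are skipped."""
    sections = {}
    current = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            match = SECTION_RE.match(line)
            current = match.group(1).strip() if match else None  # None: not a winlog section
            if current is not None:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only; JSON values keep theirs
            sections[current][key.strip()] = value.strip()
    return sections


def normalize_tags(tags_json):
    """Apply the tag rules: keep the first of case-insensitive duplicates, drop reserved/invalid names."""
    parsed = json.loads(tags_json)          # dict preserves declaration order (Python 3.7+)
    kept, seen, dropped = {}, set(), []
    for name, value in parsed.items():
        lowered = name.lower()
        if lowered in RESERVED_TAG_NAMES or not TAG_NAME_RE.match(name) or lowered in seen:
            dropped.append(name)
            continue
        seen.add(lowered)
        kept[name] = value
    return kept, dropped


def is_enabled(params):
    """enabled is case-insensitive and defaults to yes when absent."""
    return params.get("enabled", "yes").lower() == "yes"


def exclude_fields(params):
    """Split the semicolon separated exclude_fields value into field names."""
    return [f.strip() for f in params.get("exclude_fields", "").split(";") if f.strip()]


def validate_section(params):
    """Return a list of problems; an empty list means the section follows the documented rules."""
    problems = []
    if not params.get("channel"):
        problems.append("channel is required")
    enabled = params.get("enabled", "yes")
    if enabled.lower() not in ("yes", "no"):
        problems.append(f"enabled must be yes or no, got {enabled!r}")
    if "tags" in params:
        try:
            _, dropped = normalize_tags(params["tags"])
            problems.extend(f"tag {d!r} ignored (reserved, invalid name, or duplicate)" for d in dropped)
        except json.JSONDecodeError as exc:
            problems.append(f"tags is not valid JSON: {exc}")
    return problems


def check_ini(ini_text):
    """Map each winlog section name to its list of problems."""
    return {name: validate_section(params) for name, params in parse_winlog_sections(ini_text).items()}


if __name__ == "__main__":
    for name, problems in check_ini(SAMPLE_INI).items():
        print(f"[winlog|{name}]: {'ok' if not problems else '; '.join(problems)}")
```

Run the script against a copy of your own liagent.ini instead of SAMPLE_INI to see which tags the agent will ignore before restarting the service; the regex for section headers deliberately matches only winlog sections, so [server] and filelog sections pass through untouched.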

Configurations

See the following [winlog|section_name] configuration examples.

[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
enabled=no
[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}