You can set up filters for Linux log files to explicitly include or exclude log events.

About this task

Note:

By default, the vRealize Log Insight Linux agent collects hidden files created by programs or editors. Hidden file names start with a period. You can prevent the vRealize Log Insight Linux agent from collecting hidden files by adding an exclude=.* parameter.

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of event fields and operators.

Note:

The blacklist option only works for fields; it cannot be used to blacklist text.

  • whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.

  • blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Linux event fields and operators see Collect Events from a Log File.

Prerequisites

  • Log in as root or use sudo to run console commands.

  • Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.

Procedure

  1. Open the /var/lib/loginsight-agent/liagent.ini file in any text editor.
  2. Add a whitelist or blacklist parameter in the [filelog|] section.

    For example:

    [filelog|apache]
    directory = path_to_log_directory
    include = glob_pattern
    blacklist = filter_expression
    
  3. Create a filter expression from Linux events fields and operators.

    For example:

    whitelist = server_name

  4. Save and close the liagent.ini file.

Filter Configurations

You can configure the agent to collect only Apache logs where the server_name is sample.com and the remote_host is not equal to 127.0.0.1, for example:

[filelog|apache]
directory=/var/log/httpd
include=access_log
parser=clf
whitelist = server_name == "sample.com"
blacklist = remote_host == "127.0.0.1"
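The following Python script is an added illustration of the whitelist/blacklist semantics described above (collect when whitelist is non-zero and blacklist is zero, implied whitelist of 1, default blacklist of 0). It is not code from vRealize Log Insight or from this page. The log lines are constructed sample data in a vhost-style layout that puts the server name first, the regex parser and the supported operator subset (the literals 0 and 1, `==`, `!=`, `and`, `or`) are assumptions made for the example, and the field names server_name and remote_host mirror the ones used in the configuration above.

```python
import re
from typing import Dict, List, Optional

# Constructed Apache access_log lines with a leading server name followed by the
# common log format fields. Sample data for this example, not from the page.
SAMPLE_LOG_LINES = [
    'sample.com 127.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    'sample.com 203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512',
    'other.example 198.51.100.9 - frank [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 87',
]

# Minimal parser for the constructed layout above (an assumption, not the agent's
# clf parser). Field names follow the ones the page uses: server_name, remote_host.
CLF_RE = re.compile(
    r'^(?P<server_name>\S+) (?P<remote_host>\S+) (?P<ident>\S+) (?P<remote_user>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Turn one log line into an event (a dict of fields); None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


# One comparison: field == "text" or field != "text"
ATOM_RE = re.compile(r'^\s*(\w+)\s*(==|!=)\s*"([^"]*)"\s*$')


def _eval_atom(atom: str, event: Dict[str, str]) -> bool:
    atom = atom.strip()
    if atom in ("0", "1"):          # bare literals, as in the implied whitelist = 1
        return atom == "1"
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported filter atom: {atom!r}")
    field, op, value = m.groups()
    actual = event.get(field, "")   # a missing field compares as empty text
    return (actual == value) if op == "==" else (actual != value)


def eval_filter(expr: str, event: Dict[str, str]) -> bool:
    """Evaluate a filter expression against one event.

    Assumed grammar (a deliberate subset for this example): atoms joined by
    'and' and 'or', with 'and' binding tighter than 'or'.
    """
    for group in re.split(r'\s+or\s+', expr):
        if all(_eval_atom(atom, event) for atom in re.split(r'\s+and\s+', group)):
            return True
    return False


def should_collect(event: Dict[str, str], whitelist: str = "1", blacklist: str = "0") -> bool:
    """Page semantics: collect only when whitelist is non-zero and blacklist is zero.
    An omitted whitelist is an implied 1; the default blacklist is 0."""
    return eval_filter(whitelist, event) and not eval_filter(blacklist, event)


def collect(lines: List[str], whitelist: str = "1", blacklist: str = "0") -> List[Dict[str, str]]:
    """Parse the lines and return only the events the filters would let through."""
    events = [e for e in map(parse_clf, lines) if e is not None]
    return [e for e in events if should_collect(e, whitelist, blacklist)]


if __name__ == "__main__":
    # Same filters as the [filelog|apache] example above.
    for ev in collect(SAMPLE_LOG_LINES,
                      whitelist='server_name == "sample.com"',
                      blacklist='remote_host == "127.0.0.1"'):
        print(ev["server_name"], ev["remote_host"], ev["request"])
```

Running the script with the filters from the configuration above keeps only the sample.com event from 203.0.113.7: the loopback request is dropped by the blacklist and the other.example request never passes the whitelist. Leaving both parameters at their defaults keeps every event, which is the behaviour the page describes for an omitted whitelist.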