A vRealize Log Insight agent collects events from log files and forwards them to a vRealize Log Insight server.

Agents support syslog and the vRealize Log Insight ingestion API (cfapi protocol) and can be used with Linux or Windows platforms. You configure agents through the web interface, with the liagent.ini file on the server and client side, or as part of installation.

You can use the following features with agents:

  • Single or group deployment

  • Manual or automatic upgrade

  • Centralized configuration management, including support for local and global configuration of agents during installation or through configuration files, the web interface, or the API

  • Agent groups, which share a common configuration

  • Use with the vRealize Log Insight forwarders. Forwarders function in a way similar to syslog aggregators and are identical to the primary vRealize Log Insight cluster nodes.

The following figure shows the elements of an agent deployment configuration.

Agents write their own operation logs. For Windows, these logs are located in the C:\ProgramData\VMware\Log Insight Agent\logs directory. For Linux, the path for the operation log is /var/log/loginsight-agent/liagent_*.log. Log files are rotated when an agent is restarted or when the file reaches a size of 10 MB. A combined limit of 50 MB of files is kept in rotation. Collecting agent logs using the vRealize Log Insight agent itself is not supported.

Separate agents for Windows and Linux operating systems are provided.

Windows Agents

The vRealize Log Insight Windows agent collects events from Windows event channels and log files, and forwards them to the vRealize Log Insight server. A Windows event channel is a pool for collecting related events in a Windows system. Applications can also store log data in flat text files on the file system The vRealize Log Insight agent monitors event channels and directories and collects and forwards events from application log files.

The vRealize Log Insight Windows agent has a limit of 64 KB per request to the vRealize Log Insight server.

The vRealize Log Insight Windows agent runs as a Windows service and starts immediately after installation. During and after installation, you can configure the following options for the vRealize Log Insight Windows agent:

  • The target vRealize Log Insight server to which the vRealize Log Insight Windows agent forwards events

  • The communication protocol and port that the agent uses.

  • Adding or removing Windows event channels.

  • Selecting Windows directories to monitor or adding flat log files for collection.

Linux Agents

The vRealize Log Insight Linux agent collects events from log files on Linux machines and forwards them to the vRealize Log Insight server.

The Log Insight Linux Agent runs as a daemon and starts immediately after installation. After installation, you can configure the following options:

  • The target vRealize Log Insight server to which the agent forwards events.

  • The directories that the agent monitors.