You can set up filters for Windows Event channels to explicitly include or exclude log events.

About this task

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of event fields and operators.

Note:

The blacklist option only works for fields; it cannot be used to blacklist text.

  • whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.

  • blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Windows event fields and operators see Event Fields and Operators.

Prerequisites

Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.

Procedure

  1. Navigate to the program data folder of the vRealize Log Insight Windows agent.

    %ProgramData%\VMware\Log Insight Agent

  2. Open the liagent.ini file in any text editor.
  3. Add a whitelist or blacklist parameter in the [winlog|] section.

    For example

    [winlog|unique_section_name]
    channel = event_channel_name
    blacklist = filter_expression
    
  4. Create a filter expression from Windows events fields and operators.

    For example

    whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO
  5. Save and close the liagent.ini file.

Filter Configurations

You can configure the agent to collect only error events, for example

[winlog|Security-Error]
channel = Security
whitelist = Level == WINLOG_LEVEL_CRITICAL or Level == WINLOG_LEVEL_ERROR

You can configure the agent to collect only VMware Network events from Application channel, for example

[winlog|VMwareNetwork]
channel = Application
whitelist = ProviderName == "VMnetAdapter" or ProviderName == "VMnetBridge" or ProviderName == "VMnetDHCP"

You can configure the agent to collect all events from Security channel except particular events, for example

[winlog|Security-Verbose]
channel = Security
blacklist = EventID == 4688 or EventID == 5447