You can set or change the target vRealize Log Insight server that the vRealize Log Insight Linux agent sends events to. You can send events to one or more destinations.

About this task

Multiple destination connections are defined through the [server|<dest_id>] section of the li-agent.ini file, where <dest_id> is a unique per configuration connection id. You can use the same options for additional destinations as for the default [server] section. However, additional destinations should not be configured for auto-upgrade and the destination servers cannot be used for agent configuration. You can specify two additional destinations.

When you define additional [server] sections, you must specify a hostname. By default, the agent sends all collected events to all destinations. You can filter events to send different events to different destinations.

Prerequisites

  • Log in as root or use sudo to run console commands.

  • Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.

  • If you have a vRealize Log Insight cluster with an enabled Integrated Load Balancer, see Enable Integrated Load Balancer for custom SSL certificate specific requirements.

Procedure

  1. Open the /var/lib/loginsight-agent/liagent.ini file in any text editor.
  2. Modify the following parameters and set the values for your environment.

    Parameter

    Description

    proto

    Protocol that the agent uses to send events to the vRealize Log Insight server. The possible values are cfapi and syslog.

    The default is cfapi.

    hostname

    IP address or host name of the vRealize Log Insight virtual appliance.

    You can specify an IPv4 or IPv6 address. An IPv6 address can be specified with or without square brackets. For example:

    hostname = 2001:cdba::3257:9652
    or
    hostname = [2001:cdba::3257:9652]

    If the host supports both IPv4 and IPv6 stacks and a domain name is specified as the hostname, then the agent will use the IP stack depending on the IP address that is returned by the name resolver. If the resolver returns both IPv4 and IPv6 addresses, than the agent will try to connect sequentially to both addresses in the given order.

    port

    Communication port that the agent uses to send events to the vRealize Log Insight or third party server. By default the agent uses the appropriate port based on the options that are set for SSL and the protocol. See default port values provided in the list below. You need to specify the port option only if it's different from these defaults.

    ssl

    Enables or disables SSL. The default value is yes.

    When ssl is set to yes, if you do not set a value for the port, the port is automatically picked up as 9543.

    reconnect

    The time in minutes to force reconnection to the server. The default value is 30.

    [server]
    hostname=LOGINSIGHT
    ; Hostname or IP address of your Log Insight server / cluster load balancer. Default:
    ;hostname=LOGINSIGHT
    
    ; Protocol can be cfapi (Log Insight REST API), syslog. Default:
    ;proto=cfapi
    
    ; Log Insight server port to connect to. Default ports for protocols (all TCP):
    ; syslog: 514; syslog with ssl: 6514; cfapi: 9000; cfapi with ssl: 9543. Default:
    ;port=9543
    
    ; SSL usage. Default:
    ;ssl=yes
    
  3. Save and close the liagent.ini file.

Example

The following configuration example sets a target vRealize Log Insight server that uses a trusted certificate authority.

[server]
proto=cfapi
hostname=LOGINSIGHT
port=9543
ssl=yes;  
ssl_ca_path=/etc/pki/tls/certs/ca.pem

The following example shows a multi-destination configuration.

  • The first (default) destination receives all collected events.

    [server]
    hostname=prod1.licf.vmware.com
  • The second destination receives just syslog events through the plain syslog protocol.

    [server|syslog-audit]
    hostname=third_party_audit_management.eng.vmware.com
    proto=syslog
    ssl=no
    filter= {filelog; syslog; }
  • The third destination receives vRealize Operations Manager events if they have the level field equal to "error" or "warning" and they are collected by sections whose name begins with "vrops-"

[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter= {; vrops-.*; level == "error" || level == "warning"}

;Collecting syslog messages.
[filelog|syslog]
directory=/var/log
include=messages

;various vRops logs. Note that all section names begin with "vrops-" prefix, which is used in third destination filter.
[filelog|vrops-ANALYTICS-analytics]
directory=/data/vcops/log
include=analytics*.log*
exclude=analytics*-gc.log*
parser=auto
[filelog|vrops-COLLECTOR-collector]
directory=/data/vcops/log
include=collector.log*
event_marker=^\d
{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
parser=auto

[filelog|vrops-COLLECTOR-collector_wrapper]
directory=/data/vcops/log
include=collector-wrapper.log*
event_marker=^\d{4} 
-\d
{2}-\d{2} 
[\s]\d
{2}:\d{2} 
:\d
{2} 
\.\d
{3} 
parser=auto

What to do next

You can configure additional SSL options for the vRealize Log Insight Linux agent. See Configure SSL Connection Between the Server and the Log Insight Agents.