You can set up filters for Linux log files to specify which log events to include or exclude.
About this task
By default the vRealize Log Insight Linux agent collects hidden files created by programs or editors. The hidden file names start with a period. You can prevent the vRealize Log Insight Linux agent from collecting hidden files, by adding an exclude exclude=.* parameter.
You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of event fields and operators.
The blacklist option only works for fields; it cannot be used to blacklist text.
whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.
blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.
For a complete list of Linux event fields and operators see Collect Events from a Log File.
Log in as root or use sudo to run console commands.
Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.
- Open the /var/lib/loginsight-agent/liagent.ini file in any text editor.
- Add a whitelist or blacklist parameter in the [filelog|] section.
[filelog|apache] directory = path_to_log_directory include = glob_pattern blacklist = filter_expression
- Create a filter expression from Linux events fields and operators.
whitelist = server_name
- Save and close the liagent.ini file.
You can configure the agent to collect only Apache logs where the server_name is sample.com and the remote_host is not equal to 127.0.0.1, as shown in the following example:
[filelog|apache] directory=/var/log/httpd include=access_log parser=clf whitelist = server_name == "sample.com" blacklist = remote_host == "127.0.0.1"