A vRealize Log Insight agent collects events from log files and forwards them to a vRealize Log Insight server or any third-party syslog destination.

Agents support syslog and the vRealize Log Insight ingestion API (cfapi protocol) and can be used with Linux or Windows platforms. You configure agents through the web interface, with the liagent.ini file on the server and client side, or as part of installation.

Agents include the following features:

  • Single or group deployment

  • Automatic upgrade

  • Parsing that operates on log messages and extracts structured data. You can configure parsers for FileLog and WinLog collectors or both.

  • Support for multi-line messages

  • Native support for several log rotation schemes

  • An extensive ingestion API that includes client-side compression, encryption, and the ability to add metadata to events

The vRealize Log Insight server supports centralized configuration management and creation and management of groups of agents.

The following figure shows the elements of an agent deployment configuration.

A vRealize Log Insight forwarder is a dedicated instance of a vRealize Log Insight server whose primary job is to forward events to a remote destination. Normally, a server instance used as a forwarder is not used for query. The forwarder uses an internal load balancer and is otherwise structured like a vRealize Log Insight server.

Agents write their own operation logs. For Windows, these logs are located in the C:\ProgramData\VMware\Log Insight Agent\logs directory. For Linux, the path for the operation log is /var/log/loginsight-agent/liagent_*.log. Log files are rotated when an agent is restarted or when the file reaches a size of 10 MB. A combined limit of 50 MB of files is kept in rotation. You cannot collect agent logs with the vRealize Log Insight agent itself.

Agents are used for real-time log collection. Use the vRealize Log Insight Importer to import historic log collections, including support bundles.

Separate installation downloads for Windows and Linux operating systems are provided.

On Windows systems, the agent runs as a Windows service and starts immediately after installation. The agent monitors application log files and Windows event channels, pools for collecting related Windows system events. Collected events are forwarded to vRealize Log Insight servers or third-party syslog destinations.

On Linux systems, the agent runs as a daemon and starts immediately after installation. The vRealize Log Insight Linux agent collects events from log files on Linux machines and forwards them to vRealize Log Insight servers or syslog destinations. Debian, Red Hat, and Linux binary installation packages are available.