You can specify the information an agent sends to a destination with the filter option in the [server|<dest_id>] section of your local liagent.ini file.

The option is of the following form:

filter = {collector_type; collector_filter; event_filter}

| Filter type | Description |
| --- | --- |
| collector_type | A comma-separated list that defines the collector types. Supported values are filelog and winlog. If no value is specified, all collector types are used. |
| collector_filter | Specifies the name of a collector section as a regular expression. For example, vcops_.* refers to all collector sections that begin with "vcops_". |
| event_filter | Filters on event fields use the same syntax as whitelists or blacklists in collector sections. An agent sends only events for which the expression evaluates to True or a non-zero value. An empty event_filter always evaluates to True. To use event_filter, the matching collector sections must define a parser that extracts the fields. If an expression cannot be evaluated because a field is absent from the collected event, the event is dropped. |

More than one filter expression can be specified by separating them with a comma as shown in the following example:

filter= {winlog;Micr.*;},{filelog;apache-access;level=="error"}

If a message meets more than one set of filter criteria for a destination target, it is sent only once.

Table 1. Syntax Examples

| Filter | Meaning |
| --- | --- |
| filter= {winlog;Microsoft.*;} | Sends events from winlog collectors only if the event name begins with "Microsoft". |
| filter= {winlog;Microsoft.*; eventid == 1023} | Sends events from winlog collectors only if the event name begins with "Microsoft" and the Event ID is equal to 1023. |
| filter= {;.*;} | Default filter value. Sends all events from all sources. |
| filter= {winlog;.*;} | Sends all events from winlog sections. |
| filter= {filelog;syslog;facility<5} | Sends events from the [filelog\|syslog] section if facility is less than 5. The [filelog\|syslog] section must have a parser that extracts the facility field; otherwise, all events are skipped. |
| filter= {;;} | Matches no events. Use this syntax to disable event forwarding. |

The following example adds a filter to the configuration of the second destination of the previous example.

 

; The second destination receives just syslog events through the plain syslog protocol.
[server|syslog-audit]
hostname=third_party_audit_management.eng.vmware.com
proto=syslog
ssl=no
filter= {filelog; syslog; }

The next example uses a more complex filter expression.

; This destination receives vRealize Operations Manager events if they have the level field equal
; to "error" or "warning" and they are collected by sections whose name begins with "vrops-"

[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter= {; vrops-.*; level == "error" || level == "warning"}
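Because an event_filter silently drops every event from a collector section that has no parser, an audit destination can end up receiving nothing. The following added example (not part of the product or its documentation) reads a liagent.ini and reports, per destination, which collector sections are forwarded and which are dropped entirely. Assumptions: the sample file is constructed, collector_filter is matched against the whole section name, the parser is configured with a `parser=` option, and only filelog sections need one.

```python
import configparser
import re

# Constructed sample liagent.ini; hosts, section names and values are illustrative.
SAMPLE_INI = """
[server|syslog-audit]
hostname=audit.example.com
filter= {filelog; syslog; facility<5},{winlog;Micr.*;}
[server|disabled]
hostname=unused.example.com
filter= {;;}
[filelog|syslog]
directory=/var/log
[filelog|apache-access]
directory=/var/log/apache2
parser=clf
[winlog|Microsoft-Sysmon]
channel=Microsoft-Windows-Sysmon/Operational
"""

# One {collector_type; collector_filter; event_filter} triple. Simplification:
# braces and semicolons inside event_filter string literals are not handled.
TRIPLE = re.compile(r"\{([^;{}]*);([^;{}]*);([^{}]*)\}")

def audit(ini_text):
    """Per destination: collector sections forwarded, and sections that match
    only through an event_filter they have no parser for (events dropped)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    collectors = [s for s in cfg.sections() if s.split("|")[0] in ("filelog", "winlog")]
    report = {}
    for dest in (s for s in cfg.sections() if s.startswith("server|")):
        raw = cfg[dest].get("filter", fallback="{;.*;}")  # documented default
        forwards, dropped = set(), set()
        for types, name_re, expr in TRIPLE.findall(raw):
            wanted = {t.strip() for t in types.split(",") if t.strip()}
            for section in collectors:
                ctype, name = section.split("|", 1)
                if wanted and ctype not in wanted:
                    continue
                if not re.fullmatch(name_re.strip(), name):  # assumed: whole-name match
                    continue
                # Assumption: only filelog sections need an explicit parser= option.
                if expr.strip() and ctype == "filelog" and "parser" not in cfg[section]:
                    dropped.add(section)
                else:
                    forwards.add(section)
        report[dest] = {"forwards": sorted(forwards),
                        "drops_all": sorted(dropped - forwards)}
    return report

if __name__ == "__main__":
    for dest, result in audit(SAMPLE_INI).items():
        print(dest, result)
```

A section listed under `forwards` with a non-empty event_filter is still subject to that expression per event; `drops_all` lists only the sections that can never deliver anything to that destination.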
