Set up Windows Log File Channel Filtering

You can set up filters for Windows log files to explicitly include or exclude log events.

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of event fields and operators.

Note: The blacklist option only works for fields; it cannot be used to block text.

The whitelist parameter collects only log events for which the filter expression evaluates to non-zero. If you omit this parameter, the value is an implied 1.
The blacklist parameter excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Windows event fields and operators see Event Fields and Operators.

Prerequisites

Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.

Procedure

Navigate to the program data directory of the vRealize Log Insight Windows agent.
%ProgramData%\VMware\Log Insight Agent
Open the liagent.ini file in any text editor.

Add a whitelist or blacklist parameter in the [filelog|] section.

For example:

[filelog|apache]
directory = path_to_log_directory
include = glob_pattern
blacklist = filter_expression

Create a filter expression from Windows events fields and operators.
For example
```
whitelist = myServer
```
Save and close the liagent.ini file.

Example: Filter Configurations

You can configure the agent to collect only Apache logs where the server_name is

[filelog|apache]
directory=C:\Program Files\Apache Software Foundation\Apache2.4\logs
include=error.log
parser=clf
whitelist = server_name == "sample.com"
blacklist = remote_host == "127.0.0.1"