You can set or change the target vRealize Log Insight server for a vRealize Log Insight agent running on Windows. You can send log events to up to three destinations and filter output per destination.

The default destination can be configured through the [server] section of the liagent.ini file. The default destination is always present and by default the hostname is set to loginsight. To add more target destinations, create a [server|<dest_id>] section for each target. You must specify a unique hostname as the destination ID for each additional connection. You can use the same options for additional destinations as for the default [server] section. Do not configure additional destinations for auto-upgrade or use them for agent configuration. You can specify two additional destinations.

By default, the agent sends all collected logs to all destinations. You can filter logs to send different logs to different destinations with the file option. For more information, see Filtering Log Events from vRealize Log Insight Agents.

Prerequisites

  • Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insightagent service is installed.
  • If you have a vRealize Log Insight cluster with an enabled Integrated Load Balancer, see Enable Integrated Load Balancer for custom SSL certificate-specific requirements.

Procedure

  1. Navigate to the program data directory of the vRealize Log Insight Windows agent.
    %ProgramData%\VMware\Log Insight Agent
  2. Open the liagent.ini file in any text editor.
  3. Modify the following parameters and set the values for your environment.
    Parameter Description
    proto

    Protocol that the agent uses to send log events to the vRealize Log Insight server. The possible values are cfapi and syslog.

    The default is cfapi.

    hostname IP address or host name of the vRealize Log Insight virtual appliance.
    You can specify an IPv4 or IPv6 address. An IPv6 address can be specified with or without square brackets. For example:
    hostname = 2001:cdba::3257:9652
    or
    hostname = [2001:cdba::3257:9652]
    If the host supports both IPv4 and IPv6 stacks and a domain name is specified as the hostname, then the agent chooses the IP stack based on the IP address that the name resolver returns. If the resolver returns both IPv4 and IPv6 addresses, then the agent tries to connect sequentially to both addresses in the given order.
    max_disk_buffer The maximum disk space in MB that the Log Insight Windows Agent can use to buffer log events collected for this particular server. The option overrides the [storage].max_disk_buffer value for this server.

    The default value is 150 MB and you can set the buffer size to between 50 through 8000 MB.

    port
    Communication port that the agent uses to send log events to the vRealize Log Insight or third party server. By default the agent uses the appropriate port based on the options that are set for SSL and the protocol. See default port values provided in the list below. You need to specify the port option only if it's different from these defaults.
    • cfapi with SSL activated: 9543
    • cfapi with SSL deactivated: 9000
    • syslog with SSL activated: 6514
    • syslog with SSL deactivated: 514
    ssl Enables or disables SSL. The default value is yes.

    When ssl is set to yes, the port is set as 9543, unless you specify otherwise.

    reconnect The time in minutes to force re-connection to the server. The default value is 30.
    filter Specifies the information an agent sends to a destination. This option takes three arguments:
    {collector_type; collector_filter; event_filter}
    [server]
    hostname=LOGINSIGHT
    ; Hostname or IP address of your Log Insight server / cluster load balancer. Default:
    ;hostname=LOGINSIGHT
     
    ; Protocol can be cfapi (Log Insight REST API), syslog. Default:
    ;proto=cfapi
    
    ; Log Insight server port to connect to. Default ports for protocols (all TCP):
    ; syslog: 514; syslog with ssl: 6514; cfapi: 9000; cfapi with ssl: 9543. Default:
    ;port=9543
    
    ; SSL usage. Default:
    ;ssl=yes
    
  4. Save and close the liagent.ini file.

Example

The following configuration example sets a target vRealize Log Insight server that uses a trusted certificate authority.
[server]
proto=cfapi
hostname=LOGINSIGHT
port=9543
ssl=yes;  
ssl_ca_path=/etc/pki/tls/certs/ca.pem

The following example shows a multi-destination configuration that includes filtering messages per destination.

; The first (default) destination receives all collected events.
[server]
hostname=prod1.licf.vmware.com

; The second destination receives just syslog events through the plain syslog protocol.
[server|syslog-audit]
hostname=third_party_audit_management.eng.vmware.com
proto=syslog
ssl=no
filter={filelog; syslog; }


; The third destination receives vRealize Operations events if they have the level field equal to "error" or "warning" 
; and they are collected by sections whose name begins with "vrops-"

[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter={; vrops-.*; level == "error" || level == "warning"}

; Collecting syslog messages.
[filelog|syslog]
directory=/var/log
include=messages

; various vROPs logs. Note that all section names begin with a "vrops-" prefix, which is used in third destination filter.
[filelog|vrops-ANALYTICS-analytics]
directory=/data/vcops/log
include=analytics*.log*
exclude=analytics*-gc.log*
parser=auto

[filelog|vrops-COLLECTOR-collector]
directory=/data/vcops/log
include=collector.log*
event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
parser=auto

[filelog|vrops-COLLECTOR-collector_wrapper]
directory=/data/vcops/log
include=collector-wrapper.log*
event_marker=^\d{4}-\d{2}-\d{2} [\s]\d{2}:\d{2}:\d{2}\.\d{3} 
parser=auto

What to do next

You can configure additional SSL options for the vRealize Log Insight agent. See Configure SSL Connection Between the Server and the Log Insight Agents.