You can specify up to three destinations for the vRealize Log Insight Linux agent to send log events to.

Multiple destination connections are defined through the [server|<dest_id>] section of the li-agent.ini file where <dest_id> is a unique per-configuration connection id. You can use the same options for additional destinations as for the default [server] section. However, do not configure additional destinations for auto-upgrade or use them for agent configuration. You can specify two additional destinations.

The first target you define can use the default server value loginsight. When you define additional targets, you must specify a hostname in the [server] sections for subsequent targets. Without filtering, the agent sends all collected logs to all destinations. This is the default. However, you can filter logs to send different logs to different destinations.

Prerequisites

  • Log in as root or use sudo to run console commands.
  • Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.
  • If you have a vRealize Log Insight cluster with an activated Integrated Load Balancer, see Activate Integrated Load Balancer for custom SSL certificate-specific requirements.

Procedure

  1. Open the /var/lib/loginsight-agent/liagent.ini file in any text editor.
  2. Modify the following parameters and set the values for your environment.
    Parameter Description
    proto

    Protocol that the agent uses to send log events to the vRealize Log Insight server. The possible values are cfapi and syslog.

    The default is cfapi.

    hostname IP address or host name of the vRealize Log Insight virtual appliance.
    You can specify an IPv4 or IPv6 address. An IPv6 address can be specified with or without square brackets. For example:
    hostname = 2001:cdba::3257:9652
    or
    hostname = [2001:cdba::3257:9652]
    If the host supports both IPv4 and IPv6 stacks and a domain name is specified as the hostname, then the agent uses the IP stack depending on the IP address that is returned by the name resolver. If the resolver returns both IPv4 and IPv6 addresses, then the agent tries to connect sequentially to both addresses in the given order.
    max_disk_buffer The maximum disk space in MB that the Log Insight Linux Agent can use to buffer log events collected for this particular server. The option overrides the [storage].max_disk_buffer value for this server.

    The default value is 150 MB and you can set the buffer size to between 50 through 8000 MB.

    port
    Communication port that the agent uses to send log events to the vRealize Log Insight or third party server. By default the agent uses the appropriate port based on the options that are set for SSL and the protocol. See default port values provided in the list below. You need to specify the port option only if it's different from these defaults.
    • cfapi with SSL activated: 9543
    • cfapi with SSL deactivated: 9000
    • syslog with SSL activated: 6514
    • syslog with SSL deactivated: 514
    ssl Activates or deactivates SSL. The default value is yes.

    When ssl is set to yes, if you do not set a value for the port, the port is automatically picked up as 9543.

    reconnect The time in minutes to force reconnection to the server. The default value is 30.
    [server]
    hostname=LOGINSIGHT
    ; Hostname or IP address of your Log Insight server / cluster load balancer. Default:
    ;hostname=LOGINSIGHT
    
    ; Protocol can be cfapi (Log Insight REST API), syslog. Default:
    ;proto=cfapi
    
    ; Log Insight server port to connect to. Default ports for protocols (all TCP):
    ; syslog: 514; syslog with ssl: 6514; cfapi: 9000; cfapi with ssl: 9543. Default:
    ;port=9543
    
    ; SSL usage. Default:
    ;ssl=yes
    
  3. Save and close the liagent.ini file.

Example

The following configuration example sets a target vRealize Log Insight server that uses a trusted certificate authority.
[server]
proto=cfapi
hostname=LOGINSIGHT
port=9543
ssl=yes;  
ssl_ca_path=/etc/pki/tls/certs/ca.pem

The following example shows a multi-destination configuration.

  • The first (default) destination receives all collected log events.
    [server]
    hostname=prod1.licf.vmware.com
  • The second destination receives just syslog events through the plain syslog protocol.
    [server|syslog-audit]
    hostname=third_party_audit_management.eng.vmware.com
    proto=syslog
    ssl=no
    filter= {filelog; syslog; }
  • The third destination receives vRealize Operations log events if they have the level field equal to "error" or "warning" and they are collected by sections whose name begins with "vrops-"
[server|licf-prod1]
hostname=vrops-errors.licf.vmware.com
filter= {; vrops-.*; level == "error" || level == "warning"}

;Collecting syslog messages.
[filelog|syslog]
directory=/var/log
include=messages

;various vRops logs. Note that all section names begin with "vrops-" prefix, which is used in third destination filter.
[filelog|vrops-ANALYTICS-analytics]
directory=/data/vcops/log
include=analytics*.log*
exclude=analytics*-gc.log*
parser=auto
[filelog|vrops-COLLECTOR-collector]
directory=/data/vcops/log
include=collector.log*
event_marker=^\d
{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
parser=auto

[filelog|vrops-COLLECTOR-collector_wrapper]
directory=/data/vcops/log
include=collector-wrapper.log*
event_marker=^\d{4} 
-\d
{2}-\d{2} 
[\s]\d
{2}:\d{2} 
:\d
{2} 
\.\d
{3} 
parser=auto

What to do next

You can configure additional SSL options for the vRealize Log Insight Linux agent. See Configure SSL Connection Between the Server and the Log Insight Agents.