You can specify up to three destinations for the vRealize Log Insight Linux agent to send log events to.
Multiple destination connections are defined through the [server|<dest_id>]
section of the li-agent.ini file where <dest_id> is a unique per-configuration connection id. You can use the same options for additional destinations as for the default [server]
section. However, do not configure additional destinations for auto-upgrade or use them for agent configuration. You can specify two additional destinations.
The first target you define can use the default server value loginsight
. When you define additional targets, you must specify a hostname in the [server]
sections for subsequent targets. Without filtering, the agent sends all collected logs to all destinations. This is the default. However, you can filter logs to send different logs to different destinations.
Prerequisites
- Log in as root or use sudo to run console commands.
- Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent, open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is installed and running.
- If you have a vRealize Log Insight cluster with an activated Integrated Load Balancer, see Activate Integrated Load Balancer for custom SSL certificate-specific requirements.
Procedure
Example
[server] proto=cfapi hostname=LOGINSIGHT port=9543 ssl=yes; ssl_ca_path=/etc/pki/tls/certs/ca.pem
The following example shows a multi-destination configuration.
- The first (default) destination receives all collected log events.
[server] hostname=prod1.licf.vmware.com
- The second destination receives just syslog events through the plain syslog protocol.
[server|syslog-audit] hostname=third_party_audit_management.eng.vmware.com proto=syslog ssl=no filter= {filelog; syslog; }
- The third destination receives vRealize Operations log events if they have the level field equal to "error" or "warning" and they are collected by sections whose name begins with "vrops-"
[server|licf-prod1] hostname=vrops-errors.licf.vmware.com filter= {; vrops-.*; level == "error" || level == "warning"} ;Collecting syslog messages. [filelog|syslog] directory=/var/log include=messages ;various vRops logs. Note that all section names begin with "vrops-" prefix, which is used in third destination filter. [filelog|vrops-ANALYTICS-analytics] directory=/data/vcops/log include=analytics*.log* exclude=analytics*-gc.log* parser=auto [filelog|vrops-COLLECTOR-collector] directory=/data/vcops/log include=collector.log* event_marker=^\d {4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3} parser=auto [filelog|vrops-COLLECTOR-collector_wrapper] directory=/data/vcops/log include=collector-wrapper.log* event_marker=^\d{4} -\d {2}-\d{2} [\s]\d {2}:\d{2} :\d {2} \.\d {3} parser=auto
What to do next
You can configure additional SSL options for the vRealize Log Insight Linux agent. See Configure SSL Connection Between the Server and the Log Insight Agents.