You can set or change the target vRealize Log Insight server for a vRealize Log Insight agent running on Windows. You can send log events to up to three destinations and filter output per destination.
The default destination can be configured through the [server]
section of the liagent.ini file. The default destination is always present and by default the hostname is set to loginsight. To add more target destinations, create a [server|<dest_id>]
section for each target. You must specify a unique hostname as the destination ID for each additional connection. You can use the same options for additional destinations as for the default [server]
section. Do not configure additional destinations for auto-upgrade or use them for agent configuration. You can specify two additional destinations.
By default, the agent sends all collected logs to all destinations. You can filter logs to send different logs to different destinations with the file
option. For more information, see Filtering Log Events from vRealize Log Insight Agents.
Prerequisites
- Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insightagent service is installed.
- If you have a vRealize Log Insight cluster with an enabled Integrated Load Balancer, see Enable Integrated Load Balancer for custom SSL certificate-specific requirements.
Procedure
Example
[server] proto=cfapi hostname=LOGINSIGHT port=9543 ssl=yes; ssl_ca_path=/etc/pki/tls/certs/ca.pem
The following example shows a multi-destination configuration that includes filtering messages per destination.
; The first (default) destination receives all collected events. [server] hostname=prod1.licf.vmware.com ; The second destination receives just syslog events through the plain syslog protocol. [server|syslog-audit] hostname=third_party_audit_management.eng.vmware.com proto=syslog ssl=no filter={filelog; syslog; } ; The third destination receives vRealize Operations events if they have the level field equal to "error" or "warning" ; and they are collected by sections whose name begins with "vrops-" [server|licf-prod1] hostname=vrops-errors.licf.vmware.com filter={; vrops-.*; level == "error" || level == "warning"} ; Collecting syslog messages. [filelog|syslog] directory=/var/log include=messages ; various vROPs logs. Note that all section names begin with a "vrops-" prefix, which is used in third destination filter. [filelog|vrops-ANALYTICS-analytics] directory=/data/vcops/log include=analytics*.log* exclude=analytics*-gc.log* parser=auto [filelog|vrops-COLLECTOR-collector] directory=/data/vcops/log include=collector.log* event_marker=^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3} parser=auto [filelog|vrops-COLLECTOR-collector_wrapper] directory=/data/vcops/log include=collector-wrapper.log* event_marker=^\d{4}-\d{2}-\d{2} [\s]\d{2}:\d{2}:\d{2}\.\d{3} parser=auto
What to do next
You can configure additional SSL options for the vRealize Log Insight agent. See Configure SSL Connection Between the Server and the Log Insight Agents.