You can add a Windows event channel to the Log Insight Windows Agent configuration. The Log Insight Windows Agent will collect the log events and send them to the vRealize Log Insight server.

Field names are restricted. The following names are reserved and cannot be used as field names.

  • event_type
  • hostname
  • source
  • text

Prerequisites

Log in to the Windows machine on which you installed the vRealize Log Insight Windows agent and start the Services manager to verify that the vRealize Log Insight agent service is installed.

Procedure

  1. Navigate to the program data directory of the vRealize Log Insight Windows agent.
    %ProgramData%\VMware\Log Insight Agent
  2. Open the liagent.ini file in any text editor.
  3. Add the following parameters and set the values for your environment.
    Parameter Description
    [winlog|section_name] A unique name for the configuration section.
    channel The full name of the event channel as shown in the Event Viewer built-in Windows application. To copy the correct channel name, right-click a channel in Event Viewer, select Properties and copy the contents of Full Name field.
    enabled An optional parameter to enable or deactivate the configuration section. The possible values are yes or no (case-insensitive). The default value is yes.
    tags

    Optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case-sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 is ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

    If the destination is a syslog server, tags can override the APP-NAME field. For example, tags={"appname":"VROPS"}.

    whitelist, blacklist Optional parameters to explicitly include or exclude log events.
    Note: The blacklist option only works for fields; it cannot be used to block text.
    exclude_fields (Optional) A parameter to exclude individual fields from collection. You can provide multiple values as a semicolon separated list. For example, exclude_fields=EventId; ProviderName 
    [winlog|section_name]
channel=event_channel_name
enabled=yes_or_no
tags={"tag_name1" : "Tag value 1", "tag_name2" : "tag value 2" }
  4. Save and close the liagent.ini file.

Example: Configurations

See the following [winlog| configuration examples. 

[winlog|Events_Firewall ]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall 
enabled=no

[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}