You can add a Windows event channel to the Log Insight Windows Agent configuration. The Log Insight Windows Agent will collect the events and send them to the Log Insight server.

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

1. Navigate to the program data folder of the Log Insight Windows Agent.

   %ProgramData%\VMware\Log Insight Agent

2. Open the liagent.ini file in any text editor.

3. Add the following parameters and set the values for your environment.

Parameter               Description
[winlog|section_name]   A unique name for the configuration section.
channel                 The full name of the event channel as shown in the Event Viewer built-in Windows application. To copy the correct channel name, right-click a channel in Event Viewer, select Properties, and copy the contents of the Full Name field.
enabled                 An optional parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.
tags                    An optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.
whitelist, blacklist    Optional parameters to explicitly include or exclude log events.

[winlog|section_name]
channel=event_channel_name
enabled=yes_or_no
tags={"tag_name1" : "Tag value 1", "tag_name2" : "tag value 2" }

4. Save and close the liagent.ini file.

5. Restart the VMware Log Insight Agent service.

Note: Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
enabled=no

[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}
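
A pre-deployment check of the [winlog|...] rules from the parameter table, as an added example that is not part of the original documentation or of the agent itself. The names check_tags, lint_winlog and SAMPLE are hypothetical, and the script assumes ASCII letters in tag names and case-insensitive matching of the reserved names. It also reports sections set to enabled=no, because a channel you expect to see on the server is then silently not collected.

```python
import configparser
import json
import re

TAG_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}\Z")  # ASCII letters assumed
RESERVED = {"event_type", "timestamp"}  # matched case-insensitively (assumption)
# Constructed sample input for this example, not taken from a real host.
SAMPLE = """[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
enabled=no
[winlog|security]
channel=Security
tags={"site": "dc1", "Site": "dc2", "event_type": "auth", "9lives": "x"}
"""

def check_tags(raw):
    """Return the problems found in one tags= value."""
    try:
        pairs = json.loads(raw, object_pairs_hook=list)  # keep repeated names
        if not raw.lstrip().startswith("{"):
            raise ValueError("not an object")
    except ValueError:
        return ["tags is not a valid JSON object"]
    problems, seen = [], set()
    for name, _value in pairs:
        key = name.lower()  # tag names are not case sensitive
        if not TAG_NAME.match(name):
            problems.append(f"invalid tag name {name!r}")
        elif key in RESERVED:
            problems.append(f"reserved tag name {name!r}")
        elif key in seen:
            problems.append(f"duplicate tag {name!r} is ignored")
        seen.add(key)
    return problems

def lint_winlog(ini_text):
    """Return {section: [problems]} for every [winlog|...] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    report = {}
    for section in (s for s in cfg.sections() if s.startswith("winlog|")):
        opts, problems = cfg[section], report.setdefault(section, [])
        problems += [] if opts.get("channel", "").strip() else ["channel is missing"]
        enabled = opts.get("enabled", "yes").strip()
        if enabled == "no":
            problems.append("section is disabled, channel is not collected")
        elif enabled != "yes":
            problems.append(f"enabled must be yes or no, got {enabled!r}")
        problems += check_tags(opts["tags"]) if "tags" in opts else []
    return report
```

Pass the text of liagent.ini to lint_winlog before restarting the service; an empty list for a section means none of the checked rules were violated.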