You can set up filters for Windows Event Channels to explicitly include or exclude log events.

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of Windows event fields and operators.

whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.

blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Windows event fields and operators see Event Fields and Operators

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.


Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent


Open the liagent.ini file in any text editor.


Add a whitelist or blacklist parameter in the [winlog|] section.

For example

channel = event_channel_name
blacklist = filter_expression

Create a filter expression from Windows events fields and operators.

For example

whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO

Save and close the liagent.ini file.


Restart the VMware Log Insight Agent service.


Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

Collect only error events

channel = Security

Collect only VMware Network events from Application channel

channel = Application
whitelist = ProviderName == "VMnetAdapter" or ProviderName == "VMnetBridge" or ProviderName == "VMnetDHCP"

Collects all events from Security channel except particular events

channel = Security
blacklist = EventID == 4688 or EventID == 5447