You can set up filters for Windows Event Channels to explicitly include or exclude log events.

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of Windows event fields and operators.

whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.

blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Windows event fields and operators see Event Fields and Operators

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

1

Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent

2

Open the liagent.ini file in any text editor.

3

Add a whitelist or blacklist parameter in the [winlog|] section.

For example

[winlog|unique_section_name]
channel = event_channel_name
blacklist = filter_expression
4

Create a filter expression from Windows events fields and operators.

For example

whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO
5

Save and close the liagent.ini file.

6

Restart the VMware Log Insight Agent service.

Note

Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

Collect only error events

[winlog|Security-Error]
channel = Security
whitelist = Level == WINLOG_LEVEL_CRITICAL or Level == WINLOG_LEVEL_ERROR

Collect only VMware Network events from Application channel

[winlog|VMwareNetwork]
channel = Application
whitelist = ProviderName == "VMnetAdapter" or ProviderName == "VMnetBridge" or ProviderName == "VMnetDHCP"

Collects all events from Security channel except particular events

[winlog|Security-Verbose]
channel = Security
blacklist = EventID == 4688 or EventID == 5447