You can configure the Log Insight Linux Agent to collect events from one or more log files.

Note

By default, the Log Insight Linux Agent collects hidden files created by programs or editors such as VIM, CVS, SVN, GIT and so on. These hidden file names start with a period. If you do not want the Log Insight Linux Agent to collect hidden files, you must add an exclude parameter, exclude=^\.*.

Log in as root or use sudo to run console commands.

Log in to the Linux machine on which you installed the Log Insight Linux Agent, open a console and run pgrep liagent to verify that the VMware vRealize Log Insight Linux Agent is installed and running.

1. Open the /var/lib/loginsight-agent/liagent.ini file in any text editor.

2. Add configuration parameters and set the values for your environment.

Parameter

Description

[filelog|section_name]

A unique name for the configuration section.

directory

The full path to the log file directory.

include

(Optional) A file name or a file mask (glob pattern) from which to collect data. You can provide values as a semicolon separated list. The default value is *, which means that all files are included. The parameter is case sensitive.

Note

By default .zip and .gz files are excluded from collection. If you want to collect .zip and .gz files, add them using the include parameter.

Important

If you are collecting a rotated log file, use the include and exclude parameters to specify a glob pattern that matches both the primary and the rotated file. If the glob pattern matches only the primary log file, the Log Insight Agents might miss events during rotation. The Log Insight Agents automatically determine the correct order of rotated files and send events to the Log Insight server in the right order. For example, if your primary log file is named myapp.log and rotated logs are myapp.log.1, myapp.log.2 and so on, you can use the following include pattern: include= myapp.log;myapp.log.*

exclude

(Optional) A file name or file mask (glob pattern) to exclude from collection. You can provide values as a semicolon separated list. The default value is empty, which means that no file is excluded.

event_marker

(Optional) A regular expression that denotes the start of an event in the log file. If omitted, it defaults to newline. The expressions you type must use the Perl regular expressions syntax.

enabled

(Optional) A parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.

charset

(Optional) The character encoding of the log files that the agent monitors. The possible values are UTF-8, UTF-16LE, and UTF-16BE. The default value is UTF-8.

tags

(Optional) A parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

Tags can override the APP-NAME field, if the destination is a syslog server. For example, tags={"appname":"VROPS"}.

exclude_fields

(Optional) A parameter to exclude individual fields from collection. You can provide multiple values as a semicolon separated list. For example, exclude_fields=hostname; filepath

[filelog|section_name]
directory=path_to_log_directory
include=glob_pattern

3. Save and close the liagent.ini file.

[filelog|messages]
directory=/var/log
include=messages;messages.?

[filelog|syslog]
directory=/var/log
include=syslog;syslog.?

[filelog|Apache]
directory=/var/log/apache2
include=*
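
The rotation note for the include parameter can be checked before deployment. The following Python example is added here and is not VMware code: it parses [filelog|...] sections and reports rotated files that the include and exclude globs fail to cover. The sample configuration, the directory listing and the function names are constructed, and Python's fnmatch is assumed to approximate the agent's glob matching.

```python
import configparser
import fnmatch

# Constructed sample: the second section matches only the primary file.
SAMPLE_INI = """
[filelog|myapp_ok]
directory=/var/log/myapp
include=myapp.log;myapp.log.*
[filelog|myapp_gap]
directory=/var/log/myapp
include=myapp.log
"""
# Constructed directory listing, so the example needs no filesystem access.
SAMPLE_FILES = ["myapp.log", "myapp.log.1", "myapp.log.2", ".myapp.log.swp"]


def split_patterns(value):
    """Split a semicolon separated include/exclude value into glob patterns."""
    return [p.strip() for p in value.split(";") if p.strip()]


def collected(section, files):
    """Files a section picks up: include (default *) minus exclude."""
    inc = split_patterns(section.get("include", "*")) or ["*"]
    exc = split_patterns(section.get("exclude", ""))
    # Assumption: fnmatchcase stands in for the agent's case-sensitive globbing.
    return [f for f in files
            if any(fnmatch.fnmatchcase(f, p) for p in inc)
            and not any(fnmatch.fnmatchcase(f, p) for p in exc)]


def rotation_gaps(ini_text, files):
    """Map section name -> rotated files (collected name + '.suffix') missed."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    gaps = {}
    for name in cfg.sections():
        sec = cfg[name]
        if not name.startswith("filelog|") or sec.get("enabled", "yes") == "no":
            continue
        got = collected(sec, files)
        missed = [f for f in files if f not in got
                  and any(f.startswith(g + ".") for g in got)]
        if missed:
            gaps[name] = missed
    return gaps


if __name__ == "__main__":
    print(rotation_gaps(SAMPLE_INI, SAMPLE_FILES))
```

With the default include=* and no exclude, `collected` also returns the hidden editor swap file, which is the behaviour the first note describes.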