You can add a Windows event channel to the Log Insight Windows Agent configuration. The Log Insight Windows Agent will collect the events and send them to the vRealize Log Insight server.

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vRealize Log Insight Agent service is installed.


Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent


Open the liagent.ini file in any text editor.


Add the following parameters and set the values for your environment.




A unique name for the configuration section.


The full name of the event channel as shown in the Event Viewer built-in Windows application. To copy the correct channel name, right-click a channel in Event Viewer, select Properties and copy the contents of Full Name field.


An optional parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.


An optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

whitelist, blacklist

Optional parameters to explicitly include or exclude log events.


(Optional) A parameter to exclude individual fields from collection. You can provide multiple values as a semicolon separated list. For example, exclude_fields=EventId; ProviderName

tags={"tag_name1" : "Tag value 1", "tag_name2" : "tag value 2" }

Save and close the liagent.ini file.

See the following [winlog| configuration examples.

[winlog|Events_Firewall ]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall 
tags={"ChannelDescription": "Events testing channel"}