vRealize Log Insight – Windows and Linux Configuration
In the previous posts, I talked about how to install and set up Log Insight. Next, we configured the vSphere environment to send logs to Log Insight. In this post, I am going to talk about how to install the vRealize Log Insight agent on Linux and Windows operating systems to send their logs, and then customize logs so that the logs we need are sent to the Log Insight.
The vRealize Log Insight agent collects events from log files and forwards them to a vRealize Log Insight server. This agent support Syslog and the vRealize Log Insight ingestion API and can be used with Linux or Windows platforms. You configure agents through the web interface, with the liagent.ini file on the server and client-side, or as part of the installation. First, we install and configure the agent in the Windows operating system and then we go to Linux.
Install Log Insight Agent on Windows
Log in to the vRealize Log Insight and navigate to the Administration tab and in the Management section, click Agents and then scroll to the bottom of the screen and click Download Log Insight Agent.
Download an installation package by selecting it from the pop-up menu and clicking Save.
Then log in to the system (The system you want to collect logs from) and move the installation media to this system and double-click on the installation file (.msi), accept the terms of the License Agreement, and click Next.
Enter the IP address or hostname of the vRealize Log Insight server and click Test to verify your connectivity and then click Install. The wizard installs or updates the agent as an automatic Windows Service under the Local System service account.
All agent settings and configurations are stored on a file called “liagent.ini”.To edit pre-configured default settings, browse to this directory “C:\ProgramData\VMware\Log Insight Agent” and open the “liagent.ini” file with a text editor.
The Event logs are classified into few defaults such as Application, Security, System, etc. The file “liagent.ini” includes these default categories. You can modify the “liagent.ini” file to specify which logs should be received from the client. You can also configure efficiently these settings from the vRealize Log Insight. In the figure below, you can see the status of the agent, uptimes, and other information related to this agent.
Now let’s add a new category (Windows event channel) to this file so we can get new logs of this type. For example, we want to add the “Setup” to the configuration file.
First of all, we need to get information about this type of log. Open event view and right-click on the desired category (Setup), and select Properties to find the channel name.
Now navigate to the Administration tab of the vRealize Log Insight and from the Management section, click on the Agents and then scroll to the bottom of the screen. In the Build section, click on NEW in front of the Windows Event Log to add a new Windows event channel.
Provide a name and click on OK.
Enter the event log channel name (The one you found in the event log properties) and then click on SAVE AGENT GROUP.
I have added several other channels that were important to me in the same way.
Now if you go back to the server and go to the same path as the Agent’s configuration file. You will see a file with the name liagent-effective.ini that contains settings that are effectively applied to this agent. All the settings I made on the vRealize Log Insight can also be seen here.
Install Log Insight Agent on Linux
Now let’s go to installing the agent on the Linux operating system. Navigate to the Administration tab of the vRealize Log Insight and from the Management section, click Agents and then scroll to the bottom of the screen and click Download Log Insight Agent.
Download an installation package by selecting it from the pop-up menu based on Linux distribution and clicking Save.
|Linux RPM||Linux Red Hat, OpenSuse (32-bit/64-bit), or VMware Photon platform|
|Linux DEB||Linux Debian platform (32-bit/64-bit)|
|Linux BIN||Self-installing package for Linux (32-bit/64-bit).|
Log in to the Linux system as root permission or use sudo to run console commands. Move the installer rpm to a location on your destination server with software like WinSCP or a command like SCP. I copied the file to the tmp folder.
In order to install the vRealize Log Insight Linux agent with default configuration settings, run the following command.
To verify the installation run the following command
After installation, You need to edit liagent.ini to send the agent report to the Log Insight server back. The configuration file is located under /var/lib/loginsight-agent/.
To edit liagent.ini run the following command:
Edit the following value under the hostname to FQDN or IP address of the vRealize Log Insight server as shown in the following figure.
Uncomment the following line to send the logs of this directory to Log Insight server.
You have now fully installed and configured the agent on Windows and Linux versions, and by visiting the Log Insight dashboard you can check if the agent is working properly.
Now it’s time to go to vRealize Log Insight interactive analytics and look for a specific event log and see how vRealize log insight filters work. The interactive Analytics page lets you perform visual analysis on the results of your query. For example, consider the following scenario:
on a spring morning, your manager rushes to you and asks you to find the last time a specific server was shut down. The server administrator believes that his server has been shut down because the ping of the server has been down for a while. For further investigation, he wants to know if we have any event log about this downtime or not. So I have to look for a shutdown event log (Event id for shutdown is 1074) on the server in a specific time frame. I set the time interval to 7 days because they said it happened two or three days ago.
As you can see in the figure above, the server was restarted by the highlighted user, so the server was down for a few seconds during that time.