In my previous post, I discussed how to build Log Insight Windows agent configuration sections for monitoring log files. In this post, I would like to provide some additional sample configurations for common Microsoft and VMware applications. I will be updating this post over time, so be sure to check back from time to time!
NOTES:
– If you are running agent version 2.5 or newer, you do not need to restart the agent for changes to take effect. For versions older than 2.5, you do need to restart the agent for changes to take effect.
– You can add configuration client-side via the liagent.ini file, server-side from /admin/agents or a combination of both.
– The configurations listed below are meant to be samples and may need to be adjusted for your specific environment.
Microsoft
Windows
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[winlog|WindowsFirewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

[winlog|UAC]
channel=Microsoft-Windows-UAC/Operational
To track logon events, you must enable both the “Success” and “Failure” Security Settings of the “Audit account logon events” policy in Group Policy. To track UAC-related events, you must enable both the “Success” and “Failure” Security Settings of the “Audit privilege use” and “Audit process tracking” policies in Group Policy.
For the latest information, see Solution Exchange.
Active Directory
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[winlog|DirectoryService]
channel=Directory Service

[winlog|DNS_Server]
channel=DNS Server

[winlog|DFS_Replication]
channel=DFS Replication
To track logon events, you must enable both the “Success” and “Failure” Security Settings of the “Audit account management” and “Audit account logon events” policies in Group Policy.
For the latest information, see Solution Exchange.
DHCP
[filelog|win-dhcp-server]
directory=C:\Windows\Sysnative\dhcp
include=Dhcp*
tags={"ms_product":"dhcp"}
Exchange
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[winlog|MSExchange_Management]
channel=MSExchange Management
To track even more information from Exchange, see Solution Exchange.
IIS
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[filelog|IIS]
directory=C:\inetpub\logs\LogFiles\W3SVC1
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SQL
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
; Adjust the instance folder name to match your SQL Server instance
[filelog|SQL2008]
directory=C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\
include=ERRORLOG.log
exclude=*.trc
charset=UTF-16LE
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}

[filelog|SQL2012]
directory=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\
include=ERRORLOG.log
exclude=*.trc
charset=UTF-16LE
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}
VMware
Dump Collector
[filelog|DumpCollector]
directory=C:\ProgramData\VMware\VMware ESXi Dump Collector\logs
Horizon View
[filelog|HorizonView]
directory=C:\ProgramData\VMware\VDM\logs
include=log-*.txt;debug-*.txt;pcoip_agent*.txt;pcoip_server*.txt
exclude=pcoip_perf*.txt;v4v*.log;wsnm_starts.txt
For the latest information, see Solution Exchange.
SRM
[filelog|vCenterSRM]
directory=C:\ProgramData\VMware\VMware vCenter Site Recovery Manager\Logs
include=vmware-dr-*.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
UM (Update Manager)
[filelog|vCenterUM]
directory=C:\ProgramData\VMware\VMware Update Manager\Logs
include=vmware-vum-server-log4cpp.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}
vCAC
Covered in this post, this post and this post.
vCS
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[filelog|vCenterMain]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|vCenterAlert]
enabled=no
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd-alert.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|vCenterCIMLSStatsVCMSDS]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=cim-diag.log;vws.log;ls.log;stats.log;jointool.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}

[filelog|vCenterEAM]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=eam.log
event_marker=^\s*[A-Z]+\s+\|

[filelog|vCenterCatalina]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=catalina.*.log;localhost.*.log
event_marker=^\d{2}-[A-Za-z]+-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}

[filelog|vCenterInvSrv]
directory=C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs
include=ds.log;ds-perf.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}

[filelog|vCenterPDStor]
directory=C:\ProgramData\VMware\Infrastructure\Profile-Driven Storage\Logs\
include=sps.log
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
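The event_marker values in these samples only help if they match the first line of every event in the file being collected. As an added example (not from the original post and not the agent's own code), the Python script below reads a fragment in liagent.ini syntax and groups log lines, assuming that a line matching event_marker starts a new event and any other line is appended to the previous one. The log lines and the function names load_markers and split_events are constructed for illustration.

```python
import configparser
import re

# Constructed fragment in liagent.ini syntax (the vCenterMain sample from this page).
SAMPLE_INI = r"""
[filelog|vCenterMain]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
"""

# Constructed log lines: the last one uses a timestamp format the marker does not cover.
SAMPLE_LOG = """\
2014-06-01T10:15:30.123Z [04512 info 'Default'] Task started
2014-06-01T10:15:31.456Z [04512 error 'Default'] Unhandled exception
   backtrace line 1
   backtrace line 2
2014-06-01 10:15:32.000 line in a different timestamp format
"""


def load_markers(ini_text):
    """Return {name: compiled event_marker or None} for each [filelog|name] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)
    markers = {}
    for section in cp.sections():
        kind, _, name = section.partition("|")
        pattern = cp[section].get("event_marker")
        if kind == "filelog":
            markers[name] = re.compile(pattern) if pattern else None
    return markers


def split_events(lines, marker):
    """Group lines into events; without a marker every line is its own event."""
    events = []
    for line in lines:
        if marker is None or marker.search(line) or not events:
            events.append([line])
        else:
            events[-1].append(line)  # continuation line, or a line the marker missed
    return events


if __name__ == "__main__":
    marker = load_markers(SAMPLE_INI)["vCenterMain"]
    for ev in split_events(SAMPLE_LOG.splitlines(), marker):
        print(len(ev), "line(s):", ev[0][:60])
```

The last constructed line has a space instead of a letter between date and time, so it is silently appended to the preceding event; an unexpectedly long event like that is the symptom to look for when a marker does not fit your log format.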
Other
Apache
IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.
[filelog|apache-windows]
directory=C:\Apache\logs
tags={"asf_product":"http"}
© 2014, Steve Flanders. All rights reserved.
Hi Steve, thanks for expertise shared here. I’m using them, and things start appearing! I was wondering why before, spending hours figuring out what on earth I did wrong 🙂 Just adding a little note for your blog audience, no restart required!
BTW, instead of copying the config for each app, can we just copy all of them and have a big config file? In future, if we can just put the config file on the log insight server as mount point, so we just update at 1 place. Easier this way 🙂
Hey Iwan – Thanks for the comment! Yes, if you are running the 2.5 version of the agent then no restart is required. I covered this in a different post, but will add a note here. As for configuration consolidation, you can do that today! Go to /admin/agents and add your configuration 🙂
Hi, what are the logs that you will suggest for vCenter Server 6.0?
Hey Sam — Thanks for the comment! Starting with LI 3.0, the vSphere content pack comes with LI agent groups to configure vCenter Server. I would encourage you to use those. I hope this helps!