Log Insight Agent: Windows Configurations for Common Applications

In my previous post, I discussed how to build Log Insight Windows agent configuration sections for monitoring log files. In this post I would like to provide some additional sample configurations for common Microsoft and VMware applications. I will be updating this post over time, so be sure to check back from time to time!

NOTES:
– If you are running agent version 2.5 or newer, you do not need to restart the agent for changes to take effect. For versions older than 2.5, you do need to restart the agent for changes to take effect.
– You can add configuration client-side via the liagent.ini file, server-side from /admin/agents, or a combination of both.
– The configurations listed below are meant to be samples and may need to be adjusted for your specific environment.

Microsoft

Windows

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[winlog|WindowsFirewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
[winlog|UAC]
channel=Microsoft-Windows-UAC/Operational

To track logon events, you must enable both the “Success” and “Failure” Security Settings of the “Audit account logon events” policy in Group Policy. To track UAC-related events, you must enable both the “Success” and “Failure” Security Settings of the “Audit privilege use” and “Audit process tracking” policies in Group Policy.
For the latest information, see Solution Exchange.

Active Directory

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[winlog|DirectoryService]
channel=Directory Service
[winlog|DNS_Server]
channel=DNS Server
[winlog|DFS_Replication]
channel=DFS Replication

To track logon events, you must enable both the “Success” and “Failure” Security Settings of the “Audit account management” and “Audit account logon events” policies in Group Policy.
For the latest information, see Solution Exchange.

DHCP

[filelog|win-dhcp-server]
directory=C:\Windows\Sysnative\dhcp
include=Dhcp*
tags={"ms_product":"dhcp"}

Exchange

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[winlog|MSExchange_Management]
channel=MSExchange Management

To track even more information from Exchange, see Solution Exchange.

IIS

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[filelog|IIS]
directory=C:\inetpub\logs\LogFiles\W3SVC1
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

SQL

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[filelog|SQL2008]
directory=C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\
include=ERRORLOG.log
exclude=*.trc
charset=UTF-16LE
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}
[filelog|SQL2012]
directory=C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Log\
include=ERRORLOG.log
exclude=*.trc
charset=UTF-16LE
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}

VMware

Dump Collector

[filelog|DumpCollector]
directory=C:\ProgramData\VMware\VMware ESXi Dump Collector\logs

Horizon View

[filelog|HorizonView]
directory=C:\ProgramData\VMware\VDM\logs
include=log-*.txt;debug-*.txt;pcoip_agent*.txt;pcoip_server*.txt
exclude=pcoip_perf*.txt;v4v*.log;wsnm_starts.txt

For the latest information, see Solution Exchange.

SRM

[filelog|vCenterSRM]
directory=C:\ProgramData\VMware\VMware vCenter Site Recovery Manager\Logs
include=vmware-dr-*.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}

UM (Update Manager)

[filelog|vCenterUM]
directory=C:\ProgramData\VMware\VMware Update Manager\Logs
include=vmware-vum-server-log4cpp.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}

vCAC

Covered in this post, this post, and this post.

vCS

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[filelog|vCenterMain]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
[filelog|vCenterAlert]
enabled=no
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd-alert.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
[filelog|vCenterCIMLSStatsVCMSDS]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=cim-diag.log;vws.log;ls.log;stats.log;jointool.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
[filelog|vCenterEAM]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=eam.log
event_marker=^\s*[A-Z]+\s+\|
[filelog|vCenterCatalina]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=catalina.*.log;localhost.*.log
event_marker=^\d{2}-[A-Za-z]+-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}
[filelog|vCenterInvSrv]
directory=C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs
include=ds.log;ds-perf.log
event_marker=^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
[filelog|vCenterPDStor]
directory=C:\ProgramData\VMware\Infrastructure\Profile-Driven Storage\Logs\
include=sps.log
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
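The filelog sections above depend on three settings working together: include/exclude globs pick the files, charset decodes them, and event_marker decides where one multi-line event ends and the next begins. The following script is an added example (not code from the original post or from the Log Insight agent): it reads sections in the liagent.ini format used here and replays them against constructed sample lines, so a marker can be checked before it is deployed. The "exclude wins over include" rule and the BOM handling are assumptions about agent behaviour; the ERRORLOG and vpxd.log lines are constructed.

```python
import configparser
import fnmatch
import re

# Constructed liagent.ini excerpt in the page's [filelog|<name>] format (SQL2012 and vCenterMain values from above).
LIAGENT_INI = r"""
[filelog|SQL2012]
include=ERRORLOG.log
exclude=*.trc
charset=UTF-16LE
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}
[filelog|vCenterMain]
include=vpxd.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
"""

def load_sections(ini_text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '%' in Windows paths literal
    cp.read_string(ini_text)
    return {name: dict(cp[name]) for name in cp.sections()}
def file_selected(section, filename):
    # Semicolon-separated globs, case-insensitive as on Windows; exclude wins (assumed).
    inc = [p.lower() for p in section.get("include", "*").split(";") if p]
    exc = [p.lower() for p in section.get("exclude", "").split(";") if p]
    return (any(fnmatch.fnmatchcase(filename.lower(), p) for p in inc)
            and not any(fnmatch.fnmatchcase(filename.lower(), p) for p in exc))
def split_events(section, raw_bytes):
    # Decode with the section's charset and drop a BOM (SQL Server's ERRORLOG has one; '^' would
    # never match the first line otherwise), then start a new event at each line matching event_marker.
    text = raw_bytes.decode(section.get("charset", "utf-8")).lstrip("\ufeff")
    marker = re.compile(section["event_marker"])
    events = []
    for line in text.splitlines():
        if marker.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line  # continuation line (stack trace, banner) joins the previous event
    return events

# Constructed samples: a UTF-16LE ERRORLOG with BOM, and a vpxd.log with a backtrace.
SQL_ERRORLOG = b"\xff\xfe" + "\n".join([
    "2014-05-10 08:00:01.23 Server      Microsoft SQL Server 2012 (X64)",
    "\tCopyright (c) Microsoft Corporation",
    "2014-05-10 08:00:02.45 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]",
]).encode("utf-16-le")
VPXD_LOG = "\n".join([
    "2014-05-10T08:00:01.123Z [07F4 info 'Default'] Logging uses fast path: false",
    "2014-05-10T08:00:01.456Z [07F4 error 'Default'] Backtrace:",
    "--> backtrace[00] rip 000000018018b32a",
]).encode("utf-8")
```

Running split_events over the SQL sample yields two events, the first spanning the banner and its indented continuation line; a marker that does not match would instead glue every line onto the first event, which is the symptom to look for when events arrive merged in Log Insight.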

Other

Apache

IMPORTANT: If you are running Log Insight 3.0 or newer, install the content pack from the in-product marketplace and enable the included agent group(s) to get the latest configuration.

[filelog|apache-windows]
directory=C:\Apache\logs
tags={"asf_product":"http"}


© 2014, Steve Flanders. All rights reserved.

4 comments on “Log Insight Agent: Windows Configurations for Common Applications”

Hi Steve, thanks for the expertise shared here. I’m using them, and things start appearing! I was wondering why before, spending hours figuring out what on earth I did wrong 🙂 Just adding a little note for your blog audience: no restart required!
BTW, instead of copying the config for each app, can we just copy all of them and have a big config file? In the future, if we can just put the config file on the Log Insight server as a mount point, we just update in 1 place. Easier this way 🙂

Hey Iwan – Thanks for the comment! Yes, if you are running the 2.5 version of the agent then no restart is required. I covered this in a different post, but will add a note here. As for configuration consolidation, you can do that today! Go to /admin/agents and add your configuration 🙂

Sam says:

Hi, what are the logs that you will suggest for vCenter Server 6.0 ?

Hey Sam — Thanks for the comment! Starting with LI 3.0, the vSphere content pack comes with LI agent groups to configure vCenter Server. I would encourage you to use those. I hope this helps!
