Log Insight 3.6: Agent Common Configuration

The Log Insight agent is extremely powerful — for more information see this post — and recommended whether you are using the Log Insight server or not. In Log Insight 3.6, a common configuration section has been added, which makesĀ agent configuration even easier. Read on to learn more!
li-agent

Background

The Log Insight agent allows for collection of events through filelog and winlog configuration sections. These sections support a variety of options. Prior to Log Insight 3.6, all of these options had to be defined in every single configuration section. For example, if you wanted to collect and tag events from ten different directories then this would require ten different configuration sections each with the exact same tag defined. This, of course, means if you needed to change the tag in the future, you would need to change it in ten times.

Common Configuration

In Log Insight 3.6 and newer, you can now define a common configuration section. This section accepts one of the following “names”:

  • global — applies to all sections by default
  • filelog — applies to filelog sections only; overrides global
  • winlog — applies to winlog sections only; overrides global

The common configuration section accepts the following options:

  • charset
  • event_marker
  • exclude
  • exclude_fields
  • incude
  • parser
  • tags

Example

So let’s see the common configuration section in action. Let’s say I have the following configuration:

[common|global]
include=*.log
tag={"name":"global"}
[common|filelog]
include=*.txt
tag={"name":"filelog"}
[filelog|test]
directory=/var/log/test
tag={"name":"test"}

What happens? Well, after merging, the configuration looks like:

[filelog|test]
directory=/var/log/test
tag={"name":"test"}

In short:

  • Options whose values represent a list of values (e.g. tags, include, exclude, and exclude_tags) are merged
  • In the case of tags, values from sections with a higher priority override the value of the same tag from a section with lower priority — priority is determined by how specific the section is with more specific getting a higher priority
  • The value of options that can have a single value (e.g. event_marker, charset, and parser) are overridden by values from sections with higher priority

Notes:

  • Like filelog and winlog sections, invalid values in common sections are skipped and not merged
  • Common configuration is only possible client-side as of Log Insight 3.6

© 2016, Steve Flanders. All rights reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top