Log Insight Agent: Static Fields

Back in the early Log Insight days, I wrote about the types of fields in Log Insight and which static fields were provided automatically (more in this post). Today, I would like to discuss the automatic static fields that the Log Insight agent provides. Read on to learn more!


By default, the agent provides one additional static field depending on the type of configuration section you are using:

  • Filelog: filepath (the absolute path of the file)
  • Winlog: channel (as defined in Windows Event Viewer)

This single piece of information is extremely valuable because it tells you where on the client the event is stored, something the syslog protocol cannot provide: a syslog message is emitted before (and independently of) any write of that event to a local file, if such a write happens at all.
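As an added example (not taken from the original post), a minimal liagent.ini fragment with one section of each type, annotated with the static field each section produces automatically; the section names, directory and file patterns are assumed for illustration:

```ini
; Added example liagent.ini fragment (not from the original post).
; Section names, directories and file patterns are assumed for illustration.

; filelog section: every event read from these files carries the automatic
; static field "filepath", set to the absolute path of the source file
; (for example /var/log/auth.log), which syslog alone would not tell you.
[filelog|linux-auth]
directory=/var/log
include=auth.log;secure

; winlog section: every event from this channel carries the automatic static
; field "channel" (here: Security), and the agent additionally parses each
; record into eventid, eventrecordid, level, providername, task, and so on.
[winlog|security]
channel=Security
```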

In the case of winlog, automatic parsing occurs, which gives you a variety of fields:

  • eventid
  • eventrecordid
  • eventsourcename (optional)
  • keywords
  • level
  • opcode (optional)
  • providername
  • task
  • userid (optional)

While filelog does not parse your events by default, a variety of content packs are available that can do the parsing for you (e.g. the Linux content pack gives you syslog parsing fields).

© 2016, Steve Flanders. All rights reserved.
