As you probably know, Windows does not natively support syslog. Several third-party syslog agents exist for Windows, but each comes with its own list of pros and cons (for examples, see this post). In addition, getting support for a Windows agent can be costly. To address these limitations, Log Insight has introduced a Windows agent. I would like to walk you through how to install and configure the agent.
The agent is available as a 2MB MSI file. The agent can be installed in two ways:
- By simply double clicking the executable in which case the installation happens silently
- Using the command line where customization flags can be passed and deployment automation is possible
The agent is meant to be as noninvasive as possible and as such installs itself as a service hidden from view. By default, the agent is configured to send events to a Log Insight instance called loginsight. If loginsight does not resolve (i.e. via DNS or the local hosts file) from the Windows device it was installed on, then no events will be forwarded. This can be addressed by installing via the CLI or by editing the agent configuration file. An example of a CLI installation would be:
The agent configuration file is stored in C:\ProgramData\VMware\Log Insight Agent\liagent.ini. The default configuration collects the Application, Security, and System events from the Windows Event Viewer, but the configuration can be modified as desired. The configuration file supports four different types of sections that all follow the format of:
The four possible types of sections are outlined below.
The agent supports both Log Insight's new RESTful ingestion API (available in the 2.0 beta) and the standard syslog protocol. By default the agent uses the ingestion API. The recommendation is to always use the ingestion API, because it enables additional features that the syslog protocol does not support (more on this later). The server section does not contain a <sectionHeader>. For more information on the server section, see this link.
The storage section is for advanced settings, and in the beta, changing the storage section should not be necessary. The storage section does not contain a <sectionHeader>. For more information on what the options in the storage section mean, see this link.
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
Winlog sections are used to collect logs from the Windows Event Viewer. The winlog section requires a unique <sectionHeader> for each channel to be monitored. The only required option in the winlog section is the channel option, which should point to the name of a valid Windows Event Viewer channel. For more information on the winlog settings, see this link.
Filelog sections are used to collect logs from the Windows filesystem. The filelog section requires a unique <sectionHeader> for each directory to be monitored. The directory specified must be an absolute path and does not support globs. In addition to the directory option, an include option must be specified to tell the agent which file(s) to collect from the directory. The include option does support globs. If desired, an exclude option can also be specified to remove files that are caught by the include option but should not be forwarded. Also, if desired, an event_marker can be specified, which is a regex value that denotes the start of a new log entry within a file (more on this in a later post). For more information on the filelog settings, see this link.
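To make the filelog rules above concrete, here is an added example (my own code, not part of the agent or the post) that parses a constructed liagent.ini fragment and applies those rules: it rejects a relative or glob-containing directory, requires include, applies include/exclude globs to a list of filenames, and uses event_marker to split a multi-line log into entries. The [filelog|<name>] header form and the semicolon as glob separator are assumptions of this example, since the post's format line is missing.

```python
import configparser
import fnmatch
import ntpath
import re

# Constructed liagent.ini fragment (not from the post); header form and ";" separator are assumed.
SAMPLE_INI = """
[filelog|vpxd]
directory=C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs
include=vpxd-*.log;vpxd-alert-*.log
exclude=vpxd-profiler-*.log
event_marker=^\\d{4}-\\d{2}-\\d{2}T
"""

def parse_filelog_sections(text):
    """Return {name: options} for each [filelog|name] section, enforcing the post's rules."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    cp.read_string(text)
    sections = {}
    for sec in cp.sections():
        kind, _, name = sec.partition("|")
        if kind != "filelog":
            continue  # server/storage/winlog sections are out of scope here
        opts = dict(cp[sec])
        directory = opts.get("directory", "")
        # directory must be an absolute Windows path and may not contain glob characters
        if not ntpath.isabs(directory) or any(c in directory for c in "*?["):
            raise ValueError(f"{sec}: directory must be absolute and contain no globs")
        if "include" not in opts:
            raise ValueError(f"{sec}: include is required")
        opts["include"] = opts["include"].split(";")
        opts["exclude"] = opts["exclude"].split(";") if opts.get("exclude") else []
        if "event_marker" in opts:
            re.compile(opts["event_marker"])  # raises re.error if the regex is invalid
        sections[name] = opts
    return sections

def selected_files(opts, filenames):
    """Keep files matching any include glob, then drop any that match an exclude glob."""
    inc = [f for f in filenames if any(fnmatch.fnmatch(f, p) for p in opts["include"])]
    return [f for f in inc if not any(fnmatch.fnmatch(f, p) for p in opts["exclude"])]

def split_events(opts, text):
    """A line matching event_marker starts a new entry; other lines join the current entry."""
    marker = re.compile(opts["event_marker"])
    events = []
    for line in text.splitlines():
        if marker.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line  # continuation line, e.g. a stack trace
    return events
```

Without an event_marker, a multi-line stack trace would be forwarded as several unrelated events, which is why the marker matters for anything you later want to query as one entry.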
As you can see, the Log Insight Windows agent is a full-featured agent that can collect both Windows event logs and filesystem logs. Coupled with the Log Insight ingestion API, the agent gains additional abilities over the syslog protocol (more on this in a later post). The agent was built from scratch to be small and highly efficient. With a Windows agent, Log Insight can now support logging beyond the server side. I would highly encourage you to try the agent out!
UPDATE: Michael White pointed out that the vpxd filelog example in the documentation is not correct. This has been updated in this post and will be updated for the Log Insight 2.0 documentation. Thanks Michael!
© 2014, Steve Flanders. All rights reserved.