Expanding upon my last post on Log Insight server best practices, in this post I would like to discuss Log Insight agent — client-side and server-side — best practices.
- Use a FQDN for the hostname: The only piece of information the Log Insight agent needs is where to forward events. This is done by setting the hostname setting either during installation or post-installation via the liagent.ini file. Settings within the [server] section — like hostname — and [storage] section can only be set client-side. The reason to use a FQDN is to make it easier to change the remote destination in the future if desired.
- Use the cfapi protocol when forwarding events to a Log Insight instance especially when required by a content pack: The Log Insight agent defaults to the cfapi, however it also supports the syslog protocol. When forwarding events to a Log Insight instance, the cfapi should always be used to take advantage of features the syslog RFC does not provide. In addition, any content pack requiring the Log Insight agent also requires the cfapi protocol.
- Increase the max_buffer_size: By default the max_buffer_size is 200MB, but expandable to 2000MB. If you have the disk space, I would recommend setting this to the maximum size available. This minimizes the risk of network interruptions resulting in dropped events.
- Do not increase debug_level: Increasing the debug_level results in more logs being written to disk and also results in overhead to the agent. The additional overhead can actually impact the ingestion rate of the agent and could lead to dropped events. Unless troubleshooting an issue, the debug_level should not be changed. If it is changed, be sure to change it back once done troubleshooting.
- Leverage server-side configuration: While you can configure Log Insight agents client-side, the best practice is to do so server-side to get configuration management. Note that some options such as [server] and [storage] can only be set client-side. Also note that server-side configuration always wins over client-side configuration — a merge happens and the results are stored in liagent-effective.ini. In the case of conflict, server-side configuration wins over client-side configuration.
Other important notes:
- Client-side configuration must be done in the liagent.ini file not liagent-effective.ini
- When viewing configuration look at the liagent-effective.ini file — but do not edit this file — as it contains the merged configuration between server-side and client-side
- The name for filelog and winlog sections must be unique
- Always review the agent log file for errors
© 2015, Steve Flanders. All rights reserved.
