I recently covered that the Log Insight server now supports event forwarding over syslog in raw format. The agent now also supports raw syslog in the same manner — sending syslog events without enforcing RFC compliance. This option is configured in filelog and winlog sections as well as from the common section. By default, the option is disabled.
[filelog|messages]
directory=/var/log
include=messages
raw_syslog=yes

[winlog|application]
channel=Application
raw_syslog=yes
Systemd’s journald is the de-facto new standard for logging on systemd-based Linux platforms. The Log Insight 4.6 agent now supports journald. The journald configuration section supports two options:
- journal_files — which journal files should be monitored:
  - “all” – open and monitor all available journal files
  - “local” – monitor and read only journal files generated on the local machine
  - “runtime” – monitor and read only volatile journal files, excluding those stored on persistent storage
  - “system” – monitor and read only system services and the kernel journal files
  - “user” – monitor and read only journal files of the current LI agent user
- fetch_fields — which fields should be fetched along with the message from journal log entries; the option’s value is a case-insensitive, comma-separated list of field names:
  - Default = pri_severity,pri_facility,syslog_identifier
  - All = *
  - To disable = all
The Log Insight agent has always supported sending events over syslog, but it required TCP. It is still common for legacy applications to only support UDP. To address this, the agent now supports sending syslog over UDP.
NOTE: UDP does not support SSL at this time. Any configured SSL settings will be ignored if UDP is configured.
To configure UDP, just use the syslog_udp protocol:
[server]
hostname=10.27.74.155
proto=syslog_udp
port=514
When a configured server hostname destination address mentioned in the configuration is represented by a domain name, the agent will rely on the socket layer resolver to choose between IPv4 or IPv6. If the domain name is resolved to both IP addresses, the agent will use the first one. Due to UDP’s unreliable nature it’s not always possible to detect network issues on a particular stack. To address this, an ipv setting is also available and can be set to either 4 or 6:
[server]
hostname=10.27.74.155
proto=syslog_udp
port=514
ipv=6
The max disk buffer has been increased from 2GB to 8GB. For most people, the default (200MB) is more than enough, but some large-scale situations require a larger buffer.
By default, over the CFAPI protocol, events are compressed before being sent. This significantly limits the amount of bandwidth required to send events. With that said, some intermediary devices may not support compression. An example of this would be the AWS ELB. To address this, the Log Insight agent now has an option to disable compression. By default, I would not recommend disabling this, but it is available for situations such as the AWS ELB.
[server]
hostname=10.27.74.155
proto=syslog
port=514
compress=no
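Because several of these new options interact (SSL is silently ignored over UDP, ipv only accepts 4 or 6, journal_files only accepts five values), it is worth linting an agent config before rolling it out. The following is an added example of such a check, not code from the post or from the Log Insight agent; the sample configuration is constructed, and the ssl= key is assumed to be the agent's SSL toggle.

```python
import configparser

VALID_JOURNAL_FILES = {"all", "local", "runtime", "system", "user"}

# Constructed liagent.ini fragment exercising the settings discussed above.
# The ssl= key is an assumption about the agent's SSL toggle.
SAMPLE_CONFIG = """
[server]
hostname=10.27.74.155
proto=syslog_udp
port=514
ssl=yes
ipv=5

[journald|system]
journal_files=remote
fetch_fields=PRI_SEVERITY, syslog_identifier

[filelog|messages]
directory=/var/log
include=messages
raw_syslog=yes
"""


def lint_agent_config(text):
    """Return (level, section, message) tuples for risky or invalid settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        opts = cp[section]
        kind = section.split("|", 1)[0]          # "filelog|messages" -> "filelog"
        if kind == "server":
            if opts.get("proto") == "syslog_udp" and opts.get("ssl", "no") == "yes":
                findings.append(("warn", section, "ssl=yes is ignored over syslog_udp; events are sent in cleartext"))
            if "ipv" in opts and opts["ipv"] not in ("4", "6"):
                findings.append(("error", section, "ipv must be 4 or 6"))
            if opts.get("compress") == "no":
                findings.append(("info", section, "compression disabled; expect higher bandwidth use"))
        elif kind == "journald":
            journal_files = opts.get("journal_files", "").lower()
            if journal_files and journal_files not in VALID_JOURNAL_FILES:
                findings.append(("error", section, f"unknown journal_files value '{journal_files}'"))
            # fetch_fields is case-insensitive and comma separated; normalise it
            fields = [f.strip().lower() for f in opts.get("fetch_fields", "").split(",") if f.strip()]
            if fields:
                findings.append(("info", section, "fetching fields: " + ",".join(fields)))
        if kind in ("common", "filelog", "winlog") and opts.get("raw_syslog") == "yes":
            findings.append(("info", section, "raw_syslog=yes: RFC compliance is not enforced on forwarded events"))
    return findings
```

Run `lint_agent_config(SAMPLE_CONFIG)` and act on any "error" or "warn" entries before deploying the file.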
Finally, VMware released Photon OS version 2 and the Log Insight 4.6 agent supports this new OS version.
Wow, the Log Insight 4.6 agent contains a ton of enhancements! In addition, it contains many bug fixes and security updates. I would strongly recommend upgrading when you have the chance.
© 2018, Steve Flanders. All rights reserved.