Log Insight 4.6: Agent Enhancements

Log Insight 4.6 introduces a variety of enhancements to the Log Insight agent. Read on to learn more!

Raw Syslog

I recently covered that the Log Insight server now supports event forwarding over syslog in raw format. The agent now also supports raw syslog in the same manner — sending syslog events without enforcing RFC compliance. This option is configured in filelog and winlog sections as well as from the common section. By default, the option is disabled.

Filelog

[filelog|messages]
directory=/var/log
include=messages
raw_syslog=yes

Winlog

[winlog|application]
channel=Application
raw_syslog=yes

Common

[common|filelog]
raw_syslog=yes

Journald

Systemd’s journald is the de-facto new standard for logging in systemd based Linux platforms. The Log Insight 4.6 agent now supports journald. The journald configuration section supports two options:

  • journal_files — which journal files should be monitored
    • “all” – open and monitor all available journal files
    • “local” – monitor and read only journal files generated on the local machine
    • “runtime” – monitor and read only volatile (runtime) journal files, excluding those stored on persistent storage
    • “system” – monitor and read only system services and the kernel journal files
    • “user” – monitor and read only journal files of the current LI agent user
  • fetch_fields — what fields should be fetched along with message from journal log entries; the option’s value is a case-insensitive list of field names separated by comma
    • Default = pri_severity,pri_facility,syslog_identifier
    • All = *
    • To disable = all

[journaldlog|syslog]
journal_files=all

UDP

The Log Insight agent has always supported sending events over syslog, but it required TCP. It is still common for legacy applications to only support UDP. To address this, the agent now supports sending syslog over UDP.

NOTE: UDP does not support SSL at this time. Any configured SSL settings will be ignored if UDP is configured, so events sent this way leave the host unencrypted.

To configure UDP, just use the syslog_udp protocol:

[server]
hostname=10.27.74.155
proto=syslog_udp
port=514

When the server hostname in the configuration is a domain name rather than an IP address, the agent relies on the socket layer resolver to choose between IPv4 and IPv6. If the name resolves to both an IPv4 and an IPv6 address, the agent uses the first one returned. Because UDP is unreliable, it is not always possible to detect network issues on a particular IP stack. To address this, an ipv setting is also available and can be set to either 4 or 6:

[server]
hostname=10.27.74.155
proto=syslog_udp
port=514
ipv=6
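To tie the raw syslog, journald and UDP sections together, here is an added example (my own code, not part of the Log Insight agent or this post) that lints an agent configuration for the options described above: it flags ssl=yes on a syslog_udp destination (ignored, per the note above), an ipv value other than 4 or 6, an unknown journal_files value, and sections that turn on raw_syslog so the downstream parser is known to accept non-RFC lines. The cfapi default protocol, the ssl key name and the sample values are assumptions.

```python
import configparser

# Accepted journal_files values from the post; cfapi default and ssl key are assumptions.
JOURNAL_FILES = {"all", "local", "runtime", "system", "user"}
YES_NO = {"yes", "no"}


def lint_agent_config(text):
    """Return a list of warning strings for an agent config in INI form."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    warnings = []
    for section in cp.sections():
        kind = section.split("|", 1)[0]  # "filelog|messages" -> "filelog"
        opts = cp[section]
        if kind == "server":
            proto = opts.get("proto", "cfapi").lower()  # assumed default protocol
            # SSL settings are ignored over UDP: the config expects encryption it will not get.
            if proto == "syslog_udp" and opts.get("ssl", "no").lower() == "yes":
                warnings.append(f"[{section}] ssl=yes is ignored with proto=syslog_udp; "
                                "events leave the host in cleartext")
            if "ipv" in opts and opts["ipv"] not in ("4", "6"):
                warnings.append(f"[{section}] ipv must be 4 or 6, got {opts['ipv']!r}")
        elif kind == "journaldlog":
            jf = opts.get("journal_files")
            if jf is not None and jf.lower() not in JOURNAL_FILES:
                warnings.append(f"[{section}] unknown journal_files value {jf!r}")
        elif kind in ("filelog", "winlog", "common"):
            raw = opts.get("raw_syslog")
            if raw is not None and raw.lower() not in YES_NO:
                warnings.append(f"[{section}] raw_syslog must be yes or no, got {raw!r}")
            elif raw is not None and raw.lower() == "yes":
                warnings.append(f"[{section}] raw_syslog=yes: RFC compliance is not enforced, "
                                "so the receiving parser must tolerate unstructured lines")
    return warnings


# Constructed sample: a UDP destination that still expects SSL, a bad ipv, a bad journal value.
SAMPLE = """\
[server]
hostname=loginsight.example.internal
proto=syslog_udp
port=514
ssl=yes
ipv=5

[journaldlog|syslog]
journal_files=everything

[filelog|messages]
directory=/var/log
include=messages
raw_syslog=yes
"""

if __name__ == "__main__":
    for w in lint_agent_config(SAMPLE):
        print("WARN", w)
```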

Disk Buffer

The maximum disk buffer has been increased from 2GB to 8GB. For most people, the default (200MB) is more than enough, but some large-scale situations require a larger buffer.

Compression

By default, over the CFAPI protocol, events are compressed before being sent. This significantly reduces the bandwidth required to send events. With that said, some intermediary devices do not support compression; an example of this is the AWS ELB. To address this, the Log Insight agent now has an option to disable compression. In general, I would not recommend disabling it, but it is available for situations such as the AWS ELB.

[server]
hostname=10.27.74.155
proto=syslog
port=514
compress=no

OS Support

Finally, VMware released Photon OS version 2 and the Log Insight 4.6 agent supports this new OS version.

Summary

Wow, the Log Insight 4.6 agent contains a ton of enhancements! In addition, it contains many bug fixes and security updates. I would strongly recommend upgrading when you have the chance.

© 2018, Steve Flanders. All rights reserved.
