Log Insight 2.0 Beta: Windows Agent

As you probably know, Windows does not natively support syslog. Several third-party syslog agents exist for Windows, but each comes with a list of pros and cons (for examples, see this post). In addition, getting support for a Windows agent can be costly. To address these limitations, Log Insight has introduced a Windows agent. I would like to walk you through how to install and configure the agent.

Installation

The agent is available as a 2MB MSI file. The agent can be installed in two ways:

  1. By simply double-clicking the MSI file, in which case the installation happens silently
  2. Using the command line, where customization flags can be passed and deployment automation is possible

The agent is meant to be as noninvasive as possible and as such installs itself as a service hidden from view. By default, the agent is configured to send events to a Log Insight instance called loginsight. If loginsight does not resolve (via DNS or the local hosts file) from the Windows device the agent was installed on, no events will be forwarded. This can be addressed by installing via the CLI or by editing the agent configuration file. An example of a CLI installation would be:

liagent.msi SERVERHOST=myliserver.domain.com

Configuration

The agent configuration file is stored in C:\ProgramData\VMware\Log Insight Agent\liagent.ini. The default configuration collects the application, security, and system events from the Windows event viewer, but the configuration can be modified as desired. The configuration file supports four different types of sections that all follow the format of:

[<sectionHeader>[|<sectionName>]]
<key1>=<value1>
<key2>=<value2>
...

The four possible types of sections are outlined below.

Server

[server]
proto=<cfapi|syslog>
hostname=<loginsightFQDN>
port=<9000|514|1514>

The agent supports both Log Insight’s new RESTful ingestion API (available in the 2.0 beta) and the standard syslog protocol. By default the agent uses the ingestion API. The recommendation is to always use the ingestion API, as it enables additional features that the syslog protocol does not support (more on this later). The server section does not take a <sectionName>. For more information on the server section, see this link.

Storage

[storage]
max_disk_buffer=200

The storage section is for advanced settings, and in the beta changing the storage section should not be necessary. The storage section does not take a <sectionName>. For more information on what the options in the storage section mean, see this link.

Winlog

[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Winlog sections are used to collect logs from the Windows event viewer. A winlog section requires a unique <sectionName> for each channel to be monitored. The only required option in a winlog section is the channel option, which should point to the name of a valid Windows event viewer channel. For more information on the winlog settings, see this link.

Filelog

[filelog|vCenterMain]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd-*.log
exclude=vpxd-alert-*.log;vpxd-profiler-*.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}

Filelog sections are used to collect logs from the filesystem in Windows. A filelog section requires a unique <sectionName> for each directory to be monitored. The directory specified must be an absolute path and does not support globs. In addition to the directory option, an include option must be specified to tell the agent which file(s) to collect from the directory. The include option does support globs. If desired, an exclude option can also be specified to remove files that are matched by the include option but should not be forwarded. Also if desired, an event_marker can be specified, which is a regex that denotes the start of a new log entry within a file (more on this in a later post). For more information on the filelog settings, see this link.
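To make the section format and the per-section rules above concrete, here is an added example (my own illustrative code, not the Log Insight agent's) that parses a liagent.ini-style file into `[<sectionHeader>|<sectionName>]` sections, checks the constraints stated for the server, storage, winlog and filelog sections (including the easily missed case where hostname is still the default loginsight), and shows how an event_marker regex groups physical lines into log entries. The sample config and the vpxd-style log lines are constructed for the example; the function names and the exact checks are my own choices, not part of the product.

```python
"""Parse and sanity-check a liagent.ini-style configuration (illustrative example,
not the agent's own code): the [<sectionHeader>[|<sectionName>]] layout, the
per-section rules described above, and event_marker-based entry splitting."""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, str, Dict[str, str]]  # (header, name, options)

# Constructed sample config: the post's section examples plus two deliberately
# broken sections (a winlog without a channel, a filelog with a relative path).
SAMPLE_INI = r"""
[server]
proto=cfapi
hostname=loginsight
port=9000
[storage]
max_disk_buffer=200
[winlog|Events_Firewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
[winlog|Events_Broken]
level=info
[filelog|vCenterMain]
directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs
include=vpxd-*.log
exclude=vpxd-alert-*.log;vpxd-profiler-*.log
event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}
[filelog|Relative]
directory=logs\app
include=*.log
"""

SECTION_RE = re.compile(r"^\[(?P<header>[^|\]]+)(?:\|(?P<name>[^\]]+))?\]$")
WIN_ABS_PATH = re.compile(r"^[A-Za-z]:\\")  # drive letter followed by a backslash
GLOB_CHARS = set("*?[")


def parse_ini(text: str) -> List[Section]:
    """Return (header, name, options) triples; name is '' for unnamed sections."""
    sections: List[Section] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        match = SECTION_RE.match(line)
        if match:
            sections.append((match.group("header"), match.group("name") or "", {}))
            continue
        if "=" not in line or not sections:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[-1][2][key.strip()] = value.strip()
    return sections


def validate(sections: List[Section]) -> List[str]:
    """Apply the rules the post states; return one message per problem found."""
    problems: List[str] = []
    for header, name, opts in sections:
        where = f"[{header}|{name}]" if name else f"[{header}]"
        if header in ("server", "storage") and name:
            problems.append(f"{where}: {header} sections carry no section name")
        if header in ("winlog", "filelog") and not name:
            problems.append(f"{where}: {header} needs a unique section name")
        if header == "server":
            if opts.get("proto", "cfapi") not in ("cfapi", "syslog"):
                problems.append(f"{where}: proto must be cfapi or syslog")
            # Default target: if 'loginsight' does not resolve, nothing is forwarded.
            if opts.get("hostname", "loginsight") == "loginsight":
                problems.append(f"{where}: hostname is still the default 'loginsight'")
        elif header == "winlog":
            if "channel" not in opts:
                problems.append(f"{where}: winlog requires a channel")
        elif header == "filelog":
            directory = opts.get("directory", "")
            if not WIN_ABS_PATH.match(directory):
                problems.append(f"{where}: directory must be an absolute path")
            elif GLOB_CHARS & set(directory):
                problems.append(f"{where}: directory does not support globs")
            if "include" not in opts:
                problems.append(f"{where}: filelog requires an include pattern")
            try:
                re.compile(opts.get("event_marker", ""))
            except re.error as exc:
                problems.append(f"{where}: invalid event_marker ({exc})")
        elif header != "storage":
            problems.append(f"{where}: unknown section type")
    return problems


def split_events(lines: List[str], event_marker: str) -> List[str]:
    """Group physical lines into entries: a line matching the marker starts a new one."""
    starts = re.compile(event_marker)
    events: List[str] = []
    current: List[str] = []
    for line in lines:
        if current and starts.match(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


# Constructed vpxd-style lines; the second entry spans three physical lines.
SAMPLE_MARKER = r"^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}"
SAMPLE_VPXD_LINES = [
    "2014-06-18T12:11:32.064 [01234 info 'Default'] constructed entry one",
    "2014-06-18T12:11:33.100 [01234 error 'Default'] constructed failure",
    "    frame 1 (continuation of the failure entry)",
    "    frame 2 (continuation of the failure entry)",
    "2014-06-18T12:11:34.000 [01234 info 'Default'] constructed entry three",
]

if __name__ == "__main__":
    for problem in validate(parse_ini(SAMPLE_INI)):
        print("PROBLEM:", problem)
    for event in split_events(SAMPLE_VPXD_LINES, SAMPLE_MARKER):
        print("EVENT:", event.replace("\n", " | "))
```

Run it as a script to see the three problems in the constructed config and the three grouped vpxd entries. The hostname check is the one worth keeping in a deployment pipeline: a fleet of agents pointed at an unresolvable default name fails silently, with no events and no obvious error.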

Summary

As you can see, the Log Insight Windows agent is a full-featured agent that can collect both Windows event logs and filesystem logs. Coupled with the Log Insight ingestion API, the agent gains additional abilities over the syslog protocol (more on this in a later post). The agent was built from scratch to be small and highly efficient. With a Windows agent, Log Insight can now support logging beyond the server side. I would highly encourage you to try the agent out!
UPDATE: Michael White pointed out that the vpxd filelog example in the documentation is not correct. This has been updated in this post and will be updated for the Log Insight 2.0 documentation. Thanks Michael!

© 2014, Steve Flanders. All rights reserved.

4 comments on “Log Insight 2.0 Beta: Windows Agent”

Peter Boguszewski says:

I am trying to log DHCP data which lives in the C:\Windows\System32\dhcp directory. I keep getting an error:
2014-06-18 12:11:32.064285 0x00000f58 FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|windowsAuditDHCP] will stay dormant until properly configured.
I assume this is a permissions issue because I do not get the error when pointing to a newly created c:\tmp directory.
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:52 | Configuring FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:54 | FLogCollector configured
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:61 | Starting FLogCollector
2014-06-18 12:07:29.607531 0x00000ef4 WinLogCollector:203| WinLogCollector thread begin
I tried enabling “Allow service to interact with desktop” in the service, but it did not seem to work. Should I log in as a different user for the service as opposed to the default of “Local System account”? Thanks for any feedback!

Hey Peter, this has to do with 32 vs 64 bit systems. The workaround is to move the DHCP logs outside of the system32 directory.

Charles says:

Does this work in a Windows Server 2003 environment? And can it forward application-level specific logs such as AD or SQL to LI?

Hey Charles — Thanks for the comment! It does not. I cover the supported versions here: https://sflanders.net/2014/06/30/deploying-log-insight-2-0-windows-agent/ (during the beta the versions supported were not finalized)
