Installing the Windows agent for vRealize Log Insight

Installing the Windows agent for Log Insight

Log Insight can collect data from various sources, as I explained earlier. Systems either push their data to the central server directly, or send it through an agent in the operating system.

 

There are two agents available for deployment, a Linux agent and a Windows agent. Both agents can be downloaded right from the Log Insight interface. Go to the admin -> Administration panel -> Agents. In this article I will be installing the Windows agent.

In the screenshot on the right you can see that I already added one Linux agent to Log Insight. At the bottom of the screen you can download the agent.

 

 

 

 

Windows agent

The Windows agent can be installed by hand, but it can also be installed by a group policy or other deployment method. You can use group policies for the deployment to your machines, or System Center, Automation Machine, or unattended during the creation of your image.

Install on multiple machines

The manual at VMware tells you to use Orca to create a transform (.mst) file for the deployment to multiple machines. I noticed that, when you download the agent from the interface, the Log Insight host is already entered. It took me a while before I realized that the Log Insight hostname is part of the downloaded agent from the GUI. Neat trick if you ask me.

You can configure the agent from command line as well. All parameters you can change with Orca you can also enter on the command line. My command line for the installation for example is:

msiexec /i VMware-Log-Insight-Agent-3.0.0-2985111.msi SERVERHOST="li.vmguru.local" /qn

 

Make sure you use all caps for the variable, otherwise it will not work. If you run this command, run it as an administrator, since the installation doesn’t ask for permission, nor does it pop up the privilege elevation window.

You can pass other parameters as well.

| Parameter | Description |
| --- | --- |
| SERVERHOST | IP address or host name of the vRealize Log Insight virtual appliance. |
| SERVERPROTO | Protocol that the agent uses to send events to the Log Insight server. The possible values are cfapi and syslog. Use the default cfapi setting. |
| SERVERPORT | Communication port that the agent uses to send events to the vRealize Log Insight server. The default values are 9543 for cfapi with SSL enabled, 9000 for cfapi with SSL disabled, 6514 for syslog with SSL enabled and 514 for syslog with SSL disabled. |
| SERVICEACCOUNT | User service account under which the Log Insight Windows Agent service will run. Note: The account supplied in the SERVICEACCOUNT parameter must have the Log On As a Service privilege and write access to %ProgramData%\VMware\Log Insight Agent directory so that the installer runs correctly. If you do not specify a SERVICEACCOUNT parameter, the vRealize Log Insight Windows agent service is installed under the LocalSystem service account. |
| SERVICEPASSWORD | Password of the user service account. |
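
The silent install above wrapped in a script that refuses to run unelevated, keeps a verbose MSI log and confirms the service came up. This is an added example, not from the original article or from VMware; the MSI location and log path are assumptions, and the service display name is the one this article gives.

```powershell
# Added example: unattended install of the Log Insight Windows agent.
# Assumptions: the MSI was copied to C:\Temp; the log path is arbitrary.
$msi        = 'C:\Temp\VMware-Log-Insight-Agent-3.0.0-2985111.msi'
$serverHost = 'li.vmguru.local'
$installLog = Join-Path $env:TEMP 'li-agent-install.log'

# /qn never shows the elevation prompt, so stop early when not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
if (-not (Test-Path -LiteralPath $msi)) { throw "MSI not found: $msi" }

# Property names must be upper case. SERVERPORT is left out on purpose so the
# agent uses the default port that matches its protocol and SSL setting.
$msiArgs = @(
    '/i', "`"$msi`"",
    "SERVERHOST=$serverHost",
    'SERVERPROTO=cfapi',
    '/qn',
    '/l*v', "`"$installLog`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $installLog"
}

# Confirm the service exists and reaches Running within 30 seconds.
$svc = Get-Service -DisplayName 'VMware vRealize Log Insight Agent' -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
$svc | Format-List DisplayName, Status, StartType
```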

Configuration

In a default installation the service is installed in “%ProgramData%\VMware\Log Insight Agent\liwinsvc.exe”, the service itself is called “VMware vRealize Log Insight Agent” and is visible in the Services list on Windows.

If you want to tinker with the configuration, you can do it in “C:\ProgramData\VMware\Log Insight Agent\liagent.ini”. The contents of liagent.ini are combined with settings from the Log Insight server into liagent-effective.ini. If you want to do it properly, it is better to do it from the Log Insight interface itself.

Check out this VMware page for more help on the configuration.

Content Pack


Installation of the agent is only the first part of monitoring your Windows machines. The second part is adding a Windows specific Content Pack. You can download and install these directly from Log Insight.

The one we are going to use right now is the Windows Content Pack. This content pack gives you Windows specific configuration templates and graphs. Just click on the image and click on install.

From the install dialog:
The content pack for Microsoft® Windows® provides you with information about key entities of any Windows operating system installation’s health using Log Insight’s ability to monitor Windows® Event Logs. Log Insight offers very intuitive graphical representation, especially with regards to log events.

Spikes in the number and types of messages received can be flagged as events with external notifications. System administrators can drill into these events for looking at where and why these are being generated.

There are eleven predefined Windows OS specific dashboards, with a total of 55 widgets, 5 query widgets and 6 alarms for helping to visualize, analyze and take meaningful action on Windows OS log information. It provides:

 

Now that you have installed the content pack you can create groups with specific configurations. Go back to Administration->Agents and create your first group for Windows computers. Select Microsoft – Windows in the pull-down menu and click on the copy template button (2 rectangles). Change the filter to OS, ‘start with’ ‘Microsoft Windows’.


Don’t forget to click ‘Save new group’.

 

 

 

This adds the following to the configuration for the agent on your Windows machines:

[winlog|Application]
channel=Application

[winlog|Security]
channel=Security

[winlog|System]
channel=System

[winlog|WindowsFirewall]
channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

[winlog|UAC]
channel=Microsoft-Windows-UAC/Operational

This setting will collect your event logs for Application, Security, System, Windows Firewall and UAC.
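
A check that every channel in the agent configuration actually exists and is enabled on the machine, since a disabled or missing channel sends nothing to Log Insight. This is an added example, not part of the original article; it assumes liagent-effective.ini sits in the same directory as liagent.ini, and the function name Get-WinlogChannel is made up for this example.

```powershell
# Added example: verify the [winlog|...] channels from the agent configuration.
# Assumption: the merged file lives beside liagent.ini. Run elevated so the
# Security log configuration can be read.
$ini = Join-Path $env:ProgramData 'VMware\Log Insight Agent\liagent-effective.ini'

function Get-WinlogChannel {
    # Hypothetical helper: returns one object per [winlog|Name] section.
    param([string[]]$Lines)
    $section = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[winlog\|(.+)\]$') { $section = $Matches[1]; continue }
        if ($text -match '^\[')                { $section = $null;       continue }
        if ($section -and $text -match '^channel\s*=\s*(.+)$') {
            [pscustomobject]@{ Section = $section; Channel = $Matches[1].Trim() }
        }
    }
}

$entries = Get-WinlogChannel -Lines (Get-Content -LiteralPath $ini)
$report = foreach ($entry in $entries) {
    # Returns nothing when the channel does not exist on this machine.
    $log = Get-WinEvent -ListLog $entry.Channel -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Section = $entry.Section
        Channel = $entry.Channel
        Exists  = [bool]$log
        Enabled = if ($log) { $log.IsEnabled } else { $false }
        Records = if ($log) { $log.RecordCount } else { $null }
    }
}
$report | Format-Table -AutoSize

# Channels that are configured but will never deliver events.
$silent = @($report | Where-Object { -not $_.Enabled })
if ($silent.Count -gt 0) {
    Write-Warning ("Not collecting from: " + ($silent.Channel -join '; '))
}
```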

 

For the Security – Object Auditing dashboard to work in the Microsoft – Windows content pack, Object Access Auditing must be enabled on all Windows clients sending events. To enable object auditing you need to alter the local security policy and enable auditing on the desired object. To alter the local security policy:

Note: You can also create Group Policy to enable object access auditing on multiple systems easily.

Once object auditing is enabled, you need to enable auditing for a specific folder (and all its sub-folders and files):

You should however do this only for a select few objects, since a lot of information is generated.
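
The two steps described above, done from the command line with auditpol and an audit entry on a single folder, limited to write-type access to keep the event volume down. This is an added example, not part of the original article, and it uses auditpol rather than the local security policy editor; D:\Finance is a placeholder path, and the subcategory name assumes an English-language Windows.

```powershell
# Added example: enable file-system object auditing and audit one folder.
# Assumptions: elevated session, English subcategory names, placeholder path.
$folder = 'D:\Finance'

# 1. Enable success and failure auditing for the File System subcategory only.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# 2. Build an audit rule for Everyone (well-known SID S-1-1-0) that covers
#    writes, deletes and permission changes, inherited by sub-folders and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $flags)

# 3. Add the rule to the folder's SACL. -Audit makes Get-Acl load the SACL.
$acl = Get-Acl -LiteralPath $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl

# 4. Show the resulting policy and the audit entries on the folder.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -LiteralPath $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```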

More items can be added, but that’s for another time.
