As I explained in an earlier post, all systems push their data to the central Log Insight server, either directly (syslog) or through an agent installed in the operating system.


Just like the Windows agent, you can download the Linux agent from the Log Insight interface. Go to the Administration panel -> Agents.



In the screenshot on the right you can see that I already added one Linux agent to Log Insight. At the bottom of the screen you can download the agent.


Linux agent

The Linux agent is available in three distribution formats:

  • .rpm, for RHEL 5 Update 10 and RHEL 6 Update 5
  • .deb, for Ubuntu 12.04 LTS and 14.04 LTS
  • .bin, for SLES 11 SP3

Other distributions may work, but this is not guaranteed and they are not supported.

The Log Insight Linux agent writes its own operational log files to /var/log/loginsight-agent/liagent_*.log. Log files are rotated when the agent is restarted and when they reach a size of 10 MB; a combined maximum of 50 MB is kept in rotation.

RPM installation

The vRealize Log Insight Linux agent for Red Hat needs access to syslog and networking services to function. By default the installation configures the agent to start in runlevels 3 and 5. If you want the agent to run under other runlevels, you have to configure that yourself.

First, log in as root or use sudo to run console commands.
Upload the file from the location you downloaded it to a location on your destination server, with scp for example:

scp <file> <user>@<linuxhost>:

<user> is a user that can log in via ssh/sftp, and <linuxhost> is the destination server.

I’m assuming here that you didn’t allow your root user to connect via ssh/sftp. I think it really is bad practice to allow your root user to directly connect to your system. You don’t give out the master key to your building if someone only needs to be in a specific room.

After you have copied the file to your machine, log in (or connect) as a regular user that has the right to start programs as root (sudo).

ssh <user>@<linuxhost>
cd /home/<user>

and run the installation itself:

sudo rpm -i VMware-Log-Insight-Agent-3.0.0-2985111.noarch.rpm

The configuration file can be found at /etc/liagent.ini, which is a symbolic link to /var/lib/loginsight-agent/liagent.ini.

DEB installation

The Debian installer can be downloaded from the GUI as well. In my case it was VMware-Log-Insight-Agent_3.0.0-2985111_<hostname>.deb, again with the hostname in the downloaded file.

Copy the file to your server with scp, or from a shared network location:

scp <file> <user>@<linuxhost>:
ssh <user>@<linuxhost>
cd /home/<user>
sudo dpkg -i VMware-Log-Insight-Agent_3.0.0-2985111_<hostname>.deb

The configuration file can be found at /etc/liagent.ini, which is a symbolic link to /var/lib/loginsight-agent/liagent.ini.

BIN installation

The binary installation can be used for systems that don't have rpm or dpkg for package management. Installing the binary package consists of making the .bin file executable and then running it, which installs the agent.

scp <file> <user>@<linuxhost>:
ssh <user>@<linuxhost>
cd /home/<user>
chmod +x VMware-Log-Insight-Agent_3.0.0-2985111_<hostname>.bin
sudo ./VMware-Log-Insight-Agent_3.0.0-2985111_<hostname>.bin

The configuration file can be found as /var/lib/loginsight-agent/liagent.ini. I haven’t checked it, but I think there’s also a symlink to /etc/liagent.ini


Configuration

If you want to tinker with the configuration, you can do it in the places I mentioned above. The contents of liagent.ini are combined with the settings pushed by the Log Insight server into liagent-effective.ini, so local edits can be overridden by what the server sends. If you want to do it properly, it is better to do it from the Log Insight interface itself.

Check out this VMware page for more help on the configuration.

Content Pack

Installation of the agent is only the first part of monitoring your Linux machines. The second part is adding a Linux specific Content Pack. You can download and install these directly from Log Insight.


The one we are going to use right now is the Linux Content Pack. This content pack gives you Linux-specific agent configuration templates and dashboards. Just click on the image and then click on install.

From the install dialog:

The content pack for Linux provides you with information about key entities of any Linux operating system installation’s health using Log Insight’s ability to monitor filesystem logs.

Log Insight offers very intuitive graphical representation, especially with regards to log events. Spikes in the number and types of messages received can be flagged as events with external notifications. System administrators can drill into these events for looking at where and why these are being generated.

There are 12 pre-defined Linux OS specific dashboards, with a total of 45 extracted fields, to help visualize, analyze and take meaningful action on Linux OS log information. It provides:

  • Security monitoring: Including SSH, su and sudo for auditing and incident management.
  • System application events: Including Cron and NTP for daemon process monitoring.
  • Email information: For Postfix and Sendmail making it possible to troubleshoot and manage mail servers.
  • Syslog information: For Rsyslog and Syslog-NG making it possible to troubleshoot and manage third-party syslog agents.

The Linux content pack requires the use of either a third party syslog agent such as Rsyslog or Syslog-NG or the Log Insight agent with the cfapi protocol (default) and the included agent group configuration.

Now that you have installed the content pack you can create agent groups with specific configurations. Go back to Administration -> Agents and create your first group for Linux computers. Select Linux in the pull-down menu and click the copy template button (the two rectangles). Change the filter to OS 'starts with' 'Linux'.



Don't forget to click 'Save new group'.

This adds the following to the configuration for the agent on your Linux machines:

[filelog|auth]
directory=/var/log
include=auth.log;auth.log.?
parser=syslog_parser

[filelog|messages]
directory=/var/log
include=messages;messages.?
parser=syslog_parser

[filelog|syslog]
directory=/var/log
include=syslog;syslog.?
parser=syslog_parser

[parser|syslog_parser]
base_parser=clf
format=%t %i %{appname}i: %M
field_decoder={"appname":"syslog_appname_parser"}
exclude_fields=log_message

[parser|syslog_appname_parser]
base_parser=clf
format=%{appname}i[%{thread_id}i]

More items can be added, but that’s something for another time.
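To see what the agent configuration above actually does to a log line, here is an added example (my own code, not VMware's and not from the original post) that reads the same agent-group fragment, expands the [filelog|...] include globs, and applies the syslog_parser and its syslog_appname_parser field decoder to a few constructed syslog lines. The meaning of the %t, %i and %M directives, and the default names given to unnamed directives (timestamp, identN, log_message), are my approximation of the agent's CLF grammar, not a documented contract; the sample lines are invented for this example.

```python
"""Added example: load a Log Insight agent-group configuration and apply its
CLF-style parsers to sample syslog lines.  This is an approximation of the
agent's parser grammar written for this post, not VMware's code."""
import configparser
import fnmatch
import json
import re
from typing import Dict, List, Optional

# Constructed excerpt of the Linux agent-group configuration shown above.
AGENT_CONFIG = """
[filelog|auth]
directory=/var/log
include=auth.log;auth.log.?
parser=syslog_parser

[parser|syslog_parser]
base_parser=clf
format=%t %i %{appname}i: %M
field_decoder={"appname":"syslog_appname_parser"}
exclude_fields=log_message

[parser|syslog_appname_parser]
base_parser=clf
format=%{appname}i[%{thread_id}i]
"""

# Constructed sample lines; the last one is deliberately not syslog-shaped.
SAMPLE_LINES = [
    "Mar  3 10:15:42 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:16:01 web01 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rpm -i agent.rpm",
    "Mar  3 10:17:03 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog formatted",
]

# Assumed meaning of the three directives used on this page: %t a syslog
# timestamp, %i a whitespace-free identifier, %M the rest of the line.
DIRECTIVE_RE = re.compile(r"%(?:\{(?P<name>[^}]+)\})?(?P<kind>[tiM])")
DIRECTIVE_PATTERNS = {"t": r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}", "i": r"\S+", "M": r".*"}


def load_config(text: str) -> configparser.ConfigParser:
    # interpolation=None: otherwise configparser chokes on the '%' directives.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Translate a CLF format string into a regex with one named group per directive."""
    parts, pos, unnamed = [], 0, 0
    for m in DIRECTIVE_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))  # literal text between directives
        kind, name = m.group("kind"), m.group("name")
        if name is None:  # unnamed directives get default field names (assumption)
            if kind == "t":
                name = "timestamp"
            elif kind == "M":
                name = "log_message"
            else:
                unnamed += 1
                name = f"ident{unnamed}"
        parts.append(f"(?P<{name}>{DIRECTIVE_PATTERNS[kind]})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts))


class ClfParser:
    """One [parser|...] section, including its field_decoder sub-parsers."""

    def __init__(self, cfg: configparser.ConfigParser, name: str):
        sec = cfg[f"parser|{name}"]
        if sec.get("base_parser") != "clf":
            raise ValueError(f"{name}: only base_parser=clf is modelled here")
        self.regex = format_to_regex(sec["format"])
        self.decoders = {field: ClfParser(cfg, sub)
                         for field, sub in json.loads(sec.get("field_decoder", "{}")).items()}
        self.exclude = {f for f in sec.get("exclude_fields", "").split(";") if f}

    def parse(self, text: str) -> Optional[Dict[str, str]]:
        m = self.regex.fullmatch(text)
        if m is None:
            return None  # line does not match; no fields would be extracted
        fields = m.groupdict()
        for field, decoder in self.decoders.items():
            sub = decoder.parse(fields.get(field, ""))
            if sub:  # "sshd[2231]" -> appname=sshd, thread_id=2231;
                fields.update(sub)  # "sudo" has no [pid], so appname stays as is
        for field in self.exclude:
            fields.pop(field, None)  # exclude_fields=log_message drops the raw message
        return fields


def included_files(cfg: configparser.ConfigParser, section: str, names: List[str]) -> List[str]:
    """Apply a [filelog|...] section's ';'-separated include globs to file names."""
    globs = cfg[section]["include"].split(";")
    return [n for n in names if any(fnmatch.fnmatchcase(n, g) for g in globs)]


def parse_lines(config_text: str, parser_name: str, lines: List[str]) -> List[Optional[Dict[str, str]]]:
    parser = ClfParser(load_config(config_text), parser_name)
    return [parser.parse(line) for line in lines]


if __name__ == "__main__":
    cfg = load_config(AGENT_CONFIG)
    print(included_files(cfg, "filelog|auth", ["auth.log", "auth.log.1", "auth.log.10"]))
    for event in parse_lines(AGENT_CONFIG, "syslog_parser", SAMPLE_LINES):
        print(event)
```

Two things worth noticing when you run it: the include glob auth.log.? picks up auth.log.1 but not auth.log.10, so older rotations are not collected unless you widen the pattern, and the sudo line (which syslog writes without a [pid]) keeps appname=sudo with no thread_id because the decoder simply does not match, which is exactly the behaviour you want from a field decoder that must never drop the event.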