I am forwarding Windows events collected by the LI agent from Log Insight to Splunk using the syslog protocol. The box "Forward complementary tags" is not checked, but it seems to be always on. On the receiver side I see the following additional stuff in the event: - - - [Originator@6876 eventid="326" task="General" keywords="Classic" level="Information" channel="Application" eventrecordid="2018" providername="ESENT"] Complementary ...
Administration of Log Insight
Initial deployment, user/group identity sync, backups, capacity changes, upgrades.
Log Insight's Forwarder supports Syslog and CFAPI (HTTP+JSON) today. The Forwarder should be extended with an additional serialization format, conforming to the Windows Events XML schema. Standard Windows Events' XML attributes should be reconstructed from standard Log Insight field=value pairs.
This aligns with http://loginsight.vmware.com/a/idea-v2/211076
Allow Log Insight to analyze internal (Linux and application) logs in the same instance. Currently it is not supported to redirect Log Insight logs to itself.
Customer would like to see the list of users logged in currently and the log of user log-ins and past activities. This may be required as auditing feature (who looked at the logs, changed config and so on).
It would be nice if Log Insight could display the current log retention time and disk consumption rate (x GB/day) next to the live storage statistics in the System Monitor. I know you get this info through the Admin Alert mail, but why not show it in the System Monitor?
When Log Insight's local capacity to store messages is exhausted, messages are archived to a remote NFS location. It would be beneficial if this flow could be tiered such that data was available online as today but moved to slower, higher-capacity tiered disks as it ages. Consider the use case of keeping the most recent 50GB of data on SSD, migrating it to ~5TB of slower spindles over time while keeping it searchable, ...