You've designed and deployed your vRLI Cluster, you've configured it to collect logs from your vCenters and ESXi Hosts, but you want more. Specifically, you want to collect logs from your Linux VMs. Well, we can do that with the vRLI Linux Agent.
In a previous blog, we discussed the vRLI Windows Agent and how to use that to collect Windows Events. This blog will be the Linux analog to that one. Before getting into the details, let's take a look from above.
Your vRLI Cluster is made up of Primary Nodes and Worker Nodes. It is backed by disk called Live Storage which stores the active logs. Those logs are then compressed and moved to Archived Storage based on your archival schedule.
vRLI Agents and Agent Binaries are self-aware, upon deployment they know which vRLI Cluster to log into. For mass deployments, I'd probably add them to the VM Template, but for the purposes of this blog, I'll install one locally. As an aside, for mass Windows vRLI Agent deployments go here.
vRLI Agents are supported on the following Operating Systems, documented here.
The vRLI Agents for Linux are offered in three different formats: RPM, DEB, and BIN. Details can be found here.
I've chosen to download the BIN from the vRLI UI.
SCP the BIN up to your VM, chmod +x it, then run it. Formal documentation can be found here.
The commands (for copying) are here, the scp of course will change for you.
scp ./VMware-Log-Insight-Agent-8.6.0-18673036_10.216.176.179.bin medora@ubuntu-logs-1.tvs.vmware.com:/tmp/VMware-Log-Insight-Agent-8.6.0-18673036_10.216.176.179.bin
chmod +x VMware-Log-Insight-Agent-8.6.0-18673036_10.216.176.179.bin
./VMware-Log-Insight-Agent-8.6.0-18673036_10.216.176.179.bin
Immediately upon installation, it will log into your vRLI Cluster.
There is a default configuration file (liagent.ini) that gets installed with the Agent, it's located in /var/lib/loginsight-agent and is documented here.
If you are centrally managing the vRLI Agent Configurations via the UI, this file will be merged with liagent.ini to create a new configuration file called liagent-effective.ini. I'm doing this in my lab, so my liagent-effective.ini looks like this:
You'll notice the vRLI cluster hostname, the package type, and pointers to the logs the Agent is capturing. While you can edit the vRLI Agent configuration file locally on each VM, it is far easier and more efficient to manage it from the vRLI UI. I've created two Groups for my Agents: Linux Agents and Windows Agents. Each Group has its own Agent Configuration.
The UI allows you to define the File Logs you're capturing, in this case:
/var/log/auth.log
/var/log/vmware-*.log
/var/log/faillog
/var/log/lastlog
The UI also gives you the ability to parse and filter based on things like Event Markers, Fields, and Expressions. Documentation can be found here.
Based on my configuration, you'll notice that I'm collecting the desired logs.
Located within the UI, there is another location for vRLI Agent documentation, installation steps, configuration guidance, and sample configuration files. It can be found at the top via Log Sources.
For more information on vRLI, go here.