Unfortunately I can't do a screenshot but here is some more detail.

If i do a search in IA for the server name say server1 i get results back for the windows event logs but not the file log I am monitoring.

If I have just a filter of "hostname contains server1" and do a blank search i get the windows event logs and the file log events.  Then say i have an event from the file log that shows up with this filter that contains error 108.  If i then search for error 108 with this filter I get no results.  If i highlight error 108 and right click and contains error 108 i get no results.  If i remove all filters and just search for error 108 i get no results.

I don't see this behavior with data coming from ESXi hosts through syslog or windows event logs just the data coming from a windows file log.  It's like it is not indexed or something maybe?

> If i do a search in IA for the server name say server1 i get results back for the windows event logs but not the file log I am monitoring.

This likely means that the file log you are monitoring does not contain server1 in the message. If so, this is expected.

> If I have just a filter of "hostname contains server1" and do a blank search i get the windows event logs and the file log events.

Makes sense as all events would be tagged with the same hostname

> Then say i have an event from the file log that shows up with this filter that contains error 108.  If i then search for error 108 with this filter I get no results.  If i highlight error 108 and right click and contains error 108 i get no results.  If i remove all filters and just search for error 108 i get no results.

Can you give me an example of what the event looks like? Is it something like "blah error 108 blah"? Or "blah error\n108 blah"? Or "blaherror 108 blah"? Or "blah error 108blah"? Unless it is like the first then again this would be expected. Ignoring the newline example, the other examples highlight the importance of Log Insight keywords. For more information see this post: Query Building in Log Insight - Search Bar | SFlanders.net. In short, query for *complete* keywords or if not a prefix to a keyword use globs.

Here's the exact event.

U.1684.3788: Jun 24 2014:17:30:08.274:  ERROR: svc_socket.c:  1741: 192.168.1.10: Failed to read data from socket. err: 108

Hmm, I cannot reproduce with that event. Are you running the 2.0 GA LI agent? The only thing I can think of is you have a filter with text contains: error 108, which will not work (it would need to be text contains: error, 108). See attachments and let me know if I am missing anything.

Yea that looks like exactly what i'm trying to do.  This is a brand new GA 2.0.3 install.

Hmm, time for logs. I would recommend opening a support case with VMware and uploading a support bundle from the LI instance as well as the logs from the LI agent (C:\ProgramData\VMware\Log Insight Agent\logs). Perhaps there are special characters being passed? Hard to tell without the logs.

Thanks for the help tracking this down Steve I'll report back if i find some combination of charset options that work but for now I've just changed the log file to be UTF-8 since it doesn't roll over that often.