Once a Windows Server has a Log Insight Agent deployed and configured, and the System, Application and Security channels are being monitored, does it send every event generated on the server back to Log Insight? My assumption is yes; however, for some events generated on the server, I can't find them in a search on the Log Insight server.
As Yogita mentioned, it is all by default. If you believe messages are missing, have a look at the /admin/agents page to see if any drops are being reported.
You can add a tag in the liagent.ini file something like:
[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}
To the channels of interest to you and filter on these tags in Interactive Analytics to check if you are receiving the logs from these channels.
More info here - VMware vRealize Log Insight
Hi thanks, aware of that 😉 My question was more around the default behaviour of the System, App & Security channels. I'm assuming all events get sent (unless filtered) to Log Insight. I'm just not seeing them in Interactive Analytics, thus the query.
Yes, they should all be there. I suggested tags to help narrow down the search when you look in Interactive Analytics; tags will allow you to reduce the noise or the events that you do not need to see. Also check if your user name has any roles with data sets attached to it, which might be filtering them out for you, and hence you don't see them in Interactive Analytics.
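A way to check the agent side of the question discussed in this thread, as an added example that is not part of any post above: the script parses a liagent.ini and reports, per [winlog|...] section, whether the channel is enabled, filtered, or tagged. The sample file is constructed, and the `enabled`, `whitelist` and `blacklist` option names are assumed from the agent's configuration options rather than shown in the thread, so confirm them against your agent version.

```python
import configparser
import json

# Constructed sample liagent.ini; the [winlog|custom] section mirrors the thread.
SAMPLE_INI = """
[winlog|Application]
channel=Application

[winlog|Security]
channel=Security
whitelist=level > WINLOG_LEVEL_SUCCESS

[winlog|System]
channel=System
enabled=no

[winlog|custom]
channel=Custom
tags={"ChannelDescription": "Events testing channel"}
"""

def audit_winlog(ini_text):
    """Return {channel: settings} for every [winlog|...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    report = {}
    for section in cp.sections():
        if not section.lower().startswith("winlog|"):
            continue
        opts = cp[section]
        enabled = opts.get("enabled", "yes").strip().lower()
        report[opts.get("channel", "")] = {
            "enabled": enabled not in ("no", "false", "0"),
            # Any filter present means not every event is forwarded.
            "filters": {k: opts[k] for k in ("whitelist", "blacklist") if k in opts},
            "tags": json.loads(opts.get("tags", "{}")),
        }
    return report

def missing_defaults(report, wanted=("Application", "Security", "System")):
    """Default channels that are absent or disabled in the agent config."""
    return [c for c in wanted if not report.get(c, {}).get("enabled")]

if __name__ == "__main__":
    result = audit_winlog(SAMPLE_INI)
    for channel, info in result.items():
        print(channel, info)
    print("not forwarded:", missing_defaults(result))
```

A channel that shows a filter or is listed as not forwarded explains gaps at the agent; if neither applies, the drop counters on /admin/agents and the data sets attached to the user's roles are the next places to look.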