VMware Cloud Community
sroethlisberger
Contributor

Filelog evtx to Loginsight Server

Hello Everyone

I have a little problem.
I want to forward evtx logs to my Loginsight Server.

The logs are stored on a network drive.

I temporarily copied the log to a local path (on which the Log Insight agent is installed), but the logs don't arrive at the Log Insight server (I find no errors in the logs; you can find them in the attachment):

2018-01-22 11:29:56.008096 0x00000eb4 <trace> WinLogCollector:304| WinLogMonitor thread begin
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:49  | Configuration of filelog is done
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:56  | Starting filelog
2018-01-22 11:29:56.008096 0x00001ad0 <trace> Logger:147         | Thread "ThreadPool" has id 0x00001ad0
2018-01-22 11:29:56.008096 0x00001bdc <trace> FLogCollectorEx:477| Subscribed to channel <netapp>.
2018-01-22 11:29:56.008096 0x000044d0 <trace> Logger:147         | Thread "DirectoryMonitorEx" has id 0x000044d0
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:59  | Started filelog
2018-01-22 11:29:56.008096 0x00005714 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00005714
2018-01-22 11:29:56.008096 0x00001bdc <trace> DataController:100 | Configuring transport...
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:297         | Configuration key [server].proto is not specified. Using default: cfapi
2018-01-22 11:29:56.008096 0x00001bdc <trace> DataController:163 | Creating cfapi transport
2018-01-22 11:29:56.008096 0x00003f88 <trace> Logger:147         | Thread "DirectoryMonitorEx Polling" has id 0x00003f88
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:287         | Read config param [server].hostname = loginsight.tdlz2.tankred.ch
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:346         | Configuration key [server].ssl is not specified. Using default: yes
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].port is not specified. Using default: 9543
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].reconnect is not specified. Using default: 30
2018-01-22 11:29:56.008096 0x00002d10 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00002d10
2018-01-22 11:29:56.008096 0x00003e58 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00003e58
2018-01-22 11:29:56.008096 0x00003598 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00003598
2018-01-22 11:29:56.039342 0x00001bdc <trace> DataController:104 | Starting transport...
2018-01-22 11:29:56.039342 0x00004bc0 <trace> Logger:147         | Thread "CFApiTransport" has id 0x00004bc0
2018-01-22 11:29:56.039342 0x00004bc0 <trace> CFApiTransport:130 | Connecting to server loginsight.tdlz2.tankred.ch:9543
2018-01-22 11:29:56.039342 0x00001bdc <trace> AgentDaemon:422    | AgentDaemon configured successfully
2018-01-22 11:29:56.039342 0x00001bdc <trace> AgentDaemon:367    | AgentDaemon started successfully
2018-01-22 11:29:56.242474 0x00004bc0 <trace> CFApiTransport:150 | Connection successfully established

Can anybody help me?
Kind regards

Steve

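Before moving on to the reply, a quick way to check what the agent trace above actually tells you. The following script is an added example, not code from the original post or from VMware: it parses the trace format shown above (timestamp, thread id, level, component:line, message), pulls out the effective [server] settings (explicit and defaulted), the filelog channel subscription and the transport state, and reports whether any non-trace level lines are present. The embedded sample is a subset of the lines quoted in the question; nothing beyond what those lines state is inferred.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Subset of the agent trace lines quoted in the question (copied verbatim).
AGENT_TRACE = """\
2018-01-22 11:29:56.008096 0x00001bdc <trace> FLogCollectorEx:477| Subscribed to channel <netapp>.
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:297         | Configuration key [server].proto is not specified. Using default: cfapi
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:287         | Read config param [server].hostname = loginsight.tdlz2.tankred.ch
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:346         | Configuration key [server].ssl is not specified. Using default: yes
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].port is not specified. Using default: 9543
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].reconnect is not specified. Using default: 30
2018-01-22 11:29:56.039342 0x00004bc0 <trace> CFApiTransport:130 | Connecting to server loginsight.tdlz2.tankred.ch:9543
2018-01-22 11:29:56.242474 0x00004bc0 <trace> CFApiTransport:150 | Connection successfully established
"""

# "<date> <time> <thread-id> <level> <Component>:<line>| <message>"; the padding
# between the source line number and the pipe varies, hence \s*.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<tid>0x[0-9a-fA-F]+) <(?P<level>\w+)> "
    r"(?P<component>\w+):(?P<lineno>\d+)\s*\| (?P<msg>.*)$"
)
DEFAULT_RE = re.compile(
    r"Configuration key \[(?P<section>\w+)\]\.(?P<key>\w+) is not specified\. "
    r"Using default: (?P<value>\S+)"
)
EXPLICIT_RE = re.compile(r"Read config param \[(?P<section>\w+)\]\.(?P<key>\w+) = (?P<value>\S+)")
CHANNEL_RE = re.compile(r"Subscribed to channel <(?P<name>[^>]+)>")
CONNECT_RE = re.compile(r"Connecting to server (?P<host>[^:\s]+):(?P<port>\d+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one trace line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(trace: str) -> Dict[str, object]:
    """Collect effective config, subscribed channels, transport state and level counts."""
    config: Dict[str, str] = {}
    defaulted: List[str] = []
    channels: List[str] = []
    levels: Counter = Counter()
    target: Optional[Tuple[str, int]] = None
    connected = False
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        levels[rec["level"]] += 1
        msg = rec["msg"]
        if m := DEFAULT_RE.search(msg):
            key = f"{m['section']}.{m['key']}"
            config[key] = m["value"]
            defaulted.append(key)
        elif m := EXPLICIT_RE.search(msg):
            config[f"{m['section']}.{m['key']}"] = m["value"]
        elif m := CHANNEL_RE.search(msg):
            channels.append(m["name"])
        elif m := CONNECT_RE.search(msg):
            target = (m["host"], int(m["port"]))
        elif msg.startswith("Connection successfully established"):
            connected = True
    return {
        "config": config,
        "defaulted": defaulted,
        "channels": channels,
        "target": target,
        "connected": connected,
        "levels": levels,
    }


def findings(summary: Dict[str, object]) -> List[str]:
    """Turn the summary into the handful of facts worth checking first."""
    out: List[str] = []
    levels = summary["levels"]
    non_trace = {lvl: n for lvl, n in levels.items() if lvl != "trace"}
    out.append("no non-trace lines in sample" if not non_trace else f"non-trace levels: {non_trace}")
    out.append(f"filelog channels subscribed: {summary['channels'] or 'none'}")
    if summary["target"] and summary["connected"]:
        host, port = summary["target"]
        out.append(f"transport connected to {host}:{port} (ssl={summary['config'].get('server.ssl')})")
    else:
        out.append("transport did not report a successful connection")
    if summary["defaulted"]:
        out.append("settings taken from defaults: " + ", ".join(summary["defaulted"]))
    return out


if __name__ == "__main__":
    for line in findings(summarize(AGENT_TRACE)):
        print(line)
```

For the trace in the question this reports a subscribed channel, a successful TLS connection on the default port 9543 and no error or warning lines, which narrows the problem to the collector side (what the filelog section is being asked to read) rather than to transport or configuration parsing.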
RonnyNorway
Contributor

The Log Insight agent only sends NEW events, and as this is a file with OLD events you need to use the Log Insight Importer tool.

This link is for 3.6 but is still valid for the importer:

VMware vRealize Log Insight 3.6 Information Center
