I'm trying to utilize both of these content packs simultaneously. I have the Windows agent installed on all my domain controllers. However, the default widgets are not displaying any data under my Windows content pack. They are displaying on the "Security Overview" section of the AD content pack. I can view the logs in Interactive Analysis but they are not automatically being placed under the widgets.
I noticed this disclaimer for both content packs.
Important: The following Log Insight agent configuration is required for this content pack to work:
Add the following mandatory tag ms_product in liagent.ini file to get results in widgets-
tags={"ms_product":"activedirectory"}
Important: The following Log Insight agent configuration is required for this content pack to work:
Add the following mandatory tag ms_product in liagent.ini file to get results in widgets-
tags={"ms_product":"windows"}
How am I supposed to place this tag in my liagent.ini file? I'm not sure of the correct syntax. I'm also not sure how to use both of these tags on the agent as duplicates are not allowed.
Any help would be appreciated.
Tags get added to appropriate configuration sections. If you look at the Tech Specs section of Solution Exchange you will see the real configuration. For example, for the Windows content pack you would use:
[winlog|Application]
channel=Application
tags={"ms_product":"windows"}
[winlog|Security]
channel=Security
tags={"ms_product":"windows"}
[winlog|System]
channel=System
tags={"ms_product":"windows"}
I understand that tags add these logs to the appropriate section. This is the issue I'm facing. I can't view the logs under both content packs.
This is what I'm trying to accomplish, but I understand I'm not allowed to have duplicate tags.
Example:
[winlog|Application]
channel=Application
tags={"ms_product":"windows"}
tags={"ms_product":"activedirectory"}
Am I unable to use both content packs with a single agent installed on my domain controller?
Thanks for the reply!
Ah, I understand now. The Tech Specs sections for the Windows and AD content packs are different. You are right, you could not use the exact same tag, but the AD one should be:
[winlog|DirectoryService]
channel=Directory Service
tags={"ms_product":"activedirectory"}
[winlog|DNS_Server]
channel=DNS Server
tags={"ms_product":"activedirectory"}
[winlog|DFS_Replication]
channel=DFS Replication
tags={"ms_product":"activedirectory"}
So, just to clarify. I can only view my logs using one content pack? This seems like a big limitation. Am I the only one to have asked this question? I tried searching the forum before creating this topic but I couldn't find anything.
I apologize as I'm new to Log Insight.
Hmm, I think you are misunderstanding. Both content packs can and should be used at the same time. Each content pack requires a different agent configuration. It sounds like you would like to use the Windows and Active Directory content packs on the same domain controller, right? If so you need to use BOTH configurations on the agent on the domain controller. This means edit the liagent.ini and add all of the following (then both content packs will work -- I hope this helps!):
[winlog|Application]
channel=Application
tags={"ms_product":"windows"}
[winlog|Security]
channel=Security
tags={"ms_product":"windows"}
[winlog|System]
channel=System
tags={"ms_product":"windows"}
[winlog|DirectoryService]
channel=Directory Service
tags={"ms_product":"activedirectory"}
[winlog|DNS_Server]
channel=DNS Server
tags={"ms_product":"activedirectory"}
[winlog|DFS_Replication]
channel=DFS Replication
tags={"ms_product":"activedirectory"}
I will give that a try tomorrow. Thanks again for all your help!
No problem, let me know how it goes!
It looks like that did the trick. Thanks again for all your help!
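Added example, not part of the original thread and not VMware code: a small Python check for a liagent.ini that flags a winlog section carrying two tags lines (the case asked about above) or no ms_product tag, and reports which ms_product each section sends. The sample text is constructed from the sections posted in this thread; the function name and treating ; and # as comment markers are assumptions.

```python
import json
import re

# Constructed sample: two sections from the thread's merged configuration,
# plus the duplicate-tags section the original poster asked about.
SAMPLE = """\
[winlog|Security]
channel=Security
tags={"ms_product":"windows"}
[winlog|DirectoryService]
channel=Directory Service
tags={"ms_product":"activedirectory"}
[winlog|Application]
channel=Application
tags={"ms_product":"windows"}
tags={"ms_product":"activedirectory"}
"""

SECTION = re.compile(r"^\[(winlog\|[^\]]+)\]$")

def audit_liagent(text):
    """Return ({section: ms_product}, [problems]) for the [winlog|...] sections."""
    products, problems, seen, sections = {}, [], set(), []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # assumption: ; and # start comments
            continue
        if line.startswith("["):
            m = SECTION.match(line)
            section = m.group(1) if m else None  # ignore non-winlog sections
            if section:
                sections.append(section)
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if (section, key) in seen:  # second tags= line in one section
            problems.append(f"{section}: duplicate key '{key}'")
            continue
        seen.add((section, key))
        if key == "tags":
            try:
                products[section] = json.loads(value).get("ms_product")
            except (ValueError, AttributeError):
                problems.append(f"{section}: tags is not a JSON object")
    for s in sections:
        if not products.get(s):  # widgets in both packs filter on this tag
            problems.append(f"{s}: no ms_product tag")
    return products, problems
```

Calling audit_liagent on the text of a domain controller's liagent.ini should return an empty problem list once each channel has exactly one tags line, as in the merged configuration posted above.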
