VMware Cloud Community
LSchultheis
Enthusiast

AD and Windows Content Packs

I'm trying to utilize both of these content packs simultaneously. I have the windows agent installed on all my domain controllers. However, the default widgets are not displaying any data under my Windows content pack. They are displaying on the "Security Overview" section of the AD content pack. I can view the logs in Interactive Analysis but they are not automatically being placed under the widgets.

I noticed this disclaimer for both content packs.

Important: The following Log Insight agent configuration is required for this content pack to work:

Add the following mandatory tag ms_product in liagent.ini file to get results in widgets:
tags={"ms_product":"activedirectory"}

Important: The following Log Insight agent configuration is required for this content pack to work:

Add the following mandatory tag ms_product in liagent.ini file to get results in widgets:
tags={"ms_product":"windows"}


How am I supposed to place this tag in my liagent.ini file? I'm not sure of the correct syntax. I'm also not sure how to use both of these tags on the agent as duplicates are not allowed.


Any help would be appreciated.

sflanders
Commander

Tags get added to appropriate configuration sections. If you look at the Tech Specs section of Solution Exchange you will see the real configuration. For example, for the Windows content pack you would use:

[winlog|Application]
channel=Application
tags={"ms_product":"windows"}

[winlog|Security]
channel=Security
tags={"ms_product":"windows"}

[winlog|System]
channel=System
tags={"ms_product":"windows"}

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
LSchultheis
Enthusiast

I understand that tags add these logs to the appropriate section. This is the issue I'm facing. I can't view the logs under both content packs.

This is what I'm trying to accomplish, but I understand I'm not allowed to have duplicate tags.

Example:

[winlog|Application]
channel=Application
tags={"ms_product":"windows"}
tags={"ms_product":"activedirectory"}

Am I unable to use both content packs with a single agent installed on my domain controller?

Thanks for the reply!

sflanders
Commander

Ah, I understand now. The Tech Specs sections for the Windows and AD content packs are different. You are right, you could not use the exact same tag, but the AD one should be:

[winlog|DirectoryService]
channel=Directory Service
tags={"ms_product":"activedirectory"}

[winlog|DNS_Server]
channel=DNS Server
tags={"ms_product":"activedirectory"}

[winlog|DFS_Replication]
channel=DFS Replication
tags={"ms_product":"activedirectory"}

LSchultheis
Enthusiast

So, just to clarify. I can only view my logs using one content pack? This seems like a big limitation. Am I the only one to have asked this question? I tried searching the forum before creating this topic but I couldn't find anything.

I apologize as I'm new to Log Insight.

sflanders
Commander

Hmm, I think you are misunderstanding. Both content packs can and should be used at the same time. Each content pack requires a different agent configuration. It sounds like you would like to use the Windows and Active Directory content packs on the same domain controller, right? If so you need to use BOTH configurations on the agent on the domain controller. This means edit the liagent.ini and add all of the following (then both content packs will work -- I hope this helps!):

[winlog|Application]
channel=Application
tags={"ms_product":"windows"}

[winlog|Security]
channel=Security
tags={"ms_product":"windows"}

[winlog|System]
channel=System
tags={"ms_product":"windows"}

[winlog|DirectoryService]
channel=Directory Service
tags={"ms_product":"activedirectory"}

[winlog|DNS_Server]
channel=DNS Server
tags={"ms_product":"activedirectory"}

[winlog|DFS_Replication]
channel=DFS Replication
tags={"ms_product":"activedirectory"}


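A pre-deployment check for the combined configuration in the reply above, added here as an example and not part of the original posts or of Log Insight itself. It uses Python's `configparser` in strict mode to catch the repeated `tags=` line attempted earlier in the thread and verifies each channel carries the `ms_product` value its content pack expects; the `render` and `lint_liagent` helpers and the generated section labels are constructed for illustration.

```python
import configparser
import json

# Channel -> ms_product pairs exactly as listed in the accepted answer above.
REQUIRED = {
    "Application": "windows", "Security": "windows", "System": "windows",
    "Directory Service": "activedirectory", "DNS Server": "activedirectory",
    "DFS Replication": "activedirectory",
}

def render(mapping):
    """Build constructed liagent.ini text; the section suffix is just a label here."""
    return "\n".join(
        f'[winlog|{c.replace(" ", "_")}]\nchannel={c}\ntags={{"ms_product":"{p}"}}\n'
        for c, p in mapping.items())

def lint_liagent(text):
    """Return a list of problems in the [winlog|...] sections of liagent.ini text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)  # strict mode rejects a key repeated in one section
    except configparser.DuplicateOptionError as e:
        return [f"[{e.section}] repeats '{e.option}': keep one tags= line per section"]
    except configparser.DuplicateSectionError as e:
        return [f"[{e.section}] is defined twice"]
    problems, seen = [], {}
    for name in cp.sections():
        if not name.startswith("winlog|"):
            continue
        try:
            tags = json.loads(cp[name].get("tags", "{}"))
        except json.JSONDecodeError:
            problems.append(f"[{name}] tags value is not valid JSON")
            continue
        seen[cp[name].get("channel", "")] = tags.get("ms_product")
    for channel, product in REQUIRED.items():
        if channel not in seen:
            problems.append(f"channel '{channel}' is not collected")
        elif seen[channel] != product:
            problems.append(f"channel '{channel}': want ms_product={product}, got {seen[channel]}")
    return problems

# Constructed inputs: the combined config, and the duplicate-tags attempt from the thread.
GOOD = render(REQUIRED)
BAD = ('[winlog|Application]\nchannel=Application\n'
       'tags={"ms_product":"windows"}\ntags={"ms_product":"activedirectory"}\n')

if __name__ == "__main__":
    for label, text in (("combined", GOOD), ("duplicate tags", BAD)):
        print(label, "->", lint_liagent(text) or "OK")
```

A domain controller whose Security channel is missing or mis-tagged stops feeding the Windows content pack's widgets without any error, so running a check like this against the deployed liagent.ini after each change catches the gap before a dashboard goes quiet.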
LSchultheis
Enthusiast

I will give that a try tomorrow. Thanks again for all your help!

sflanders
Commander

No problem, let me know how it goes!

LSchultheis
Enthusiast

It looks like that did the trick. Thanks again for all your help!
