Greetings all--
I have vcsas & have LogInsight. I have the vcsa's VAMI configured to send syslog to our LogInisght. I've confirmed Im receiving vcenter-related events (ie, appname=vpxa, etc); however, I'm not seeing any of the vcsa appliance OS logs (like any bash/shell commands sent). I see shell commands from our esx hosts-- just not the vcsas.
Anyone know what additional setup is required for the OS itself? Do I need something special in the syslog config or liagent.conf?
Thanks in advance.
Alright so I think I figured it out but I'll post here my solution for others and open it up to additional conversation.
In a lab vcenter (7.x vcsa) and lab loginsight (8.10) environment I did the following:
This is not an exact/details list of commands/steps-- just high level what I did...
Log Insight > Management > Agents >
Selected vSphere 7.0 - vCenter (Linux) agent template and copied it
Reproduced the File Log "audit" section from the legacy "Linux - systemd" template into this new template (ie, added the /root/ directory and .bash_history sections with tag 'audit' & tag value 'bash_history'
Downloaded Log Insight Agent Version 8.10.0 rpm
Copied RPM to VCSA /tmp directory (used winscp)
Installed liagent rpm file (rpm -i filename.rpm)
That was it. Now I have all the bash_history commands of the vcsa sending to loginsight. Happy days.
It should be possible actually. Never had occasion to test it.
Alright so I think I figured it out but I'll post here my solution for others and open it up to additional conversation.
In a lab vcenter (7.x vcsa) and lab loginsight (8.10) environment I did the following:
This is not an exact/details list of commands/steps-- just high level what I did...
Log Insight > Management > Agents >
Selected vSphere 7.0 - vCenter (Linux) agent template and copied it
Reproduced the File Log "audit" section from the legacy "Linux - systemd" template into this new template (ie, added the /root/ directory and .bash_history sections with tag 'audit' & tag value 'bash_history'
Downloaded Log Insight Agent Version 8.10.0 rpm
Copied RPM to VCSA /tmp directory (used winscp)
Installed liagent rpm file (rpm -i filename.rpm)
That was it. Now I have all the bash_history commands of the vcsa sending to loginsight. Happy days.
thx for hint. Will write it down to my onenote for future