Being stuck on the server-side, i thought i'd set the config on the client side. I edited the liagent.ini to what i want, restarted the agent and this results in the following "liagent-effective.ini"

; Dynamic file representing the effective configuration of VMware Log Insight Agent (merged server-side and client-side configuration)

;     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

; Creation time: 2016-10-15T13:28:32.657655

[server]

hostname=syslog.domain.local

[winlog|Application]

channel=Application

enabled=no

[winlog|Security]

channel=Security

enabled=no

[winlog|System]

channel=System

enabled=no

[winlog|Custom]

channel=Veeam Backup

[winlog|com.microsoft.active-directory.win2012_DirectoryService]

channel=Directory Service

[winlog|com.microsoft.active-directory.win2012_DNS_Server]

channel=DNS Server

[winlog|com.microsoft.active-directory.win2012_DFS_Replication]

channel=DFS Replication

[winlog|com.microsoft.active-directory.win2012_Security]

channel=Security

[winlog|com.microsoft.active-directory.win2012_DNS_Server_Audit]

channel=Microsoft-Windows-DNSServer/Audit

[winlog|com.microsoft.windows.Custom]

channel=veeam backup

[update]

package_type=msi

[filelog|com.microsoft.active-directory.win2012_WindowsDNS]

directory=C:\Windows\Sysnative\dns\dns.log

tags={"ms_product":"activedirectory"}

[filelog|com.microsoft.sql.MSSQL]

; IMPORTANT: Change the directory as per the environment

directory=D:\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log

tags={"ms_product":"mssql"}

charset=UTF-16LE

exclude=*.trc

But LI still ingests EVERYTHING. It totally ignores the fact that i said "enabled=no" to [winlog|Security] for example. It sucks it all in.

The windows server is a 2008 R2 server by the way so I assume that those .win2012. entries do nothing (it is also not a domain controller)

What is going on. I can read blogs until hell freezes over bit LI simply does not do what I tell it to. Assuming the fault is with me, what am i'm doing wrong??

I don't want to edit client-side liagent.ini files as I want do it centrally. Edit the config client-side was an act of desperation. But neither works anyway.

Hey Steve,

It looks like you are experiencing three different issues. Let me start with the issue reported in your first message. It sounds like you are trying to create a custom agent group for your application and starting by trying to clone an existing agent group. Tip 1 would be, if the agent group you are cloning does not have the configuration you want do not clone it. Instead, just create a brand new agent group. When you do this, you can use the build tab on the lower part of the page and fill in the relevant sections to build your custom agent group. Now, in your case, you cloned an existing agent group, made some edits and tried to save. The error states that the names of the configuration sections are already in use and as such the save operation fails -- as seen in your screenshot. This means, you have another agent group configuration enabled on the system with the same exact configuration section names -- this is not allowed. You can verify this by selecting the "Microsoft - Windows Test (not saved)" drop-down, and selecting one of the other agent configurations you have enabled. To work around this issue, do what the message says -- rename the configuration sections to something else. For example, you have "[winlog|Application]" call it "[winlog|Application2]". Now this will solve your problem, however you already stated you do not want to collect the default Microsoft event viewer channels so I would again advise you just create a brand new agent group and use the builder.

Moving on to your second post, you switched to client-side configuration. Tip 2 would be, always use server-side configuration. There are many reasons for this including server-side overriding client-side, configuration management, etc. In your case, you edited the client side and checked liagent-effective.ini (good!). You are correct that you disabled the default channels, however the win2012 configuration sections DO apply. Why? "[winlog|com.microsoft.active-directory.win2012_DNS_Server_Audit]" is of the format "[winlog|<name of configuration section>]" sure the name of the configuration section has win2012 in it, however if that is not defined as part of the agent group filters server-side (clearly it is not as you see it on your Windows 2008 system) then it will still collect. Also, given that the name of the configuration section starts with com.microsoft.active-directory, I now know that you do have the AD agent group configured server-side. You should edit the server-side configuration since you have made it clear you do not want this.

Finally your third issue -- I think something else is going on, but there is not enough information to tell. Can you attach the liagent-effective.ini?

My apologies on all the problems you are experiencing -- I hope we can work this out for you quickly.