Modify a data input configuration in Health Log Analytics

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
  • Change the configuration of a data input for Health Log Analytics by adding a new path to an existing data input configuration or modifying the data input's MID Server destination and port.

    Before you begin

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to All > Health Log Analytics > Data Input > Data Inputs.
    2. Open a record from the Data Inputs table.
    3. Modify the data input configuration.
      Column Description
      Name Name of the data input.
      Description Description of the data input.
      Port The port on the MID Server.
      Note:
      The port must not be occupied by another process. Make sure that your organization’s security team opens the selected port.
      MID The MID Server to which the logs stream.
      Note:
      • You can select only MID Servers with log ingestion capability that support basic authentication. MID Servers that support mTLS are not listed.
      • The default maximum number of data inputs streaming logs to a single MID Server is 10. You can modify this number in the MID Server properties.
      Table 1. Settings
      Column Description
      Path The full path from which to stream logs. You can use a wildcard.
      Note:
      This column is not available on Windows systems using Winlogbeat.
      Service instance The service instance to which to bind the log data.
      Note:
      If no relevant service instance exists, create a service instance and add CIs to it. Set the status of the new service instance to Operational.
      Component The device type or stack layer as context for the logs that is used for anomaly detection and correlation. For example, Tomcat.

      Components typically represent CIs in the CMDB. Several components are often clustered together in a single service instance.

      Source Type The source type that defines how Health Log Analytics handles a specific application and parses the log data. For example: Tomcat Catalina.

      Each data input can have multiple source types depending on the diversity of its log formats. Service instances and components can have any number of source types.

      For handling multiline messages on Linux / Windows systems using Filebeat only:
      Match Specifies how Filebeat combines matching lines into an event, either after or before.
      Negate Boolean that defines whether the pattern identified in the log lines is negated. The default is false.
      Regex The regular expression to match.
      Note:
      You can modify the Rsyslog configuration file to make the agent ship system logs in addition to application logs. For more information, see the Shipping system logs using Rsyslog [KB0954507] article in the Now Support Knowledge Base.
    4. Select Update.
    5. For data inputs that use Rsyslog or Beats agents only, rebuild the server-side configuration file and install it on the endpoint device.
      1. Select Rebuild configuration file.

        Health Log Analytics rebuilds the file and saves it in the Manage Attachments section. Depending on the agent used, the rebuilt file is saved as either rsyslog.yml, filebeat.yml, or winlogbeat.yml.

        The system automatically renames the previous configuration file by adding a suffix with the date and time the file was rebuilt to the file name.

      2. Install the rebuilt configuration file on the endpoint according to your data input type.
        Data input type Action
        Rsyslog
        1. Download the file and install it on the endpoint device in the /etc/rsyslog.d/rsyslog.conf directory.
        2. Validate the configuration by running the rsyslogd -N1 command.
        3. Verify the output. If it contains errors, check the /var/log/messages system log file for error messages and fix the errors.
        4. Restart Rsyslog by running the sudo systemctl restart rsyslog command.
        Linux
        1. Download the file and install it on the endpoint device in the /etc/filebeat/ directory.
        2. Restart the agent service by running the sudo service filebeat restart command.
        Note:
        The generated configuration ignores files that were last changed more than six hours ago. If needed, you can change this setting in the configuration file.
        Windows using Beats (Filebeat or Winlogbeat):
        1. Download the file and install it on the endpoint device in the C:\Program Files\ directory.
        2. Restart the agent service by running the appropriate command in PowerShell:
          • Filebeat: PS > Restart-Service filebeat
          • Winlogbeat: PS > Restart-Service winlogbeat
        Note:
        The generated configuration ignores files that were last changed more than six hours ago. If needed, you can change this setting in the configuration file.
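
The Match, Negate, and Regex settings in step 3 decide which raw lines are merged into one event, and a wrong Negate value silently splits stack traces or glues unrelated lines together. The following added example (not ServiceNow or Filebeat code) models that grouping so a pattern can be checked before the configuration file is rebuilt. The function name, the sample lines, and the timestamp regex are constructed, and it uses Python's regex engine rather than Filebeat's.

```python
import re

def combine_multiline(lines, regex, negate=False, match="after"):
    """Group raw log lines into events per the Match / Negate / Regex settings."""
    if match not in ("after", "before"):
        raise ValueError("match must be 'after' or 'before'")
    pattern = re.compile(regex)

    def continuation(line):
        # A line continues an event when the regex result, flipped by negate, is true.
        return (pattern.search(line) is not None) != negate

    events, current = [], []
    for line in lines:
        if match == "after":
            # Continuation lines attach to the event that started before them.
            if continuation(line) and current:
                current.append(line)
            else:
                if current:
                    events.append("\n".join(current))
                current = [line]
        else:
            # Continuation lines are held until the next other line closes the event.
            current.append(line)
            if not continuation(line):
                events.append("\n".join(current))
                current = []
    if current:
        events.append("\n".join(current))
    return events

# Constructed sample: one Tomcat-style error with a stack trace, then an INFO line.
SAMPLE = [
    "2026-03-12 10:00:01 SEVERE [http-nio-8080-exec-1] Servlet.service() threw exception",
    "java.lang.IllegalStateException: constructed example",
    "    at com.example.Demo.handle(Demo.java:42)",
    "    at com.example.Demo.run(Demo.java:17)",
    "2026-03-12 10:00:02 INFO [main] Server startup in 512 ms",
]
TIMESTAMP = r"^\d{4}-\d{2}-\d{2} "  # constructed pattern: a new event starts with a date

def demo():
    # Negate=true, Match=after: lines without a timestamp join the previous event.
    grouped = combine_multiline(SAMPLE, TIMESTAMP, negate=True, match="after")
    # Negate left at its default (false): the trace is split and merged wrongly.
    misgrouped = combine_multiline(SAMPLE, TIMESTAMP, negate=False, match="after")
    return grouped, misgrouped
```

With Negate set to true the sample yields two events; with the default of false it yields four, and the last stack frame is merged with the unrelated INFO line.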