Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Client configuration guide for Red Hat Lightspeed

Red Hat Lightspeed 1-latest

Configuration options and use cases for the Red Hat Lightspeed client

Red Hat Customer Content Services

Abstract

This guide is for Red Hat Lightspeed users who want to configure Red Hat Lightspeed client features on their Red Hat Enterprise Linux systems. The Red Hat Lightspeed client configuration settings on your system affect the interaction with Red Hat Lightspeed.

Chapter 1. Red Hat Lightspeed client overview
Copier lien

The Red Hat Lightspeed client (insights-client) is the client for Red Hat Lightspeed. Run insights-client from the command line.

1.1. Red Hat Lightspeed client distribution
Copier lien

Red Hat Lightspeed client is available for the following releases of Red Hat Enterprise Linux (RHEL).

Expand
RHEL releaseComments

RHEL 10

Distributed with Red Hat Lightspeed client pre-installed.

RHEL 9

Distributed with Red Hat Lightspeed client pre-installed.

RHEL 8

Distributed with Red Hat Lightspeed client pre-installed, unless RHEL 8 was installed as a minimal installation.

RHEL 7

Distributed with the Red Hat Lightspeed client RPM package loaded but not installed.

Note

Red Hat Lightspeed client installation on older versions

RHEL versions 6 and 7 do not come with the Red Hat Lightspeed client pre-installed. If you have one of these versions, run the following commands in your terminal: 

[root@server ~]# yum install insights-client
Copy to Clipboard Toggle word wrap

Then, register the system to Red Hat Lightspeed: 

[root@server ~]# insights-client --register
Copy to Clipboard Toggle word wrap

Additional resources

Chapter 2. Installing insights-client
Copier lien

You can install Red Hat Lightspeed on an existing system that is managed by Red Hat infrastructure, or you can install it on a minimal installation of Red Hat Enterprise Linux.

After you install the Red Hat Lightspeed client, you need to register your system. For more information about registering systems, refer to: Configuring authentication

Use these instructions to deploy Red Hat Lightspeed on an existing Red Hat Enterprise Linux (RHEL) system connected to Red Hat Cloud Access.

Prerequisites

  • Root-level access for the system.

Procedure

  • Enter the following command to install the current version of the Red Hat Lightspeed client package:

    RHEL versions 6 and 7 

    [root@server ~]# yum install insights-client
    Copy to Clipboard Toggle word wrap

    RHEL version 8 and later 

    [root@server ~]# dnf install insights-client
    Copy to Clipboard Toggle word wrap
Note

Red Hat Lightspeed client installation on older versions

RHEL versions 6 and 7 do not come with the Red Hat Lightspeed client pre-installed. If you have one of these versions, run the following commands in your terminal: 

[root@server ~]# yum install insights-client
Copy to Clipboard Toggle word wrap

Verification step

Run the following command to confirm successful installation of the Red Hat Lightspeed client: 

[root@server ~]# insights-client --version
Copy to Clipboard Toggle word wrap

Additional Resources

Red Hat Cloud Access program overview

Use these instructions to deploy the Red Hat Lightspeed client (insights-client) on an existing, cloud marketplace-purchased Red Hat Enterprise Linux system managed by Red Hat Update Infrastructure (RHUI).

Prerequisites

  • Root-level access for the system.

Procedure

  • Enter the following command to install the current version of the Red Hat Lightspeed client package:

    RHEL versions 6 and 7 

    [root@server ~]# yum install insights-client
    Copy to Clipboard Toggle word wrap

    RHEL version 8 and later 

    [root@server ~]# dnf install insights-client
    Copy to Clipboard Toggle word wrap

    Verification step

    Run the following command to confirm successful installation of the Red Hat Lightspeed client: 

    [root@server ~]# insights-client --version
    Copy to Clipboard Toggle word wrap

The Red Hat Lightspeed client runs automatically, according to its scheduler settings. By default, it runs every 24 hours. To run the client interactively, enter the insights-client command.

When you run insights-client, the following values and settings determine the results:

  1. Values that you enter when you run insights-client from the CLI temporarily override the preset configuration file settings and system environment settings. Any values that you enter for options in the insights-client command are used only for that instance of Red Hat Lightspeed client.
  2. Settings in the configuration file (/etc/insights-client/insights-client.conf) override system environment settings.
  3. Values of any system environment variables (printenv) are not affected by the CLI or the client configuration files.

The Red Hat Lightspeed client is not automatically installed on systems running the minimal installation of Red Hat Enterprise Linux 8.

For more information about minimal installations, see Customizing the system in the installer and Interactively installing RHEL from installation media.

Prerequisites

  • Root-level access to the system.
  • You have already started the Anaconda installer as part of a RHEL install and are ready to install software packages. For more information, see Installing Using Anaconda and Software Selection

Procedure

  1. Select Minimal Install from the RHEL Software Selection options in the Anaconda installer.
  2. Select the Standard checkbox in the Additional Software for Selected Environment section. The Standard option includes the insights-client package in the RHEL installation.

If you do not select the Standard checkbox, RHEL installs without the insights-client package. If that happens, you can use dnf install to install the Red Hat Lightspeed client at a later time.

Verification

  • Run the following command to confirm the successful installation of the Red Hat Lightspeed client: 

    [root@server ~]# insights-client --version
    Copy to Clipboard Toggle word wrap

You will see the client and core versions. 

Client: 3.10.1
Core: 3.6.3
Copy to Clipboard Toggle word wrap

The Red Hat Lightspeed client (insights-client) executes a number of commands that collect data on your system. Therefore, it has a configuration restriction that limits its CPU usage to no more than 30%. This restriction is defined in the configuration file:

insights-client-boot.service: CPUQuota=30%

This configuration prevents the Red Hat Lightspeed client from creating a CPU spike on your system. This spike could interfere with other applications running on your system. Specifically, it could prevent applications that depend on real-time scheduling from initiating.

If you need to enable real-time scheduling, you can disable the CPU quota restriction. The risk of removing this configuration is minimal. However, it is possible that when the Red Hat Lightspeed client runs, the CPU usage may become unusually high. If this situation occurs and negatively impacts other services on your system, please contact Red Hat support for assistance.

Additional resources

How to Remove the CPU quota.

How do I open and manage a support case on the Customer Portal?

Chapter 3. Configuring authentication
Copier lien

Important

Basic Authentication has been deprecated. If you are using Basic Authentication, you must change to one of the currently supported authenticated methods. For more information about changing from Basic Authentication to certificate-based authentication for user access, refer to How to switch from Basic Auth to Certificate Authentication for Red Hat Lightspeed.

3.1. Authentication methods
Copier lien

Depending on how you use Red Hat Lightspeed, you must use one of the following authentication methods:

  • Certificate-based authentication (CERT)

    Certificate-based authentication is the default authentication method. Certificates are generated when you register a system with Red Hat Subscription Manager (RHSM), or when Red Hat Satellite system management manages your system. The client configuration file includes authmethod=CERT by default. There are no additional configuration change requirements.

  • Activation keys

    The preferred authentication method uses activation keys, along with the Organization ID, to register a system with Red Hat hosted services such as RHSM or remote host configuration (RHC).

    A list of the activation keys for your organization are on the Activation Keys page in the Red Hat Hybrid Cloud Console. You can use an activation key as an authentication token to register a system with Red Hat-hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (RHC). Administrators can create, edit, and delete activation keys for your organization.

  • Service accounts

    Service accounts authenticate applications and services, whereas user accounts authenticate human users. Use service account authentication when:

Additional resources

3.2. Using activation keys for authentication
Copier lien

An activation key is a preshared authentication token that enables authorized users to register and configure systems. It eliminates the need to store, use, and share a personal username and password combination, which increases security and facilitates automation.

You can use an activation key and a numeric organization identifier (organization ID) to register a system with Red Hat hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (rhc). Your organization’s activation keys and organization ID are displayed on the Activation Keys page in the Hybrid Cloud Console.

For more information about how to create and manage activation keys for your systems, see Creating and managing activation keys in the Red Hat Hybrid Cloud Console.

3.3. Registering systems with Red Hat Hosted Services
Copier lien

After you install the Red Hat Lightspeed client, you need to register your system. This requires two steps:

  • Registering with Red Hat hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (rhc).
  • Registering the system with the Red Hat Lightspeed client.

For more information about registering the system with Red Hat Lightspeed client, refer to:

Prerequisites

  • Admin login access to each system
  • Activation key
  • Organization ID

Procedure

RHEL 7 and 8

  1. To register a system running Red Hat Enterprise Linux version 7 or 8, use an activation key and your Organization ID to register with RHSM. 

    # subscription-manager register --activationkey=_activation_key_name_ --org=_organization_ID_
    Copy to Clipboard Toggle word wrap

RHEL 9

  1. To register a system running RHEL 9 or later, use an activation key to register with the rhc client. If you do not want to run rhc management services on your system, use the same commands for RHEL 9 systems as you would for RHEL 7 or RHEL 8. 

    # rhc connect --activation-key example_key --organization your_org_ID
    Copy to Clipboard Toggle word wrap

Additional resources

Chapter 4. Configuring insights-client
Copier lien

After you install Red Hat Lightspeed client, you must register your system with Red Hat Lightspeed. Registration enables you to use Red Hat Lightspeed services.

4.1. Registering your system with Red Hat Lightspeed
Copier lien

You can use the insights-client command to register a system with Red Hat Lightspeed.

You can assign a different display name for your host when you register your system by appending the --display-name option to the command. The display name identifies the system in the Red Hat Lightspeed UI. If you do not assign a display name when you register the system, Red Hat Lightspeed uses the default hostname for the system.

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Red Hat Lightspeed client

Procedure

  1. Run the following subscription-manager commands in the CLI: 

    [root@rhlightspeed]# subscription-manager register
[root@rhlightspeed]# subscription-manager status
    Copy to Clipboard Toggle word wrap

  2. Run the following insights-client registration commands as follows: 

    [root@rhlightspeed]# insights-client --register
[root@rhlightspeed]# insights-client --status
    Copy to Clipboard Toggle word wrap

Examples

  • The following example shows how you can register a system with a display name that is different from the hostname: 

    [root@rhlightspeed01]# insights-client --register --display-name ITC-4
    Copy to Clipboard Toggle word wrap

    • Resulting output: 

      Successfully registered host rhlightspeed01-rhel9 as ITC-4 in group None
Automatic scheduling for Red Hat Lightspeed has been enabled.
Starting to collect Red Hat Lightspeed data for ITC-4
Writing RHSM facts to /etc/rhsm/facts/insights-client.facts ...
Uploading Red Hat Lightspeed data.
Successfully uploaded report from ITC-4 to account 1234567.
View the Red Hat Lightspeed console at https://console.redhat.com/insights/
      Copy to Clipboard Toggle word wrap

  • The following example shows how you can change the display name of a system that is already registered for Red Hat Lightspeed. 

    [root@rhlightspeed01]# insights-client --display-name ITC-5
    Copy to Clipboard Toggle word wrap

    • Resulting output: 

      System display name changed from ITC-4 to ITC-5
      Copy to Clipboard Toggle word wrap

For more information about the insights-client command options, see the Additional resources section.

Result

You can now access the cloud-based Red Hat Lightspeed services.

Important
  • It can take up to 15 minutes for your newly registered system to be listed on the Red Hat Lightspeed inventory page on the console.
  • Red Hat Satellite users: After registering a Satellite system with Red Hat Lightspeed, if you subsequently upgrade or rebuild your Satellite system by doing a fresh install, you must re-register the system in Red Hat Lightspeed. For more information about how to do that, see Re-registering your system with Red Hat Lightspeed.

Additional resources

This issue affects Red Hat Satellite users. If you are a Satellite user registering a host with Red Hat Lightspeed, after you run insights-client --register, the following output might display on the CLI:

Telemetry is not enabled for this host

This error can occur because the host_registration_insights parameter is set to false during host registration. It must be set to true for Satellite to accept the Red Hat Lightspeed client upload. To resolve this error message, you must do the following:

  • Change the host_registration_insights parameter to true
  • Run the insights-client --register command in the command line again after the parameter has been updated.

Additional resources

For detailed information about this issue and its resolution, see the following:

You can register a CentOS Linux 7 system to a RHEL 7 system, in order to convert to RHEL and leverage Red Hat Lightspeed. Before you begin the conversion process, it is recommended that you back up your system, satisfy prerequisites, and perform a pre-conversion analysis. Once that is complete, see the following for instructions on registering and converting:

Note

Conversions from CentOS Linux 8 and other Linux distributions must be performed in the command line interface or in Satellite.

Additional Resources

4.3. Unregistering your system with Red Hat Lightspeed
Copier lien

You can unregister your system with Red Hat Lightspeed. When you do so, your system information is no longer uploaded to Red Hat Lightspeed.

Prerequisites

  • Root-level access to your system.
  • Your system is registered with Red Hat Lightspeed.

Procedure

  1. Enter the insights-client command with the --unregister option. 

    [root@rhlightspeed]# insights-client --unregister
    Copy to Clipboard Toggle word wrap

Verification

Enter the following command to confirm the status and verify that the system has been successfully unregistered:

+ 

[root@rhlightspeed]# insights-client --status
Copy to Clipboard Toggle word wrap

If the command is successful, you will see the following output: 

This host is unregistered.
Copy to Clipboard Toggle word wrap

4.4. Re-registering your system with Red Hat Lightspeed
Copier lien

There are instances when you might need to re-register a system in Red Hat Lightspeed.

Re-registering a system in Red Hat Lightspeed by using the correct steps can help to prevent and fix duplicate host entries in the Red Hat Lightspeed inventory service. For example, one reason you might re-register a system in Red Hat Lightspeed is to clean up entries for a previously registered system that has been rebuilt with a clean install.

Important

If you are a Red Hat Satellite user and you plan to upgrade or rebuild your Satellite system by doing a fresh install, you must re-register that system in Red Hat Lightspeed. Ensure that you unregister the system in Red Hat Lightspeed before you begin the upgrade. After you have reinstalled the Satellite system, register it again with the Red Hat Lightspeed client. Otherwise, you might see duplicate host entries or other unexpected results.

To re-register a system in Red Hat Lightspeed, run the insights-client command twice by using the following two options:

  1. --unregister
  2. --register

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Red Hat Lightspeed client

Procedure

  1. On the command line, enter the insights-client command with the --unregister option. 

    [root@rhlightspeed]# insights-client --unregister
    Copy to Clipboard Toggle word wrap

  2. Enter the insights-client command with the --register option. 

    [root@rhlightspeed]# insights-client --register
    Copy to Clipboard Toggle word wrap

Verification

When a system has been successfully re-registered by using the insights-client command with the —-unregister option followed by the insights-client command with the —-register option, a new Red Hat Lightspeed profile gets created and the following output is displayed: 

[root@rhlightspeed]# Successfully uploaded report for <machine name>
View the Red Hat Lightspeed console at https://console.redhat.com/insights/
Copy to Clipboard Toggle word wrap

4.5. Changing the host display name
Copier lien

You can change the host display name as it appears in the GUI. Make this change either when you register the system with Red Hat Lightspeed, or after registration. If you do not assign a display name when you register the system, Red Hat Lightspeed uses the value in /etc/hostname.

This procedure is optional. Determine if you want to use a display name in addition to the default hostname.

Note

Using the insights-client command to set the display name takes effect immediately, but does not run the Red Hat Lightspeed client.

Note

If you obfuscate the hostname, the hostname configured in /etc/hostname is obfuscated. Assign a display name so that you can identify a host even when its hostname is obfuscated.

Prerequisites

  • Root-level access to the system.

Procedure

  • Enter the insights-client command with the --display-name option and specify a display name. 

    [root@rhlightspeed]# insights-client --display-name ITC-4
System display name changed from None to ITC-4
    Copy to Clipboard Toggle word wrap

  • To create a display name that contains spaces, use double quotes. 

    [root@rhlightspeed]# insights-client --display-name "ITC-4 B9 4th floor"
System display name changed from None to ITC-4 B9 4th floor
    Copy to Clipboard Toggle word wrap

4.6. Displaying the client version
Copier lien

You can display the Red Hat Lightspeed client version and client core version.

Prerequisites

  • Root-level access to your system.

Procedure

  • Enter the insights-client command with the --version option. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1
    Copy to Clipboard Toggle word wrap

Additional resources

Chapter 5. Red Hat Lightspeed client data obfuscation
Copier lien

IP addresses, Media Access Control (MAC) addresses, and hostnames are used to uniquely define a device on the internet. Red Hat Lightspeed has optional controls for excluding the IP address, Media Access Control (MAC) address, and hostname from the data file transmitted to Red Hat and to obfuscate the values within the user interface. This helps to protect the privacy of your systems and users by masking sensitive information.

5.1. Obfuscation overview
Copier lien

The Red Hat Lightspeed client obfuscation feature uses a Python data cleaning process, which you can optionally enable to replace the hostname, IP address, or MAC address with preset values when it processes the Red Hat Lightspeed archive. The processed archive file containing the obfuscated values is then sent to Red Hat Lightspeed. Obfuscation is disabled by default.

Note
  • The Python data cleaning process automatically generates the masked values. You cannot choose the values for obfuscation.
  • The Red Hat Lightspeed compliance service uses OpenSCAP tools to generate compliance reports based on information from the host system. The collaboration with OpenSCAP prevents the compliance service’s ability to completely obfuscate or redact hostname and IP address data. Also, host information is sent to Red Hat Lightspeed when a compliance data collection job launches on the host system. Red Hat Lightspeed is working to improve obfuscation options for host information.

For information about how Red Hat Lightspeed handles data collection, see Red Hat Lightspeed Data & Application Security.

5.2. Enabling obfuscation in Red Hat Satellite
Copier lien

For more information about enabling obfuscation in Satellite, see the Red Hat Cloud settings chapter of the Administering Red Hat Satellite guide.

Important

Double obfuscation is required if you use Red Hat Satellite to manage clients and register them on console.redhat.com. This means you must enable obfuscation in both the insights-client.conf file and on the Satellite web UI.

5.3. Obfuscating hostnames, IP addresses, and MAC addresses
Copier lien

Red Hat Lightspeed supports the obfuscation of the following internet connectivity protocols:

  • IPv4
  • IPv6
  • Hostname
  • MAC address

You can mask the IP address of a host in the archive file before it is sent to Red Hat Lightspeed by setting the obfuscation configuration option, obfuscation_list, in the /etc/insights-client/insights-client.conf file. You can also set a custom display name for the identification of obfuscated hosts to help you identify the host in the Red Hat Hybrid Cloud Console UI.

The following sections describe how to obfuscate the hostname, IP address, and MAC address of a system in Red Hat Lightspeed.

5.3.1. Obfuscating IPv6 IP addresses
Copier lien

If your hosts use IPv6 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.

When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma separated list)
# obfuscation_list=
    Copy to Clipboard Toggle word wrap

  3. Remove the preceding hash (#) character, before obfuscation_list= and add the following line: 

    obfuscation_list=ipv6
    Copy to Clipboard Toggle word wrap

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    The obfuscate and obfuscate_hostname options are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file contains obfuscation_list and the deprecated obfuscation options, the obfuscation_list configuration takes precedence and you will see a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original IPv6 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original IP address in the command-line output of some insights-client commands.

Example

  • Original host system IPv6 addresses: 

    ff00:f800:f801:f802::f806
ff00:f800:f801:f802:f00:f803:f804:f805
ff01::f00:f803:f804:f805
    Copy to Clipboard Toggle word wrap

  • Obfuscated host IPv6 addresses: 

    fc47:d0f1:5ae7:e4e9::0477,
fc47:d0f1:5ae7:e4e9:fee:3939:5b4a:2c55,
70f1::fee:3939:5b4a:2c55,
    Copy to Clipboard Toggle word wrap

  • The following image shows a screen capture of the example obfuscated IPv6 IP addresses in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated IP addresses in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on multiple systems, the same obfuscated IP address gets generated. Therefore, in the scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 70f1::fee:3939:5b4a:2c55. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated IP address in the archive file.

5.3.2. Obfuscating IPv4 IP addresses
Copier lien

If your hosts use IPv4 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.

When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma separated list)
# obfuscation_list=
    Copy to Clipboard Toggle word wrap

  3. Remove the preceding hash (#) character, before obfuscation_list= and add the following line: 

    obfuscation_list=ipv4
    Copy to Clipboard Toggle word wrap

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    The obfuscate and obfuscate_hostname options are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file contains obfuscation_list and the deprecated obfuscation options, the obfuscation_list configuration takes precedence and you will see a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original IPv4 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original IPv4 address in the command-line output of some insights-client commands.

Example

  • The original host system IP address: 

    192.168.0.24
    Copy to Clipboard Toggle word wrap

  • The obfuscated host IP address 

    10.230.230.1
    Copy to Clipboard Toggle word wrap

  • The following screenshot provides an example of an obfuscated IPv4 IP address in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated IPv4 IP address in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on multiple systems, the same obfuscated IP address gets generated. Therefore, in the example scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 10.230.230.1. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated IP address in the archive file.

5.3.3. Obfuscating MAC addresses
Copier lien

You can mask the Media Access Control (MAC) addresses of your hosts in the archive file before it is sent to Red Hat Lightspeed by enabling obfuscation.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host MAC address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma separated list)
# obfuscation_list=
    Copy to Clipboard Toggle word wrap

  3. Remove the preceding hash (#) character, before obfuscation_list= and add the following line: 

    obfuscation_list=mac
    Copy to Clipboard Toggle word wrap

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    The obfuscate and obfuscate_hostname options are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file contains obfuscation_list and the deprecated obfuscation options, the obfuscation_list configuration takes precedence and you will see a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original MAC address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original MAC address in the command-line output of some insights-client commands.

Example

  • The original host system MAC address: 

    08:00:27:7c:fc:0f
    Copy to Clipboard Toggle word wrap

  • The obfuscated host MAC address 

    1e:fb:bc:2e:4a:6d
    Copy to Clipboard Toggle word wrap

  • The following image shows a screen capture of the example obfuscated MAC address in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated MAC address in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on multiple systems, the same obfuscated MAC address gets generated. Therefore, in the example scenario provided, when you search or filter by MAC address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 1e:fb:bc:2e:4a:6d. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated MAC address in the archive file.

5.3.4. Obfuscating hostnames
Copier lien

When you obfuscate the hostnames of your systems in Red Hat Lightspeed, the value of the hostname configured in /etc/hostname is masked in the console GUI and in the archive file before it is sent to Red Hat. When obfuscation is enabled, the hostname value in /etc/hostname changes to a 12-character UUID that is automatically generated by the Python data cleaning process.

Tip

An obfuscated hostname can be difficult to recognize. Setting a display name can help you to more easily identify your obfuscated hosts. The display name does not get obfuscated and displays in the Red Hat Lightspeed console UI. Only the value of /etc/hostname gets obfuscated.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    obfuscation_list=
    Copy to Clipboard Toggle word wrap

  3. Add the following line to the obfuscation_list section to enable hostname obfuscation: 

    obfuscation_list=hostname
    Copy to Clipboard Toggle word wrap
    Note

    To add multiple obfuscation options, separate them with commas. For example, to obfuscate the hostname and an IPv6 IP address, you would add: 

    obfuscation_list=hostname,ipv6
    Copy to Clipboard Toggle word wrap

  4. If your configuration file contains the older obfuscate_hostname=True or obfuscate_hostname=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    The obfuscate and obfuscate_hostname options are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file contains obfuscation_list and the deprecated obfuscation options, the obfuscation_list configuration takes precedence and you will see a warning message in the output.

  5. Optional: Assign a display name to your system so that you can more easily find and manage your obfuscated hosts in the Red Hat Lightspeed console UI by adding the following line: 

    display_name=example-display-name
    Copy to Clipboard Toggle word wrap
    Note

    You can also set a display name by using the following command: 

    [root@rhlightspeed]# insights-client --display-name ITC-4
    Copy to Clipboard Toggle word wrap
  6. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the hostname gets masked in the Red Hat Lightspeed console UI, logs, and any archive data files that Red Hat collects.

Note
  • If you configure hostname obfuscation on more than one system, you might see multiple systems with the same hostname in the Red Hat Lightspeed GUI as a result of obfuscation.
  • After you enable obfuscation, there might be instances where the original hostname displays in the command-line output of some insights-client commands.

Example

  • The original hostname of the system in /etc/hostname: 

    RTP.data.center.01
    Copy to Clipboard Toggle word wrap

  • The obfuscated /etc/hostname as it displays in Red Hat Lightspeed: 

    90f4a9365ce0.example.com
    Copy to Clipboard Toggle word wrap

  • The following screenshot of the Red Hat Hybrid Cloud Console UI shows an example of a system whose hostname and IP address are obfuscated:

    An example of an obfuscated hostname in the Red Hat Hybrid Cloud Console UI

Chapter 6. Red Hat Lightspeed client data redaction
Copier lien

Red Hat Lightspeed handles data collection by using Red Hat Lightspeed core collection. For redaction purposes, core collection replaces a limited JSON-file (.cache.json and .uploader.json) and shell script data collection method. In addition, core collection:

  • Is compatible with the Red Hat Lightspeed client 3.0 and later.
  • Uses YAML files to determine which commands and files to redact.
  • Uses robust Python data cleaning processes.
  • Supports complex data collection by using datasources and avoids the possible limitations of using JSON files, such as uploader.json and shell scripts.
  • Allows you to use more easily maintained datasources to know which datasources that are part of insights-core.

For more information about the Red Hat Lightspeed client core collection, datasources, and collection rules, see the following resources:

Important

Using .cache.json and uploader.json files to redact data is no longer supported by Red Hat. Use Datasources instead.

Preventing the collection of Personally Identifiable Information (PII)

Red Hat Lightspeed collects a minimal amount of data, including data that might contain personally identifiable information (PII). To prevent PII (or other configuration data) from being collected, apply data redaction.

For information about how Red Hat Lightspeed handles data collection, see Red Hat Lightspeed data and application security.

To redact data in Red Hat Lightspeed, you need Red Hat Lightspeed client 3.0 and the following YAML configuration files to control the redaction actions:

  • file-redaction.yaml
  • file-content-redaction.yaml

You can use one or both files, depending on the content you want to redact.

To find the items to redact, Red Hat Lightspeed client uses the default configuration of the insights-client.conf configuration file to call the file-redaction.yaml and file-content-redaction.yaml files. The following example shows an example of the default configuration for redaction in the insights-client.conf file: 

# Location of the redaction file for commands, files, and components
#redaction_file=/etc/insights-client/file-redaction.yaml

# Location of the redaction file for patterns and keywords
#content_redaction_file=/etc/insights-client/file-content-redaction.yaml
Copy to Clipboard Toggle word wrap

While you do not need to change the configuration of the insights-client.conf file, you do need to create the YAML files.

Important

Red Hat no longer supports the use of the remove.conf configuration file to redact data.

How the YAML files work

The Red Hat Lightspeed client /etc/insights-client/file-redaction.yaml file lists commands and files that you want to redact. A Python data cleaning process runs on the file-redaction.yaml file and redacts the listed commands and files.

Note

When the Python data cleaning process runs, it redacts the specified content before adding it to the archive file.

The /etc/insights-client/file-content-redaction.yaml defines pattern redaction and keyword replacement. For pattern redaction, the process redacts patterns or regular expressions that match those specified in the YAML file. For keyword replacement, the process replaces the specified keywords with generic identifiers.

You can create the /etc/insights-client/file-redaction.yaml file and include a list of commands and system files that you want redacted. When the data redaction takes place, a Python data cleaning process runs, and analyzes the contents of the YAML file.

Note

The output of the listed commands or files does not get included in the uploaded archive file.

Prerequisites

  • You must be familiar with the basics of YAML syntax. For more information about YAML, see yaml.org.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-redaction.yaml file.

  2. Enter the strings, files: and commands:, on separate lines in the YAML file. 

    files:


commands:
    Copy to Clipboard Toggle word wrap

  3. Specify the files and commands you want to redact:

    1. On the line following files:, enter the files that you want to redact. Use the information in the Datasources catalog to identify which files and commands to specify. For example, if you want to redact the auditd.conf file, this is how it would look: 

      files:
  - /etc/audit/auditd.conf
      Copy to Clipboard Toggle word wrap

    2. On the line following commands:, enter the commands that you want to redact. Use the information in the Datasources catalog to identify which commands to specify. For example, if you want to redact the ethtool -i command, this is how it would look: 

      commands:
  - ethtool_i
      Copy to Clipboard Toggle word wrap
  4. Save the YAML file in /etc/insights-client/.

  5. Verify that the file-redaction.yaml file permissions are root owner only by running ll file-redaction.yaml as root, on the command line. 

    [root@rhlightspeed]# ll file-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-redaction.yaml
    Copy to Clipboard Toggle word wrap

Example file-redaction.yaml file with comments

The following example shows a sample file-redaction.yaml file that includes commands and files to redact. Comments, which are lines preceded by a hash symbol (#), also offer guidance to help you configure the YAML file. 

# file-redaction.yaml
---
# Redact the entire output of commands
# Specify commands by either full command or by the "symbolic_name" like “ethtool_i.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

 commands:
- /bin/rpm -qa
- /bin/ls
- ethtool_i

# Redact the entire output of files
# Specify files either by full filename or
by the "symbolic_name" for example, “cluster_conf.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

files:
- /etc/audit/auditd.conf
- cluster_conf
Copy to Clipboard Toggle word wrap

Verification step

To verify that your redaction file is working, you can run the insights-client command with the --no-upload option, then review the output messages on your console or terminal.

  1. On the command line, enter the insights-client command with the --no-upload option, and press Return. 

    [root@rhlightspeed]# insights-client --no-upload
    Copy to Clipboard Toggle word wrap

  2. The command runs and displays informational messages. The following example shows the redaction of the dmesg command and the cluster.conf file. 

    WARNING: Excluding data from files
Starting to collect Red Hat Lightspeed data for I-HOST
WARNING: Skipping command /bin/dmesg
WARNING: Skipping file /etc/cluster/cluster.conf
Archive saved at /var/tmp/qsINM9/rhlightspeed-ITC-4-20190925180232.tar.gz
    Copy to Clipboard Toggle word wrap

The generated archive file gets saved to /var/tmp but the file is not uploaded to Red Hat.

6.1.2. Configuring YAML pattern and keyword redaction
Copier lien

The /etc/insights-client/file-content-redaction.yaml file redacts files using two methods: pattern redaction and keyword replacement. Pattern redaction uses either a pattern match or regular expression match. In keyword replacement, a Python data cleaning process replaces the keyword with a generic identifier.

Prerequisites

  • You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-content-redaction.yaml file.

    Example

    # file-content-redaction.yaml
---
# Pattern redaction per matching line
#  Lines that match a pattern are excluded from files and command output.
#  Patterns are processed in the order that they are listed.
# Example

patterns:
 - "a_string_1"
 - "a_string_2"

# Regular expression pattern redaction per line
#  Use "regex:" to wrap patterns with regular expressions"
# Example

patterns:
 regex:
 - "abc.*def"
 - "localhost[[:digit:]]"


# Keyword replacement redaction
#  Replace keywords in files and command output with generic identifiers
#  Keyword does not support regex
# Example

keywords:
- "1.1.1.1"
- "My Name"
- "a_name"
    Copy to Clipboard Toggle word wrap

  2. Make sure the file-content-redaction.yaml file permissions are set for root owner only. 

    [root@rhlightspeed]# ll file-content-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-content-redaction.yaml
    Copy to Clipboard Toggle word wrap

6.2. Verifying the Red Hat Lightspeed client archive
Copier lien

You can verify the contents of the archive file. By inspecting the archive file, you can confirm what data is sent to Red Hat.

If you use obfuscation or redaction, you can inspect the archive before it uploads. If you want to preserve the archive file, you can keep it on your system.

6.2.1. Verifying the archive before uploading
Copier lien

To inspect the archive before the Python data cleaning script uploads it to Red Hat Lightspeed, run the insights-client command with the --no-upload option, and then save the file without uploading it. This allows you to view the information that the client sends to Red Hat Lightspeed, and to verify your obfuscation or redaction settings.

The archive file is stored in the /var/tmp/ directory. When insights-client completes, it displays the file name.

Prerequisites

  • Make sure the /etc/insights-client/insights-client.conf file is correctly configured.

Procedure

  1. Enter the insights-client command with the --no-upload option. 

    [root@rhlightspeed]# insights-client --no-upload
    Copy to Clipboard Toggle word wrap

    The command displays informational messages when redaction or obfuscation is applied. 

    WARNING: Excluding data from files
Starting to collect Red Hat Lightspeed data for ITC-4
WARNING: Skipping patterns found in remove.conf
WARNING: Skipping command /bin/dmesg
WARNING: Skipping command /bin/hostname
WARNING: Skipping file /etc/cluster/cluster.conf
WARNING: Skipping file /etc/hosts
Archive saved at /var/tmp/qsINM9/rhlightspeed-ITC-4-20190925180232.tar.gz
    Copy to Clipboard Toggle word wrap

  2. Navigate to the temporary storage directory as shown in the Archive saved at message. 

    [root@rhlightspeed]# cd /var/tmp/qsINM9/
    Copy to Clipboard Toggle word wrap

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf rhlightspeed-ITC-4-20190925180232.tar.gz
    Copy to Clipboard Toggle word wrap

    The script creates a new directory that contains the files.

To keep a copy of the archive for inspection after the Python data cleaning script uploads it to Red Hat Lightspeed, run insights-client and then save the file. This allows you to verify the information that the client sends to Red Hat Lightspeed, and to verify your obfuscation or redaction settings.

Prerequisites

  • Make sure the /etc/insights-client/insights-client.conf file is correctly configured.

Procedure

  1. Enter the insights-client command with the --keep-archive option. 

    [root@rhlightspeed]# insights-client --keep-archive
    Copy to Clipboard Toggle word wrap

    The command displays informational messages. 

    Starting to collect Red Hat Lightspeed data for ITC-4
Uploading Red Hat Lightspeed data.
Successfully uploaded report from ITC-4 to account 6229994.
Red Hat Lightspeed archive retained in /var/tmp/ozM8bY/rhlightspeed-ITC-4-20190925181622.tar.gz
    Copy to Clipboard Toggle word wrap

  2. Navigate to the temporary storage directory displayed in the Red Hat Lightspeed archive retained in message. 

    [root@rhlightspeed]# cd /var/tmp/ozM8bY/
    Copy to Clipboard Toggle word wrap

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf rhlightspeed-ITC-4-20190925181622.tar.gz
    Copy to Clipboard Toggle word wrap

    The script creates a new directory that contains the files.

Chapter 7. System filtering and groups
Copier lien

Red Hat Lightspeed enables you to filter systems in inventory, as well as by individual service. Red Hat Lightspeed also allows you to filter groups of systems by three criteria:

  • Groups running SAP workloads
  • Satellite host groups
  • Custom filters that you define in a YAML file

Use the global Filter Results box to filter by SAP workloads, Satellite host groups, or custom filters added to the Red Hat Lightspeed client configuration and file filters added to the Red Hat Lightspeed client configuration file.

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Red Hat Lightspeed client

7.1. SAP workloads
Copier lien

As Linux becomes the mandatory operating system for SAP ERP workloads in 2025, Red Hat Enterprise Linux and Red Hat Lightspeed are working to make Red Hat Lightspeed the management tool of choice for SAP administrators.

As part of this ongoing effort, Red Hat Lightspeed automatically tags systems running SAP workloads and by SAP ID (SID), without any customization needed by administrators. To filter those workloads throughout the Red Hat Lightspeed application, use the global Filter Results drop-down menu.

7.2. Satellite host groups
Copier lien

Satellite host groups are configured in Satellite and automatically recognized by Red Hat Lightspeed.

7.3. Custom system tagging
Copier lien

You can apply custom grouping and tagging to your systems registered to Red Hat Lightspeed. This is a way for you to add contextual markers to individual systems, filter by those tags in the Red Hat Lightspeed application, and more easily focus on related systems. Custom tags can be especially valuable when deploying Red Hat Lightspeed at scale, with hundreds or thousands of systems under management.

In addition to the ability to add custom tags to several Red Hat Lightspeed services, you can add predefined tags. The advisor service can use these tags to create targeted recommendations for your systems that might require more attention, such as those systems that require a higher level of security.

7.3.1. Filter structure
Copier lien

Filters use a namespace=value or key=value paired structure.

  • Namespace. The namespace is the name of the ingestion point, insights-client. This value cannot be changed. The tags.yaml file is abstracted from the namespace, which is injected by the client before upload.
  • Key. You can create the key or use a predefined key from the system. You can use a mix of capitalization, letters, numbers, symbols and whitespace.
  • Value. You can define your own descriptive string value. You can use a mix of capitalization, letters, numbers, symbols and whitespace.

7.3.2. Creating a custom group and the tags.yaml file
Copier lien

To create and add tags to /etc/insights-client/tags.yaml, use insights-client with the --group=<name-you-choose> option. Running this command on your systems that are registered to Red Hat Lightspeed, completes the following actions:

  • Creates the etc/insights-client/tags.yaml file
  • Adds the group= key and <name-you-choose> value to tags.yaml
  • Uploads a fresh archive from the system to the Red Hat Lightspeed application making the new tag immediately visible along with your latest results

Prerequisites

  • Root-level access to your system.

Procedure

  1. Run the following command as root, adding your custom group name in place of <name-you-choose>: 

    [root@server ~]# insights-client --group=<name-you-choose>
    Copy to Clipboard Toggle word wrap
  2. Optional: To add additional tags, edit the /etc/insights-client/tags.yaml file.
  3. Navigate to Inventory > Systems and log in if necessary.
  4. Click the Filter by tags drop-down menu. You can also use the search box to enter all or part of the tag’s name to automatically show systems with that text in the tags.
  5. Scroll up or down the list to locate the tag.
  6. Click the tag to filter by it.

  7. Verify that your system is among the results on the advisor systems list.

    1. Navigate to Inventory > Systems and log in if necessary.
    2. Activate the Name filter and begin typing the system name until you see your system, then select it.
    3. The tag symbol is a darker color, and the number beside it shows the correct number of tags applied.

After you create the group tag, you can edit the contents of tags.yaml to add or modify tags.

The following procedure shows how to edit the /etc/insights-client/tags.yaml file, then verify the tag exists in the Red Hat Lightspeed > RHEL > Inventory > Systems.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Open the tag configuration file, tags.yaml, in an editor. 

    [root@server ~]# vim /etc/insights-client/tags.yaml
    Copy to Clipboard Toggle word wrap

  2. Edit the file contents or add additional key=value pairs. Add additional key=value pairs if needed. Use a mix of capitalization, letters, numbers, symbols, and whitespace. The following example shows how to organize tags.yaml when adding more than one tag to a system. 

    group: _group-name-value_
location: _location-name-value_
description:
- RHEL8
- SAP
key 4: value
    Copy to Clipboard Toggle word wrap
  3. Save your changes and close the editor.

  4. Generate an upload to Red Hat Lightspeed. 

    [root@server ~]# insights-client
    Copy to Clipboard Toggle word wrap
  5. Navigate to Inventory > Systems and log in if necessary.

  6. In the Filter Results box, click the down arrow and select one of the filters or enter the name of the filter and select it.

    Note

    You can search by the tag key or by its value.

  7. Find your system among the results.
  8. Verify that the filter icon is darkened and shows a number representing the number of filters applied to the system.

Red Hat Lightspeed advisor service recommendations treat every system equally. However, some systems might require more security than others, or require different networking performance levels. In addition to the ability to add custom tags, Red Hat Lightspeed provides predefined tags that the advisor service can use to create targeted recommendations for your systems that might require more attention.

To opt in and get the extended security hardening and enhanced detection and remediation capabilities offered by predefined tags, you need to configure the tags. After configuration, the advisor service provides recommendations based on tailored severity levels, and preferred network performance that apply to your systems.

To configure the tags, use the /etc/insights-client/tags.yaml file to tag systems with predefined tags in a similar way that you might use it to tag systems in the inventory service. The predefined tags are configured using the same key=value structure used to create custom tags. Details about the Red Hat-predefined tags are in the following table.

Expand
Table 7.1. List of Supported Predefined Tags
KeyValueNote

security

normal (default) / strict

With the normal (default) value, the advisor service compares the system’s risk profile to a baseline derived from the default configuration of the most recent version of RHEL and from often-used usage patterns. This keeps recommendations focused, actionable, and low in numbers. With the strict value, the advisor service considers the system to be security-sensitive, causing specific recommendations to use a stricter baseline, potentially showing recommendations even on fresh up-to-date RHEL installations.

network_performance

null (default) / latency / throughput

The preferred network performance (either latency or throughput according to your business requirement) would affect the severity of an advisor service recommendation to a system.

Note

The predefined tag keys names are reserved. If you already use the key security, with a value that differs from one of the predefined values, you will not see a change in your recommendations. You will only see a change in recommendations if your existing key=value is the same as one of the predefined keys. For example, if you have a key=value of security: high, your recommendations will not change because of the Red Hat-predefined tags. If you currently have a key=value pair of security: strict, you will see a change in the recommendations for your systems.

Additional resources

7.4.1. Configuring predefined tags
Copier lien

You can use the Red Hat Lightspeed advisor service’s predefined tags to adjust the behavior of recommendations for your systems to gain extended security hardening and enhanced detection and remediation capabilities. You can configure the predefined tags by following this procedure.

Prerequisites

  • You have root-level access to your system
  • You have Red Hat Lightspeed client installed
  • You have systems registered within the Red Hat Lightspeed client
  • You have created the tags.yaml file. For information about creating the tags.yaml file, see Creating a tags.yaml file and adding a custom group.

Procedure

  1. Using the command line, and your preferred editor, open /etc/insights-client/tags.yaml. (The following example uses Vim.) 

    [root@server ~]# vi /etc/insights-client/tags.yaml
    Copy to Clipboard Toggle word wrap

  2. Edit the /etc/insights-client/tags.yaml file to add the predefined key=value pair for the tags. This example shows how to add security: strict and network_performance: latency tags. 

    # cat /etc/insights-client/tags.yaml
group: redhat
location: Brisbane/Australia
description:
- RHEL8
- SAP
security: strict
network_performance: latency
    Copy to Clipboard Toggle word wrap
  3. Save your changes.
  4. Close the editor.

  5. Optional: Run the insights-client command to generate an upload to Red Hat Lightspeed, or wait until the next scheduled Red Hat Lightspeed upload. 

    [root@server ~]# insights-client
    Copy to Clipboard Toggle word wrap

Confirming that predefined tags are in your production area

After generating an upload to Red Hat Lightspeed (or waiting for the next scheduled Red Hat Lightspeed upload), you can find out whether the tags are in the production environment by accessing Red Hat Lightspeed > RHEL > Inventory > Systems. Find your system and look for the newly created tags. You see a table that shows:

  • Name
  • Value
  • Tag Source (for example, insights-client).

The following image shows an example of what you see in inventory after creating the tag.

highlighted information that shows current name and value and the tag source
View larger image
highlighted information that shows current name and value and the tag source

Example of recommendations after applying a predefined tag

The following image of the advisor service shows a system with the network_performance: latency tag configured.

shows a recommendation that has a higher Total Risk that is Important and another recommendation that has a Total Risk of Moderate
View larger image
shows a recommendation that has a higher Total Risk that is Important and another recommendation that has a Total Risk of Moderate

The system shows a recommendation with a higher Total Risk level of Important. The system without the network_performance: latency tag has a Total Risk of Moderate. You can make decisions about prioritizing the system with higher Total Risk.

Chapter 8. Changing the insights-client schedule
Copier lien

You can disable, enable, and modify the schedule that controls when the Red Hat Lightspeed client runs. By default, the Red Hat Lightspeed client runs every 24 hours. The timers in the default schedules vary so that all systems do not run the client at the same time.

8.1. Disabling the Red Hat Lightspeed client schedule
Copier lien

You must disable the client schedule before you can change the default Red Hat Lightspeed client settings and create a new schedule.

The procedure you use to disable the insights-client schedule depends on your Red Hat Enterprise Linux and client versions.

Additional resources

8.1.1. Disabling the client schedule
Copier lien

Prerequisites

  • Root-level access to your system

  • Red Hat Lightspeed client version 3.x and later

    • NOTE: The --no-schedule option is deprecated in Client 3.x and later.

Procedure

  1. Enter the insights-client command with the --version option to verify you have the required client version installed. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1
    Copy to Clipboard Toggle word wrap

  2. Enter the insights-client command with the --disable-schedule option to disable the client schedule. 

    [root@rhlightspeed]# insights-client --disable-schedule
    Copy to Clipboard Toggle word wrap

8.2. Enabling the Red Hat Lightspeed client schedule
Copier lien

When you first enable the client schedule, it runs using its default settings. If you make changes to the schedule, those settings take precedence.

When you run insights-client from the command line, Red Hat Lightspeed client runs using the settings you specify for only that session. When the next scheduled run takes place, it uses the default settings.

You can enable the client schedule so that it runs on its default settings. If you change the default schedule settings, the changed settings take precedence.

Prerequisites

  • Root-level access to your system.
  • The client schedule is disabled.
  • (Optional) You modified the default schedule.

Procedure

  1. To verify the client version, enter the insights-client command with the --version option. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1
    Copy to Clipboard Toggle word wrap

  2. Enter the insights-client command with the --enable-schedule option to enable the client schedule. 

    [root@rhlightspeed]# insights-client --enable-schedule
    Copy to Clipboard Toggle word wrap

8.3. Modifying the Red Hat Lightspeed client schedule
Copier lien

To change when the Red Hat Lightspeed client runs, modify the schedule. The method that you use depends on the RHEL release and client version that your system is running.

Select the procedure that matches your version of RHEL.

  • For Red Hat Enterprise Linux 7.4 and earlier, use cron to modify the system schedule.
  • For Red Hat Enterprise Linux 7.5 and later, update the systemd settings and the insights-client-timer file.

8.3.1. Scheduling insights-client using systemd settings
Copier lien

Note

Use this for systems running RHEL 7.5 and later with Client 3.x.

You can change the default schedule for running insights-client by updating the system systemd settings and the insights-client.timer file.

Prerequisites

  • Root-level access to your system.

Procedure

  1. To edit the settings in the insights-client.timer file, enter the systemctl edit command and the file name. 

    [root@rhlightspeed]# systemctl edit insights-client.timer
    Copy to Clipboard Toggle word wrap

    This action opens an empty file with the default system editor, on RHEL 6, 7, and 8. On RHEL 9 and later, running the command opens a file with a template that includes the original systemd service file as a reference.

  2. Enter different settings to modify the schedule. The values in this example are the default settings for systemd. 

    [Timer]
OnCalendar=daily
RandomizedDelaySec=14400
    Copy to Clipboard Toggle word wrap

  3. Enable the insights-client schedule. 

    [root@rhlightspeed]# insights-client --enable-schedule
    Copy to Clipboard Toggle word wrap

Additional resources

Red Hat Lightspeed now provides the optional --build-packagecache command to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches for insights-client, and creates a refreshed list of applicable updates for the system.

You can run the command manually to rebuild the package caches immediately, or you can edit the client configuration file (/etc/insights-client/insights-client.conf) to rebuild the package caches automatically each time the system checks in to Red Hat Lightspeed.

Additional resources

By default, automatic collection rule updates are enabled for Red Hat Lightspeed. You can edit the client configuration file to disable them or re-enable them.

9.1. Disabling automatic rule updates for Red Hat Lightspeed
Copier lien

You can disable the automatic collection rule updates for Red Hat Lightspeed. If you do so, you risk using outdated rule definition files and not getting the most recent validation updates.

Prerequisites

  • Root-level access to your system.
  • Automatic rule updates are enabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains 

    #auto_update=True
    Copy to Clipboard Toggle word wrap

  3. Remove the # and change True to False. 

    auto_update=False
    Copy to Clipboard Toggle word wrap
  4. Save and close the /etc/insights-client/insights-client.conf file.

9.2. Enabling automatic rule updates for Red Hat Lightspeed
Copier lien

You can re-enable the automatic collection rule updates for Red Hat Lightspeed, if you previously disabled updates. By default, automatic rule update is enabled.

Prerequisites

  • Root-level access to your system.
  • Automatic rule collection is disabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains 

    auto_update=False
    Copy to Clipboard Toggle word wrap

  3. Change False to True. 

    auto_update=True
    Copy to Clipboard Toggle word wrap
  4. Save and close the /etc/insights-client/insights-client.conf file.

Chapter 10. Creating a diagnostic log for support
Copier lien

If you need help from the Red Hat support team, you can create and share diagnostic log files. These log files can help the support team to troubleshoot issues with insights-client.

10.1. Creating a diagnostic log
Copier lien

You can create a diagnostic log to share with the support team.

Prerequisites

  • You have root-level access to your system.
  • You have installed the Red Hat Lightspeed client on your system.

Procedure

  1. Enter the insights-client command with the --support option. 

    [root@rhlightspeed]# insights-client --support
    Copy to Clipboard Toggle word wrap

    The command displays informational messages while creating the support file. 

    Collecting logs...
Red Hat Lightspeed version: insights-core-3.0.121-1
Registration check:
status: True
unreachable: False
. . . .
Copying Red Hat Lightspeed logs to archive...
Support information collected in /var/tmp/H_Y43a/insights-client-logs-20190927144011.tar.gz
    Copy to Clipboard Toggle word wrap

  2. Navigate to the collection directory as shown in the Support information collected in message. 

    [root@rhlightspeed]# cd /var/tmp/H_Y43a
    Copy to Clipboard Toggle word wrap

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf insights-client-logs-20250912112824.tar.gz
    Copy to Clipboard Toggle word wrap

    Extracting the tar.gz copies the log files into your current directory. You can share the tar.gz file with the support team if requested.

Appendix A. Command options for insights-client
Copier lien

As a system administrator with root privileges, you can use the insights-client command and its options to control the Red Hat Lightspeed client operation on your system. Because the insights-client.rpm is updated less frequently than individual components in Red Hat Lightspeed, the man page might not include the most recent information about insights-client.

Each time you enter the insights-client command, the client collects data and sends it to Red Hat Lightspeed.

Note

Using the insights-client --display-name command to set the display name takes effect immediately, but does not run the Red Hat Lightspeed client.

A.1. Options for the Red Hat Lightspeed client
Copier lien

Expand
Table A.1. insights-client user command options
OptionDescription

--help

-h

Display help information

--register

Register the host to Red Hat Lightspeed by using the information in /etc/hostname. Will automatically enable the nightly cron job unless --disable-schedule is set.

--unregister

Unregister the host from Red Hat Lightspeed.

--display-name=DISPLAY_NAME

Set or change the host display name in the GUI. Use with --register to set the value of display_name when the host is registered if you want to use a different name than the one specified in /etc/hostname. You can also use the --display-name option after registration to override the name shown for this host in Red Hat Lightspeed inventory.

--group=GROUP

Add host to GROUP during registration. Group names are defined in /etc/insights-client/tags.yaml.

--retry=RETRIES

Set the number of times to retry an upload. The default is 1. The retry interval is 180 seconds, which is how long the Red Hat Lightspeed client waits until retrying the upload.

NOTE: In the scheduler, the number of retries is 3.

--validate

Validate /etc/insights-client/tags.yaml, /etc/insights-client/file-redaction.yaml, and /etc/insights-client/file-content-redaction.yaml files.

--quiet

Only log error messages to the console.

--silent

Log nothing to the console.

--enable-schedule

Enable the job schedule. By default, the Red Hat Lightspeed client runs daily, at or near midnight.

NOTE: If you are using Client 1.x, use the --register option to enable the schedule.

--disable-schedule

Disable the nightly job schedule.

--conf=CONF

-c=CONF

Use a custom configuration file CONF instead of the default /etc/insights-client/insights-client.conf file.

NOTE: This option is NOT available for RHEL 10 systems.

--no-upload

Runs the client but does not upload the archive to Red Hat Lightspeed. The archive is stored in the /var/tmp/ directory. The file name displays when the insights-client command completes.

--offline

Run the client without using network functionality. Implies --no-upload.

--logging-file=LOGFILE

Output the log data to the specified log file (LOGFILE). The default log file is /var/log/insights-client/insights-client.log

NOTE: This option is NOT available for RHEL 10 systems.

--diagnosis

Fetch diagnostic information from the API. You need to ensure that the system has been registered and uploaded at least once before you can use --diagnosis.

--compliance

Scan the system with OpenSCAP and upload the report.

--compliance-policies

Lists all the policies that the system can be assigned to and provides useful information in the output table for the following categories:

  • Assigned: Lists the status of the policy as False (system does not have the policy assigned) or True (system has the policy assigned)
  • ID: Lists the unique ID (UUID) for the policy.
  • Title: Lists the name of the Security Content Automation Protocol (SCAP) policy to which you can add your system.

--compliance-assign

Assigns the system to the policy by using the ID that is output from insights-client --compliance-policies.

--compliance-unassign

Unassigns the system from the policy by using the ID that is output from insights-client --compliance-policies.

--payload=PAYLOAD

Upload a specific archive payload file to Red Hat Lightspeed. Requires --content-type to be set.

--content-type=TYPE

Set the content type for PAYLOAD. Type can be gz, bz2, xz, or none. The value of TYPE must match the --compressor used with the payload file.

--show-results

Display analysis results fetched by --check-results.

--output-dir=DIR

Write the collection to a specified directory instead of uploading.

--output-file=FILE

Write the collection to a specified archive instead of uploading.

--ansible-host=ANSIBLE_HOST

Set or change the Ansible hostname in Red Hat Lightspeed inventory. Use this option during registration when you want to set a different name than the one specified in /etc/hostname or the configuration file. You can also use this option to override the hostname injected into playbooks targeting this host as generated by Red Hat Lightspeed remediations.

--list-specs

Show insights-client collection specs.

--build-packagecache

Refresh the system package manager cache.

--manifest=MANIFEST

The specified manifest YAML file that defines what Red Hat Lightspeed Core should collect.

--checkin

Do a lightweight check-in instead of a full upload.

--collector=APP

Run the specified app and upload its results archive.

For example, specify:

  • --collector malware-detection to use Red Hat Lightspeed to help detect the presence of malware. For more information, see the Additional resources section.
  • --collector compliance to instruct Red Hat Lightspeed to scan the system with OpenSCAP and upload the report. This action can also be achieved by using the`--compliance` option instead.

Additionally, use the following insights-client command options when you need to debug Red Hat Lightspeed client operations:

Expand
Table A.2. insights-client debug options
OptionDescription

--version

Print the versions of insights-client Client and Core.

--test-connection

Test connectivity to the Red Hat Lightspeed services.

--verbose

Log all debug output to the console.

--no-upload

Runs the client but does not upload the archive. The archive gets stored in the /var/tmp/ directory. The file name displays when insights-client completes.

--keep-archive

Store the archive in the /var/cache/insights-client/ directory after upload.

--support

Generate a diagnostic log for support.

--status

Display host registration status.

--net-debug

Log network calls to the console.

Additional resources

You can use the settings in the /etc/insights-client/insights-client.conf configuration file to change how the Red Hat Lightspeed client operates on your system.

When the configuration file and the CLI have similar options, the CLI option is executed when you enter the insights-client command. When the scheduler runs the client, the configuration file options are executed.

Note

You must enter the choices exactly as shown. True and False use initial capital letters.

The changes initiated by the options take effect either at the next scheduled run, or when you enter the insights-client command. The options should be formatted as key=value pairs.

Expand
Table B.1. insights-client.conf configuration options
OptionDescription

ansible_host

Use this option if you want a different hostname when running Ansible playbooks.

authmethod=CERT

Set the authentication method. Valid option is CERT. The default value is CERT.

auto_config=True

Use this to auto configure with Satellite server. Values can be True (default) or False.

NOTE: When auto_config=True (default), the authentication method used is CERT.

auto_update=True

Automatically update the dynamic configuration. The default is True. Change to False if you do not want to automatically update.

base_url=cert-api.access.redhat.com:443/r/insights

This is the base URL for the API.

cmd_timeout=120

This is for commands run during collection and is measured in seconds. The command processes are terminated when the timeout value is reached.

content_redaction_file

Use this to omit lines or keywords from files and commands in the core collection. The core collection is a more comprehensive result set.

You do not need to change the default configuration. The content_redaction_file option uses the /etc/insights-client/file-content-redaction.yaml file by default.

display_name

Use this as the display name for registration. The default is to use /etc/hostname.

NOTE: This value interacts with the insights-client --display-name command. If you use the CLI to change the display name but a different display name is enabled in the configuration file, the display name reverts to the configuration file value when the scheduler runs the Red Hat Lightspeed client.

http_timeout=120

This is for HTTP calls and is measured in seconds. The command processes terminate when the timeout value is reached.

[insights-client]

This is a required first line of the configuration file, even if you specify a different location or name for the client configuration file.

loglevel=DEBUG

Use this to change the log level. Options are: DEBUG, INFO, WARNING, ERROR, and CRITICAL. The default is DEBUG. The default log file location is /var/log/insights-client/insights-client.log.

obfuscation_list=<ipaddress_type>

Use this to specify which IP connectivity protocol for the addresses to be obfuscated in the data collection. The default is empty, which means no obfuscation. Supported options are: ipv4, ipv6, hostname, and mac. For example, to obfuscate the IP address (IPv6) and the hostname, set obfuscation_list=ipv6,hostname.

IMPORTANT: The obfuscate and obfuscate_hostname options are deprecated and will be removed in a future release of Red Hat Lightspeed. If your configuration file contains obfuscation_list and the deprecated obfuscation options, the obfuscation_list configuration takes precedence and you will see a warning message in the output. Remove the deprecated options from your configuration file.

proxy

Use this for the URL for your proxy. Example: http://user:pass@192.168.100.50:8080

redaction_file

Use this to omit files or commands from the core collection. The core collection is a more comprehensive result set.

You do not need to change the default configuration. The redaction_file option uses /etc/insights-client/file-redaction.yaml by default.

Providing feedback on Red Hat documentation
Copier lien

We appreciate and prioritize your feedback regarding our documentation. Provide as much detail as possible, so that your request can be quickly addressed.

Prerequisites

  • You are logged in to the Red Hat Customer Portal.

Procedure

To provide feedback, perform the following steps:

  1. Click the following link: Create Issue
  2. Describe the issue or enhancement in the Summary text box.
  3. Provide details about the issue or requested enhancement in the Description text box.
  4. Type your name in the Reporter text box.
  5. Click the Create button.

This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to provide feedback.

Legal Notice
Copier lien

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat