Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Registering RHEL systems and configuring client tools with Red Hat Lightspeed

Red Hat Lightspeed 1-latest

This document provides information on registering RHEL systems and configuring Red Hat Lightspeed with client tools.

Red Hat Customer Content Services

Abstract

Chapter 1. Client tools and components
Copy link

Red Hat Enterprise Linux (RHEL) client tools are a collection of utilities that you can use to connect, register, and manage RHEL systems. These tools, such as the insights-client, subscription-manager, and the remote host configuration client (rhc), facilitate system registration, entitlement management, and proactive remediation. By integrating RHEL and the correct User Access permissions for your needs with Red Hat Lightspeed and other Red Hat services, these clients streamline the deployment, troubleshooting, and optimization of your hybrid cloud environment.

1.1. Understanding the client tools and components
Copy link

Before you register or manage your system, you should understand the client tools that are available. Red Hat Enterprise Linux (RHEL) includes several client tools:

  • The rhc client
  • The subscription-manager
  • The insights-client

Learning the purpose of each tool helps you understand how they integrate to connect your RHEL system to Red Hat services. After learning about the clients and their components, make sure that you have the correct Hybrid Cloud Console User Access roles and permissions required for a successful connection. After you complete the steps, you can register your systems.

1.1.1. The rhc client
Copy link

The rhc client is the recommended tool to register and manage your RHEL systems that are connected to the Red Hat Hybrid Cloud Console. Use the rhc client to register and connect systems directly to Red Hat services.

Note

To register and connect systems with Red Hat Satellite or Capsule, see Red Hat Satellite product documentation.

The rhc client works in conjunction with insights-client and subscription-manager to offer a unified client experience including the registration of the system to Red Hat, and the configuration of feature levels and the remote management capabilities.

The remote host configuration service includes the following two main components:

  • The rhc client remote host configuration client (a client-side daemon)
  • The remote host configuration manager (a server-side service)

The remote host configuration (rhc) client enables the following capabilities:

  • Easy registration. With the rhc client, you can register systems to Red Hat Subscription Management (RHSM) and Red Hat Lightspeed.
  • Remediations and Tasks from Red Hat Lightspeed. When you connect systems to Red Hat Lightspeed with the rhc client, you can manage the end-to-end experience of finding and fixing issues. Registered systems can directly use tasks and remediation playbooks that are automatically generated from remediation plans and executed from within the Red Hat Lightspeed Automation Toolkit.

RHC client components and support. The rhc client is preinstalled and fully supported with all Red Hat Enterprise Linux (RHEL) 8.6 and later installations, with the exception of minimal installations. The rhc client consists of the following utility programs:

  • The yggdrasil (rhcd on version RHEL 9 and earlier) daemon runs on the system and listens for messages from the Hybrid Cloud Console. On properly configured systems, the yggdrasil daemon can receive and execute playbooks that are generated by Red Hat Lightspeed remediation plans.
  • The rhc command-line utility for RHEL.

Remote remediation using the remote host configuration manager. To enable or disable Red Hat Lightspeed remediation capabiliities for systems that connect using the rhc client and that are also running the yggdrasil daemon, use the remote host configuration manager.

You can access the remote host configuration manager, by logging in to the Red Hat Hybrid Cloud Console as a user with RHC user privileges. To make changes to settings in the remote host configuration manager, located at Red Hat Hybrid Cloud Console > Red Hat Lightspeed > Inventory > System Configuration > Remote Host Configuration (RHC), you need RHC administrator privileges.

1.1.2. The subscription-manager client
Copy link

As an option, you can use the subscription-manager client to directly register your RHEL systems, but the available RHSM features will be limited with Red Hat Lightspeed. Registering with only the subscription-manager client will establish your system’s identity and provide access to the Red Hat Content Delivery Network (CDN) for updates and packages. For additional features provided by Red Hat Lightspeed, consider using the rhc client.

1.1.3. The insights-client
Copy link

The insights-client is mainly responsible for collecting data for analytics provided by Red Hat Lightspeed. The insights-client relies on the subscription-manager client to establish the identity of the system.

The insights-client is available for the following releases of Red Hat Enterprise Linux (RHEL).

Expand
RHEL releaseComments

RHEL 10

Distributed with insights-client pre-installed.

RHEL 9

Distributed with insights-client pre-installed.

RHEL 8

Distributed with insights-client pre-installed, unless RHEL 8 was installed as a minimal installation.

RHEL 7

Distributed with the insights-client RPM package loaded but not installed.

Additional resources

Red Hat uses role-based access control (RBAC) to manage user permissions on the Red Hat Hybrid Cloud Console. You can use the User Access feature of Hybrid Cloud Console to control which Red Hat Lightspeed applications on the Hybrid Cloud Console your users can view, operate, and administer. Red Hat provides predefined groups and a set of predefined roles to make it easier for Organization Administrators to assign, restrict, and remove user permissions to Red Hat Lightspeed services.

1.2.1. User Access overview
Copy link

The User Access feature is based on managing roles, rather than on individually assigning permissions to specific users. In User Access, each role has a specific set of permissions. For example, a role might allow read permission for an application. Another role might allow write permission for an application.

You can also create custom groups and roles to provide more fine-tuned control over specific features of Red Hat Lightspeed to suit the needs of your organization.

If you are an Organization Administrator, you can use the User Access feature under Identity & Access Management in the Hybrid Cloud Console to:

  • Control user permissions and organize roles.
  • Create groups that include roles and their corresponding permissions.
  • Assign users to these groups, allowing them to inherit the permissions associated with their group’s roles.

1.2.2. Predefined groups in User Access
Copy link

To make groups and roles easier to manage, the Red Hat Hybrid Cloud Console provides two predefined groups: Default access and Default admin access. You can also create your own custom groups to align with specific personas, job functions, or teams in your organization.

1.2.2.1. The Default access group
Copy link

By default, the Default access group is assigned many granular predefined roles, such as Remediations viewer and Inventory Hosts viewer, so that group members have basic visibility. Because all users in your organization are members of the Default access group, they inherit all permissions assigned to that group. The Default access group is automatically updated by Red Hat.

Important

If your Organization Administrator modifies the Default access group, for example, by removing roles to restrict access to specific applications or to use the consolidated roles, the group is automatically renamed to Custom default access. Once converted, this group is no longer automatically updated by Red Hat.

1.2.2.2. The Default admin access group
Copy link

The Default admin access group contains only users who have Organization Administrator permissions. This group is automatically maintained, and users and roles in this group cannot be changed.

The Default admin access group includes many (but not all) predefined roles that provide update and delete permissions. The roles in this group usually include administrator in their names.

1.2.3. Predefined roles assigned to groups
Copy link

The Red Hat Hybrid Cloud Console provides predefined roles that bundle permissions across multiple Red Hat Lightspeed applications to align with common user personas. Use the predefined roles if you want to reduce the administrative effort required to manage user permissions, and your use case aligns with the permissions included in these roles.

If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the predefined roles, you can create custom roles.

You can also use the predefined roles as a starting point to create custom roles that are tailored to your specific use case. For example, you can use the predefined granular roles to create custom roles that provide more fine-tuned control over specific features of Red Hat Lightspeed.

By default, Red Hat provides a set of consolidated roles and a set of granular roles in the Red Hat Hybrid Cloud Console User Access UI. The consolidated roles significantly reduce the administrative effort required to manage user permissions, while the granular roles provide more fine-tuned control over specific features of Red Hat Lightspeed.

You can use the predefined consolidated and granular roles in User Access simultaneously, but using consolidated roles can significantly reduce the administrative effort.

The Red Hat Hybrid Cloud Console provides three predefined, consolidated User Access roles to help you manage user permissions to Red Hat Lightspeed applications and services that run on registered Red Hat Enterprise Linux systems. These roles help simplify how the Organization Administrator creates groups and permissions for various levels of access to the Red Hat Lightspeed services. If you want to reduce the administrative effort required to manage user permissions and your use case aligns with the permissions included in these roles, select from the consolidated roles library.

The consolidated roles are as follows:

RHEL viewer: The RHEL viewer role provides users visibility without the ability to make changes. It allows read-only access to Red Hat Lightspeed. You can view system configurations, compliance reports, inventory data, patch information, vulnerabilities, and overall resource states and activities. The only action permitted with this role is to generate activation keys.

RHEL operator: The RHEL operator role allows active management of your Red Hat Lightspeed environment. With this role, you can edit system configurations, inventory details, policies, and notification/integration settings. The RHEL operator role allows many of the RHEL administrator role functions, but it is restricted from editing compliance policies, content source templates, policies, or tasks. In addition, the RHEL operator role cannot execute remediation plans.

RHEL administrator: The RHEL administrator role provides comprehensive administrative privileges across your RHEL systems and Red Hat Lightspeed. With this role, you can manage system configurations, inventory, compliance policies, notifications, patch management, remediations, malware detection, and advisor recommendations. The role can also view and modify all vulnerability settings.

Important

To use the consolidated roles effectively, you might need to remove the granular RHEL roles from the Default access group to prevent permission conflicts. This action automatically changes the name of the predefined Default access group to Custom default access group, after which, it is no longer automatically updated by Red Hat.

See Predefined User Access roles for a list of the roles included in the Default admin access group and a reference table that lists most of the predefined groups and roles that are available in the Red Hat Hybrid Cloud Console and the permissions included in each role.

1.2.3.2. Granular roles
Copy link

The granular roles are specific roles for individual services that allow for fine-tuned control over specific features of Red Hat Lightspeed, for example, Inventory Hosts administrator or Compliance viewer. If you want to have more control over specific features of Red Hat Lightspeed and your use case does not align with the permissions included in the consolidated roles, use the granular predefined roles.

Tip

Across the Red Hat Lightspeed product documentation, the Prerequisites section for each procedure lists which predefined roles provide the permissions needed to use the features in that procedure. For example, if a procedure requires permissions to view and manage remediations, the Prerequisites section for that procedure lists the Remediations administrator or other valid role as a recommended predefined role to use for that procedure.

1.2.4. Check your permissions
Copy link

If you try to access Red Hat Lightspeed applications in the Red Hat Hybrid Cloud Console and see a message stating you do not have permission, you can verify your current permissions and the roles or groups you are assigned to.

Note

Only users with the Organization Administrator role can view the permissions of other users in the User Access settings and manage user permissions to Red Hat Lightspeed services. For more information, see the Configure user permissions section.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console.

Procedure

  1. In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to My User Access.
  2. Optional: If you require additional permissions, use the Red Hat Hybrid Cloud Console Virtual Assistant to ask "Contact my Organization Administrator". The assistant sends an email to the Organization Administrator on your behalf.

Results

All of the applications that you have permissions to access are listed on this page and are grouped by product, for example, RHEL, OpenShift Container Platform, and Ansible Automation Platform.

You can also filter your permissions by application, for example, by advisor, cost management, inventory, and remediations.

1.2.5. Configure user permissions
Copy link

If you are an Organization Administrator, you can view and manage the permissions of all users in your organization to Red Hat Lightspeed and other Red Hat Hybrid Cloud Console services in the User Access section of the Identity & Access Management feature in the Hybrid Cloud Console.

Important

If you are not an Organization Administrator, you will be unable to complete this task. However, you can check your own permissions for different applications by navigating to My User Access. Contact your Organization Administrator to request more permissions.

Prerequisites

  • You are logged in to the Red Hat Hybrid Cloud Console as an Organization Administrator, or you have the required administrator User Access role permissions.

Procedure

  1. In the Hybrid Cloud Console, click the Settings icon (⚙), then navigate to Identity & Access Management > User Access.

Results

From here, you can create and manage:

  • Roles to determine permissions to Red Hat Lightspeed services and features
  • Groups to include one or more roles to align with a specific persona, job function, or team in your organization
  • Users and their assignment to groups to inherit permissions from the roles assigned to those groups

Understand the predefined roles that enable you to manage and remediate your RHEL systems remotely by using the remote host configuration manager with Red Hat Lightspeed.

The following User Access roles enable standard or enhanced access to the remote host configuration manager in the Red Hat Hybrid Cloud Console:

Expand
Table 1.1. Permissions provided by the User Access roles
User Access roleGrants permissions to …​Included in Default access group

RHC administrator

  • Do any operations in the remote host configuration manager.
 

RHC user

  • View the current status of remote host configuration.

X

RHEL administrator

  • Do everything that a RHEL operator can do.
  • Administer RHEL system configs, inventory, compliance, notifications, patch management, execute remediation plans, malware detection, and advisor.
  • View and modify vulnerability settings.
 

RHEL operator

  • Do everything that a RHEL viewer can do.
  • Edit system configs, inventory, policies, notifications, and integrations.
  • View compliance reports, patch info, malware detections, and recommendations.
  • Create remediation plans, manage stale data, and change vulnerability settings.

Note: The RHEL operator role is restricted from editing compliance policies, content source templates, policies, or tasks. Also, the RHEL operator role cannot execute remediation plans.

 

RHEL viewer

  • Read all available data across Red Hat Lightspeed services and features.

    • View system configs, compliance reports, inventory data, patch info, vulnerabilities, and more to observe the state of resources or activities.
Note

Cannot perform actions other than generating activation keys.

 

See also the following information about the required User Access roles for remotely executing remediation plans in the Red Hat Hybrid Cloud Console:

1.3. Install the insights-client
Copy link

The insights-client is automatically installed when you install a new RHEL system with the default settings. Certain types of RHEL deployments, such as minimal installation or RHEL instances deployed from pre-built images provided by the Red Hat Certified Cloud and Service Providers (CCSP), might not install the insights-client. Installation steps vary slightly depending on your RHEL version and installation type, either standard or minimal.

After you install the insights-client, register your system. Registering your system might require activation keys. For more information about registering systems and activation keys, see: Getting started with activation keys on the Hybrid Cloud Console.

You can install insights-client on an existing Red Hat Enterprise Linux (RHEL) system connected to Red Hat Cloud Access to get automated system health checks and other services to find and fix problems before they cause problems with systems in your organization.

Additional resources

You can install the insights-client on an existing, cloud marketplace-purchased Red Hat Enterprise Linux system that is managed by Red Hat Update Infrastructure (RHUI) to get automated system health checks and other services to find and fix issues before they cause problems with systems in your organization.

Prerequisites

  • Root-level access for the system.

Procedure

  • Enter the following command to install the current version of the insights-client package:

    RHEL versions 6 and 7 

    [root@server ~]# yum install insights-client

    RHEL version 8 and later 

    [root@server ~]# dnf install insights-client

    Verification step

    Run the following command to confirm successful installation of the insights-client: 

    [root@server ~]# insights-client --version

The insights-client runs automatically based on its scheduler settings. By default, it runs every 24 hours. To run the client interactively, enter the insights-client command.

When you run insights-client, the following values and settings determine the results:

  1. Values that you enter when you run insights-client from the command line temporarily override the preset configuration file settings and system environment settings. Any values that you enter for options in the insights-client command are used only for that instance of insights-client.
  2. Settings in the configuration file (/etc/insights-client/insights-client.conf) override system environment settings.
  3. Values of any system environment variables (printenv) are not affected by the commands entered on the command line or the client configuration files.

To register your RHEL system to Red Hat services, you must establish your system’s identity in the Hybrid Cloud Console. One of the ways that you can do that is by using the recommended rhc client.

2.1. System registration with the rhc client
Copy link

Before configuring your system to connect using the rhc client, review the configuration in Red Hat Hybrid Cloud Console > Red Hat Lightspeed > Inventory > System Configuration > Remote Host Configuration (RHC). The remote host configuration manager settings affect how Red Hat Lightspeed remediations function with the system.

Additional resources

2.2. Register RHEL 10 systems
Copy link

You can register your RHEL 10 system by using the remote host configuration (rhc) client to connect to Red Hat services with the default feature levels.

This connection enables all available features: access to Red Hat content, analytics for Red Hat Lightspeed, and remote management. You can also disable any of the default feature levels.

Prerequisites

Procedure

  1. Open a terminal window.

  2. To register the system with the default feature levels and ensure the system can execute remediations and tasks from Red Hat Lightspeed, enter the following commands: 

    # rhc connect --activation-key=<activation_key> --organization=<organization_ID>
     
    # dnf install -y rhc-worker-playbook

  3. Optional: To disable any of the features while you register your system, enter the following command: 

    # rhc connect --activation-key=<activation_key_name> --organization=<organization_ID> --disable-feature <feature>

    • Where you can replace feature with:

      • content - Provides access to Red Hat CDN repositories.
      • analytics - Enables data collection for Red Hat Lightspeed.

      • remote-management - Establishes an additional MQTT network connection to Red Hat services for remote execution of certain actions from the Red Hat Hybrid Cloud Console.

        Example

        To register your system with remote management disabled, but allow the system access to RHEL content and data for Red Hat Lightspeed analytics, enter: 

        # rhc connect --activation-key=<activation_key_name> --organization=<organization_ID> --disable-feature remote-management

Verification

  • To confirm the active features when registering with default options: 

    # rhc status
     
    Connection status for hostname.example.com:
✓ Connected to Red Hat Subscription Manager
✓ Content ... Red Hat repository file generated
✓ Analytics ... Connected to Red Hat Lightspeed
✓ Remote Management ... The yggdrasil service is active

  • To confirm the active features with remote-management disabled: 

    # rhc status
     
    Connection status for hostname.example.com:
✓ Connected to Red Hat Subscription Manager
✓ Content ... Red Hat repository file generated
✓ Analytics ... Connected to Red Hat Lightspeed
[ ] Remote Management ...  The yggdrasil service is inactive
    Important

    To use remote management, you must enable the yggdrasil daemon. When yggdrasil is inactive, remote management is also inactive.

If you have a RHEL 10 system, you can use remote host configuration (rhc) to set feature levels when registering with the Red Hat Hybrid Cloud Console.

By default, rhc connects your systems with the remote management feature level. This feature level includes access to RHEL content, analytics for Red Hat Lightspeed, and remote management (remediations and tasks services). If you want to opt out of any of these features, you can disable them when you register your systems.

Note

Customizing feature levels functionality is only available with Red Hat Enterprise Linux version 10.

See the following table for more details about feature levels:

Expand
Feature LevelFeature Level Name in the Command Line InterfaceDescription

Access to Red Hat content

Content

This feature level provides access to content in the Red Hat Content Delivery Network (CDN). With this feature level enabled, you can install and update packages.

Analytics for Red Hat Lightspeed

Analytics

This feature level collects data from your system using the insights-client and sends it to the Red Hat Hybrid Cloud Console. Then, Red Hat Lightspeed analyzes your data and returns recommendations. You must have the content feature enabled to use the analytics feature.

Remote Management (Default)

remote-management

With this feature level enabled, you can use the remediations and tasks services. You must have the content and analytics features enabled to use the remote management feature.

2.3. Register RHEL 9 systems
Copy link

If you have a Red Hat Enterprise Linux version 9 system, you can use remote host configuration (rhc) to register your system:

Prerequisites

Procedure

  • Open your command-line interface (CLI), and run the following commands on your client system: 

    # rhc connect --activation-key=<activation_key_name> --organization=<organization_ID>
     
    # dnf install -y rhc-worker-playbook

Verification

Enter the following command in your CLI: 

# rhc status

  • If the procedure is successful, you will see the following output: 

    Connection status:
✓ Connected to Red Hat Lightspeed
✓ Connected to Red Hat Subscription Manager
✓ The remote host configuration daemon is active

2.4. Register RHEL 8 systems
Copy link

If you have a Red Hat Enterprise Linux 8 system, you can use remote host configuration (rhc) to register your system.

Prerequisites

Procedure

  • Open your command-line interface (CLI), and run the following commands on your client system: 

    # rhc connect --activation-key=<activation_key_name> --organization=<organization_ID>
     
    # dnf install -y rhc-worker-playbook

  • Run the following command: 

    # rhc status

  • If the registration is successful, you will see the following output: 

    Connection status:
✓ Connected to Red Hat Subscription Manager
✓ Connected to Red Hat Lightspeed
✓ The remote host configuration daemon is active

Additional Resources

2.5. Handle legacy and conversion registrations
Copy link

Register and connect RHEL 8.7 and earlier systems, or convert specialized systems like CentOS 7 to RHEL, by using legacy clients (subscription-manager, insights-client). You can still ensure all your non-standard hosts are reporting to Red Hat Services without using the rhc client.

The main reason to use the legacy client to register a RHEL system to Red Hat Services is to have more control over the features and the data collected from the system. With RHEL 10.0, the rhc client has a concept of “feature level” that allows it to control the level of information collected from the system. However, for RHEL 8.0 and RHEL 9.0, achieving a registration by using the rhc client enables all the features with no command-line options needed to make adjustments. Using only the subscription-manager or a combination of subscription-manager and insights-client remains a supported route.

To register a system running a version of RHEL 8.7 or earlier, or to manually control feature levels by using Red Hat Lightspeed, use the following two-step process:

  • Register to Red Hat Subscription Manager (RHSM) with the subscription-manager client.
  • Register the system with insights-client.

Prerequisites

Procedure

  1. To register a system running Red Hat Enterprise Linux version 7 or 8, use an activation key and your Organization ID to register with RHSM. 

    # subscription-manager register --activationkey=_activation_key_name_ --org=_organization_ID_

  2. Enter the insights-client command to complete registration for the Red Hat Lightspeed service. 

    # insights-client --register

To convert a CentOS Linux 7 system to a RHEL, first register it with Red Hat to connect to Red Hat Lightspeed. After completing backups and other prerequisites, perform a pre-conversion analysis to identify risks for the conversion. You can then use the Red Hat Lightspeed conversion task for converting the system to a fully-supported RHEL 7 environment.

Additional resources

To prepare your RHEL system to automatically run tasks and remediation plans, you must use both the rhc client and the insights-client. Together, these tools allow Red Hat Lightspeed to automatically generate and execute Ansible Playbooks to address identified issues. To enable your system with automated remediation, install and activate core components, complete system registration and enable remote management with the yggdrasil daemon. Your systems can directly use tasks and remediation playbooks from the Red Hat Lightspeed Automation Toolkit after registration.

Additional resources

Chapter 3. Unregister systems
Copy link

Unregister your systems to stop uploading data to Red Hat services. You can use the insights-client to disconnect specifically from Red Hat Lightspeed, or use the rhc client client to perform a comprehensive unregistration from both Red Hat Lightspeed and the Red Hat Customer Portal.

You can unregister your system with Red Hat Lightspeed. When you do so, your system information is no longer uploaded to Red Hat Lightspeed.

Prerequisites

  • Root-level access to your system.
  • Your system is registered with Red Hat Lightspeed.

Procedure

  • Enter the insights-client command with the --unregister option. 

    [root@rhlightspeed]# insights-client --unregister

Verification

  • Enter the following command to confirm the status and verify that the system has been successfully unregistered: 

    [root@rhlightspeed]# insights-client --status

    If the command is successful, you will see the following output: 

    This host is unregistered.

Re-registering a system is not a recommended practice because it may lead to duplicate host entries in the Red Hat Lightspeed inventory service. If a re-registration of the system is needed, using the correct steps to unregister and register the system again helps to prevent duplicate host entries in the Red Hat Lightspeed inventory service. One of the main reasons you might need to re-register a system is to change the feature level associated with a registered RHEL 10 system.

Important

If you are a Red Hat Satellite user and you plan to upgrade or rebuild your Satellite system by doing a fresh install, you must re-register that system in Red Hat Lightspeed. Ensure that you unregister the system in Red Hat Lightspeed before you begin the upgrade. After you have reinstalled the Satellite system, register it again with the insights-client. Otherwise, you might see duplicate host entries or other unexpected results.

To re-register a system in Red Hat Lightspeed, use the insights-client --unregister and --register commands.

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the insights-client

Procedure

  1. On the command line, enter the insights-client command with the --unregister option. 

    [root@rhlightspeed]# insights-client --unregister

  2. Enter the insights-client command with the --register option. 

    [root@rhlightspeed]# insights-client --register

    Verification

    • Successfully re-registering a system by using the insights-client command, creates a new Red Hat Lightspeed profile, and results in the display of following output in your terminal: 

      [root@rhlightspeed]# Successfully uploaded report for <machine name>
View the Red Hat Lightspeed console at https://console.redhat.com/insights/

If you already registered a RHEL 10 system and want to change its feature levels, you have two options:

  • Change features manually without using the rhc client commands that are available only during the initial registration process.
  • Unregister and then register the system again with the feature levels that you want.

3.3.1. Change feature levels manually
Copy link

You cannot change the feature level by using the rhc client after the initial registration phase is completed. If you already registered a system and want to change the feature level, you must manually enable and disable features. For example, to change how a system is managed remotely, manually enable or disable the remote management feature.

Prerequisites

  • You have logged in to the system as root or have sudo permissions.

Procedure

  • To enable the remote management feature manually:

    1. Enable the insights-client by entering the following command: 

      # insights-client --register

    2. Install the rhc-worker-playbook by entering the following command: 

      # dnf install -y rhc-worker-playbook

    3. Start and enable the yggdrasil service by entering the following commands: 

      # systemctl start yggdrasil
# systemctl enable yggdrasil

  • To disable the remote management service manually:

    1. Enter the following command to stop the yggdrasil service: 

      # systemctl stop yggdrasil

    2. Enter the following command to disable the yggdrasil service: 

      # systemctl disable yggdrasil

Verification

  • Verify that the yggdrasil service is active and enabled, or inactive and disabled by running the following on a command line: 

    # systemctl status yggdrasil

    The log message indicates that the service is active or inactive.

Additional resources

3.3.2. Re-register to change feature levels
Copy link

You might need to change the feature levels on a system to do a something such as restricting remote access. One of the ways to change the feature level on an already registered system is to unregister and then re-register the system by using the rhc client command.

Important

It is important to properly unregister the system before you re-register. Re-registering a system will delete your customized configuration settings and also create a duplicate system record in your Inventory > Systems.

Disconnecting by using the rhc client unregisters your system from both the Red Hat Customer Portal and Red Hat Lightspeed and disables the yggdrasil service.

Prerequisites

  • You have logged in to the system as root or have sudo permissions
  • You have an activation key and an organization ID to register your system

Procedure

  1. On the command line, enter the following command to unregister the system: 

    # rhc disconnect
  2. After you unregister the system, re-register the system with the needed feature level enabled. For more information see Registering Red Hat Enterprise Linux 10 systems.

To ensure that your RHEL systems are maintaining connectivity and reporting accurate data to Red Hat Lightspeed, perform routine maintenance by using both rhc and insights-client. With rhc and insights-client, you can edit global settings, adjust connection settings, and change features after registering systems to Red Hat Lightspeed.

4.1. Use remote host configuration manager
Copy link

You can use the rhc client using remote host configuration manager to control the global remote host configuration (rhc) settings for Red Hat Enterprise Linux systems connecting to Red Hat Lightspeed. You can enable or disable the execution of remediations playbooks, which affects the execution of the remediation plan. To access the remote host configuration manager, log in to the Red Hat Hybrid Cloud Console as a user with RHC user privileges. The remote host configuration manager is located at Red Hat Hybrid Cloud Console > Red Hat Lightspeed > Inventory > System Configuration > Remote Host Configuration (RHC).

You can use the remote host configuration manager to edit remote host configuration connection settings to enable and disable permissions to run remediation playbooks on rhc-connected systems.

Prerequisites

  • You must be logged into the Red Hat Hybrid Cloud Console.
  • You must have RHC administrator privileges.

Procedure

Maintain a strong connection between the remote host configuration (rhc) and Red Hat Hybrid Cloud Console, by optionally setting the recommended option for a 10-second reconnect delay. This involves adding the line, mqtt-reconnect-delay = "10s" to the /etc/rhc/config.toml file and restarting the rhcd.service to ensure uninterrupted remote management and monitoring.

Prerequisites

  • You have root-level access to the system or sudo permissions.
  • You have an rhc version that is between 0.2.4 and version 0.3.

Procedure

  1. Open the following file: /etc/rhc/config.toml
  2. Add this option to the file mqtt-reconnect-delay = "10s"
  3. Save your changes.

  4. Type the following command in the terminal: 

    # systemctl restart rhcd.service

Verification

  • Type the following command in the terminal: 

    # systemctl status rhcd.service

  • If the command completed successfully, you should see the following statement returned: 

    # `Active: active (running)`

    The statement also includes a timestamp.

4.2. Manage system connectivity and networking
Copy link

To successfully connect your RHEL systems to Red Hat Lightspeed for registration and data transfer, make sure your network configuration and firewall allow necessary outbound traffic. If your network uses a proxy, configure your RHEL systems to use the proxy for outbound connections. Review the required prerequisites and configurations to configure your network correctly and ensure your firewall is open. This helps ensure your RHEL clients can register and send data to Red Hat Lightspeed using the client tools.

Additionally, to use remote management capabilities, verify that connections to required Red Hat systems on standard ports and the MQTT port are open.

For subscription-manager, the system must be able to reach the following destination and TCP ports:

  • subscription.rhn.redhat.com:443 (https)
  • subscription.rhsm.redhat.com:443 (https)
  • cdn.redhat.com:443 (https)
  • *.akamaiedge.net:443 (https)
  • *.akamaitechnologies.com:443 (https)

Additional resources

4.2.2. The insights-client destinations and ports
Copy link

For Red Hat Lightspeed to collect data, the system must be able to reach the following destination and TCP ports:

  • api.access.redhat.com:443 (https)
  • cert-api.access.redhat.com:443 (https)

Additional resources

For the rhc daemon (rhcd) to communicate with the MQTT message broker, the system must be able to reach reach connect.cloud.redhat.com:443 (https).

  • connect.cloud.redhat.com:443 (https)

4.2.4. Add a proxy for rhc
Copy link

When you run rhc on your RHEL systems, the system attempts to establish connections to several Red Hat endpoints. If these are blocked, the registration will fail, so you will need to add a proxy for rhc to connect to Red Hat.

Prerequisites

  • You have root-level access to your system

Procedure

  1. On a command line, run the following commands to add a proxy for rhc to use to connect to Red Hat.

  2. Use the following commands to add a proxy for rhc to use to connect to Red Hat. 

    # mkdir -p /etc/systemd/system/rhcd.service.d
     
    # cat /etc/systemd/system/rhcd.service.d/proxy.conf
     
    [Service]
Environment=HTTPS_PROXY=http://proxy.corp.com:8888
     
    # systemctl daemon-reload
     
    # systemctl restart rhcd

4.3. Manage system display and status
Copy link

To maintain an accurate inventory and ensure reliable management of your Red Hat Enterprise Linux (RHEL) systems, you can manage system identity and connection status. Performing management tasks such as, renaming a host, checking the client version, and unregistering or re-registering systems helps prevent duplicate entries in your inventory, which can lead to confusion, inaccurate reporting, and potential configuration errors.

4.3.1. Change the host display name
Copy link

You can change the host display name as it appears in the graphical user interface (GUI) to help streamline identifying your inventory, meet organizational naming conventions, or other reasons. Make this change either when you register the system with Red Hat Lightspeed, or after registration. If you do not assign a display name when you register the system, Red Hat Lightspeed uses the value in /etc/hostname. Changing the display name is optional, so you need to decide if you want to use a display name in addition to the default hostname.

Note

Using the insights-client command to set the display name takes effect immediately, but does not run the client.

Note

If you obfuscate the hostname, the hostname configured in /etc/hostname is obfuscated. Assign a display name so that you can identify a host even when its hostname is obfuscated.

Prerequisites

  • Root-level access to the system.

Procedure

  • Enter the insights-client command with the --display-name option and specify a display name. 

    [root@rhlightspeed]# insights-client --display-name ITC-4
System display name changed from None to ITC-4

  • To create a display name that contains spaces, use double quotes. 

    [root@rhlightspeed]# insights-client --display-name "ITC-4 B9 4th floor"
System display name changed from None to ITC-4 B9 4th floor

Additional resources:

4.3.2. Display the client version
Copy link

You can display the insights-client version and client core version.

Prerequisites

  • Root-level access to your system.

Procedure

  • Enter the insights-client command with the --version option. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

Additional resources

By default, the insights-client runs every 24 hours. The timers in the default schedules are random so that all systems do not run the client at the same time. You can disable, enable, or modify the schedule to control when the system performs data collection, although changes from the default might affect performance. To ensure that host information remains up-to-date extending the timers beyond 24 hours is not recommended.

4.4.1. Disable the insights-client schedule
Copy link

You must disable the client schedule before you can change the default insights-client settings and create a new schedule. The procedure you use to disable the insights-client schedule depends on your Red Hat Enterprise Linux and client versions.

Prerequisites

  • Root-level access to your system

  • The insights-client version 3.x and later

    • NOTE: The --no-schedule option is deprecated in Client 3.x and later.

Procedure

  1. Enter the insights-client command with the --version option to verify that you have the required client version installed. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

  2. Enter the insights-client command with the --disable-schedule option to disable the client schedule. 

    [root@rhlightspeed]# insights-client --disable-schedule

4.4.2. Enable the insights-client schedule
Copy link

When you enable the client schedule, it runs using its default settings. If you change the schedule, those settings take precedence.

When you run insights-client from the command line, insights-client runs using the settings you specify for only that session. When the next scheduled run takes place, it uses the default settings.

Prerequisites

  • Root-level access to your system.
  • The client schedule is disabled.
  • (Optional) You modified the default schedule.

Procedure

  1. Verify the client version on your system by entering the insights-client command with the --version option. 

    [root@rhlightspeed]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

  2. Enter the insights-client command with the --enable-schedule option to enable the client schedule. 

    [root@rhlightspeed]# insights-client --enable-schedule

You can change when the insights-client runs by modifying the schedule. The method that you use depends on the RHEL release and client version that your system is running. For Red Hat Enterprise Linux 7.5 and later, you can update the systemd settings and the insights-client.timer file.

Important

If you update the schedule using cron or the systemd.timer, those customized settings take precedence. However, if you change settings using the insights-client on the command line, the settings apply only to that session. When the next scheduled run takes place, the client uses your persistent customized settings.

Note

For Red Hat Enterprise Linux 7.4 and earlier, use cron to modify the system schedule. For more information about using cron, see the Red Hat Knowledgebase solution, What is cron and how is it used?.

Prerequisites

  • You have root-user access to your system.

Procedure

  1. To edit the settings in the insights-client.timer file, enter the systemctl edit command and the file name. 

    [root@rhlightspeed]# systemctl edit insights-client.timer

    This action opens an empty file with the default system editor, on RHEL 6, 7, and 8. On RHEL 9 and later, running the command opens a file with a template that includes the original systemd service file as a reference.

  2. Enter different settings to modify the schedule. The values in this example are the default settings for systemd. 

    [Timer]
OnCalendar=daily
RandomizedDelaySec=14400

  3. Enable the insights-client schedule. 

    [root@rhlightspeed]# insights-client --enable-schedule
    • For more information, refer to the man pages for systemctl(1), systemd.timer(5), and systemd.time(7) to understand systemd

You can re-enable the automatic collection rule updates for Red Hat Lightspeed, if you previously disabled updates. By default, automatic rule update is enabled. Re-enable these updates to ensure that your system continues to benefit from the latest security and performance analysis provided by Red Hat Lightspeed.

Prerequisites

  • Root-level access to your system.
  • Automatic rule collection is disabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains the following: 

    auto_update=False

  3. Change False to True. 

    auto_update=True
  4. Save and close the /etc/insights-client/insights-client.conf file.

4.4.5. Disable automatic rule updates
Copy link

You can disable the automatic collection rule updates for Red Hat Lightspeed, but it is not a recommended action to take. Disabling the automatic rule updates puts your systems at risk of using outdated rule definition files and not getting the most recent validation or updates from Red Hat’s hosted services.

Prerequisites

  • Root-level access to your system.
  • Automatic rule updates are enabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains 

    #auto_update=True

  3. Remove the # and change True to False. 

    auto_update=False
  4. Save and close the /etc/insights-client/insights-client.conf file.

You can use the --build-packagecache option to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches for insights-client, and creates a refreshed list of applicable updates for the system.

You can run the command manually to rebuild the package caches immediately, or you can edit the client configuration file, /etc/insights-client/insights-client.conf, to rebuild the package caches automatically each time the system checks in to Red Hat Lightspeed.

Additional resources

To minimize data collection and enhance data privacy, configure data obfuscation and redaction for your Red Hat systems. To obfuscate, use client tools to mask sensitive and unique identifiers like IP addresses and hostnames. To redact, use client tools to exclude specific file content or command output. Finally, verify the effects of these configurations by inspecting the contents of the generated insights archive file before and after you upload.

5.1. System facts
Copy link

A data collector is an application or service that regularly sends host information, updates, or system profile data to Red Hat Lightspeed inventory. insights-client is a data collector for Red Hat Lightspeed.

System facts are the metadata that data collectors collect about your RHEL systems. These facts describe runtime configuration, system health, and system performance. The insights-client uses the system facts it collects to populate inventory data in Red Hat Lightspeed and to update existing data. Red Hat Lightspeed also uses system facts to analyze system performance and to create recommendations for services such as advisor or remediations.

Additional resources

5.2. Data obfuscation
Copy link

IP addresses, Media Access Control (MAC) addresses, and hostnames uniquely define devices on the internet. Red Hat Lightspeed has optional controls for excluding the IP address, MAC address, and hostname from the data file transmitted to Red Hat and to obfuscate the values within the user interface. This helps to protect the privacy of your systems and users by masking sensitive information.

Several client tools and products from Red Hat work together to provide a full range of functionalities. Depending on your setup, different tools can collect information from your systems at the same time. Some of the tools have built-in features for configuring obfuscation or redaction. To achieve the desired state of data privacy, you must take many aspects into consideration, such as the feature-level requirements and how the system consumes the content.

Important

Directly connected systems. It is not possible to achieve a true obfuscation or redaction of the system information because the subscription-manager must remain enabled on the system and continues to report data from the system regardless of how insights-client or rhc are configured.

You cannot prevent the collection of certain key system information such as the hostname, IP or MAC addresses. For directly connected systems, even configuring data obfuscation in the insights-client will also not achieve the desired results.

Systems connected to a Red Hat Satellite or Capsule. It is not possible to fully prevent collection of key system information from the systems (hostname, IP, MAC addresses), but it is possible to adjust the feature level and to configure Satellite so that the data is never sent to Red Hat.

5.2.2. Configuring data obfuscation on the system
Copy link

Only systems registered to a Red Hat Satellite by using a combination of configured client tools and server settings in Satellite can fully obfuscate data. The insights-client obfuscation feature uses a Python data cleaning process which you can optionally enable to replace the hostname, IP address, or MAC address with preset values when the tool processes the Red Hat Lightspeed archive. The processed archive file containing the obfuscated values is then sent to Red Hat Lightspeed. Obfuscation is disabled by default.

Note
  • The Python data cleaning process automatically generates the masked values. You cannot choose the values for obfuscation.
  • The Red Hat Lightspeed compliance service uses OpenSCAP tools to generate compliance reports based on information from the host system. The collaboration with OpenSCAP prevents the compliance service’s ability to completely obfuscate or redact hostname and IP address data. Also, host information is sent to Red Hat Lightspeed when a compliance data collection job launches on the host system. Red Hat Lightspeed is working to improve obfuscation options for host information.

Additional resources

5.2.3. Obfuscate IPv4 IP addresses
Copy link

If your hosts use IPv4 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.

When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma-separated list)
# obfuscation_list=

  3. Remove the preceding hash (#) character, before obfuscation_list=, and add the following line: 

    obfuscation_list=ipv4

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    Remove deprecated obfuscate and obfuscate_hostname options from the configuration file. If your configuration file contains both obfuscation_list and deprecated options, the obfuscation_list takes precedence and insights-client displays a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original IPv4 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original IPv4 address in the command-line output of some insights-client commands.

  • The following example shows an original host system IP address: 

    192.168.0.24

  • The following example shows an obfuscated host IP address 

    10.230.230.1

  • The following screenshot provides an example of an obfuscated IPv4 IP address in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated IPv4 IP address in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on several systems, the same obfuscated IP address gets generated. Therefore, in the example scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console you might see several instances of 10.230.230.1. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses, can generate the same obfuscated IP address in the archive file.

5.2.4. Obfuscate IPv6 IP addresses
Copy link

If your hosts use IPv6 IP addresses, you can enable obfuscation of this data in the archive file before it is sent to Red Hat Lightspeed by setting an option in the insights-client configuration file. This helps to protect the privacy of your systems and users by masking sensitive information.

When you enable obfuscation, the original IP address of the host is replaced with a generated value in the archive file. This obfuscated value is used in the Red Hat Hybrid Cloud Console UI, logs, and any archive data files that Red Hat collects. However, you will still see the original IP address in the command-line output of some insights-client commands.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma separated list)
# obfuscation_list=

  3. Remove the preceding hash (#) character, before obfuscation_list=, and add the following line: 

    obfuscation_list=ipv6

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    Remove deprecated obfuscate and obfuscate_hostname options from the configuration file. If your configuration file contains both obfuscation_list and deprecated options, the obfuscation_list takes precedence and insights-client displays a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original IPv6 address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original IP address in the command-line output of some insights-client commands.

Example

  • Original host system IPv6 addresses: 

    ff00:f800:f801:f802::f806
ff00:f800:f801:f802:f00:f803:f804:f805
ff01::f00:f803:f804:f805

  • Obfuscated host IPv6 addresses: 

    fc47:d0f1:5ae7:e4e9::0477,
fc47:d0f1:5ae7:e4e9:fee:3939:5b4a:2c55,
70f1::fee:3939:5b4a:2c55,

  • The following image shows a screen capture of the example obfuscated IPv6 IP addresses in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated IP addresses in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on several systems, the same obfuscated IP address gets generated. Therefore, in the scenario provided, when you search or filter by IP address in the Red Hat Lightspeed UI on the Hybrid Cloud Console, you might see several instances of 70f1::fee:3939:5b4a:2c55. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses can generate the same obfuscated IP address in the archive file.

5.2.5. Obfuscate MAC addresses
Copy link

You can mask the Media Access Control (MAC) addresses of your hosts in the archive file before it is sent to Red Hat Lightspeed by enabling obfuscation.

Important

The obfuscation process uses a Python data cleaning process to generate a unique value for each host. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host MAC address to obfuscate.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    # Specify which will be obfuscated in the data collection,
# empty by default, and supported options are: ipv4, ipv6, hostname, mac
# (comma separated list)
# obfuscation_list=

  3. Remove the preceding hash (#) character, before obfuscation_list= and add the following line: 

    obfuscation_list=mac

  4. If your configuration file contains the older obfuscate=True or obfuscate=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    Remove deprecated obfuscate and obfuscate_hostname options from the configuration file. If your configuration file contains both obfuscation_list and deprecated options, the obfuscation_list takes precedence and insights-client displays a warning message in the output.

  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original MAC address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original MAC address in the command-line output of some insights-client commands.

  • The following example shows an original host system MAC address: 

    08:00:27:7c:fc:0f

  • The following example shows the equivalent obfuscated host MAC address 

    1e:fb:bc:2e:4a:6d

  • The following image shows a screen capture of the example obfuscated MAC address in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated MAC address in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on several systems, the same obfuscated MAC address gets generated. Therefore, in the example scenario provided, when you search or filter by MAC address in the Red Hat Lightspeed UI on the Hybrid Cloud Console, you might see several instances of 1e:fb:bc:2e:4a:6d. This is because the Python data cleaning process that the Red Hat Lightspeed obfuscation feature uses can generate the same obfuscated MAC address in the archive file.

5.2.6. Obfuscate hostnames
Copy link

To obfuscate system hostnames in Red Hat Lightspeed, mask the hostname found in the /etc/hostname file before insights-client sends data to Red Hat. As part of the obfuscation process, a Python data cleaning process generates a 12-character UUID and uses that UUID to replace the hostname in the data archive file and Hybrid Cloud Console.

Tip

An obfuscated hostname can be difficult to recognize. Setting a display name can help you to more easily identify your obfuscated hosts. The display name does not get obfuscated and displays in the Red Hat Lightspeed console UI. Only the value of /etc/hostname gets obfuscated.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, you must also configure the Red Hat Cloud settings before you can enable obfuscation in Red Hat Lightspeed:

    • In the Satellite web UI, navigate to Administer > Settings > Red Hat Cloud and enable the required obfuscation settings that apply to your environment.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section: 

    obfuscation_list=

  3. Add the following line to the obfuscation_list section to enable hostname obfuscation: 

    obfuscation_list=hostname
    Note

    To add multiple obfuscation options, separate them with commas. For example, to obfuscate the hostname and an IPv6 IP address, add: 

    obfuscation_list=hostname,ipv6

  4. If your configuration file contains the older obfuscate_hostname=True or obfuscate_hostname=False Red Hat Lightspeed obfuscation setting, remove that line of configuration.

    Important

    Remove deprecated obfuscate and obfuscate_hostname options from the configuration file. If your configuration file contains both obfuscation_list and deprecated options, the obfuscation_list takes precedence and insights-client displays a warning message in the output.

  5. Optional: Assign a display name to your system so that you can more easily find and manage your obfuscated hosts in the Red Hat Lightspeed console UI by adding the following line: 

    display_name=example-display-name
    Note

    You can also set a display name by using the following command: 

    [root@rhlightspeed]# insights-client --display-name ITC-4
  6. Save and close the /etc/insights-client/insights-client.conf file.

Result

  • When obfuscation is successfully enabled, the hostname gets masked in the Red Hat Lightspeed console UI, logs, and any archive data files that Red Hat collects.
  • If you configure hostname obfuscation on more than one system, you might see multiple systems with the same hostname in the Red Hat Lightspeed GUI as a result of obfuscation.
  • After you enable obfuscation, there might be instances where the original hostname displays in the command-line output of some insights-client commands.

Example

  • The original hostname of the system in /etc/hostname: 

    RTP.data.center.01

  • The following example shows the obfuscated /etc/hostname as it displays in Red Hat Lightspeed: 

    90f4a9365ce0.example.com

  • The following screenshot of the Red Hat Hybrid Cloud Console UI shows an example of a system whose hostname and IP address are obfuscated:

    An example of an obfuscated hostname in the Red Hat Hybrid Cloud Console UI

5.2.7. Obfuscation in Red Hat Satellite
Copy link

If you are using Red Hat Satellite to manage clients and register them on the console, you must enable obfuscation in the Satellite web user interface (UI) before configuring the client system. This prevents double-obfuscation issues. For more information about enabling obfuscation in Satellite, refer to the Red Hat Cloud settings chapter of the Administering Red Hat Satellite guide.

Important

Double obfuscation is required if you use Red Hat Satellite to manage clients and register them on console.redhat.com. This means you must enable obfuscation in both the insights-client.conf file and on the Satellite web UI.

5.3. Data redaction
Copy link

You can configure data redaction to remove specific content such as files, command output, or keyword patterns from the collected archive. Data redaction can be used to exclude data containing personally identifiable information (PII).

Do not redact the hostname or IP and MAC addresses because they are part of the canonical facts used for creating the host entry in the Red Hat Lightspeed database. To prevent these pieces of information from being collected or sent to Red Hat, instead consider the obfuscation feature in combination with using a Red Hat Satellite Server in your environment.

Important

Directly connected systems. It is not possible to achieve a true obfuscation or redaction of system information because the subscription-manager client must remain enabled on the system and continues to report data from the system regardless of how insights-client or rhc are configured.

You cannot prevent the collection of certain key system information such as the hostname, IP or MAC addresses and having that information sent to Red Hat. For directly connected systems, even configuring data obfuscation within the insights-client will not achieve the desired results.

Systems connected to a Red Hat Satellite or Capsule. It is not possible to fully prevent collection of key system information from the systems (hostname, ip, mac addresses), but it is possible to adjust the feature level and to configure Satellite so that the data is never sent to Red Hat.

5.3.2. Data collection rules and redaction
Copy link

Use the Red Hat Lightspeed core collection (insights-core) to manage data collection and redaction on insights-client 3.0 and later systems. With YAML configuration files and the insights-client insights-core datasource catalog, you can specify exactly which commands and files to redact to prevent sensitive data from being uploaded.

Additional resources

5.3.3. Creating YAML files for redaction
Copy link

To redact data in Red Hat Lightspeed, you need insights-client 3.0 and the following YAML configuration files to control the redaction actions:

  • file-redaction.yaml
  • file-content-redaction.yaml

You can use one or both files, depending on the content you want to redact.

To find the items to redact, insights-client uses the default configuration of the insights-client.conf configuration file to call the file-redaction.yaml and file-content-redaction.yaml files. The following example shows an example of the default configuration for redaction in the insights-client.conf file: 

# Location of the redaction file for commands, files, and components
#redaction_file=/etc/insights-client/file-redaction.yaml

# Location of the redaction file for patterns and keywords
#content_redaction_file=/etc/insights-client/file-content-redaction.yaml

You do not need to change the configuration of the insights-client.conf file, but you do need to create the YAML files.

Important

Red Hat no longer supports the use of the remove.conf configuration file to redact data.

How the YAML files work

The /etc/insights-client/file-redaction.yaml file lists commands and files that you want to redact. A Python data cleaning process runs on the file-redaction.yaml file and redacts the listed commands and files. When the Python data cleaning process runs, it redacts the specified content before adding it to the archive file.

The /etc/insights-client/file-content-redaction.yaml defines pattern redaction and keyword replacement. For pattern redaction, the process redacts patterns or regular expressions that match those specified in the YAML file. For keyword replacement, the process replaces the specified keywords with generic identifiers.

5.3.4. Configure file redaction
Copy link

You can create the /etc/insights-client/file-redaction.yaml file and include a list of commands and system files that you want redacted. When the data redaction takes place, a Python data cleaning process runs, and analyzes the contents of the YAML file.

Note

The output of the listed commands or files does not get included in the uploaded archive file.

Prerequisites

  • You must be familiar with the basics of YAML syntax. For more information about YAML, see yaml.org.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-redaction.yaml file.

  2. Enter the strings, files: and commands:, on separate lines in the YAML file. 

    files:


commands:

  3. Specify the files and commands you want to redact:

    1. On the line following files:, enter the files that you want to redact. Use the information in the Datasources catalog to identify which files and commands to specify. For example, if you want to redact the auditd.conf file, this is how it would look: 

      files:
  - /etc/audit/auditd.conf

    2. On the line following commands:, enter the commands that you want to redact. Use the information in the Datasources catalog to identify which commands to specify. For example, if you want to redact the ethtool -i command, this is how it would look: 

      commands:
  - ethtool_i
  4. Save the YAML file in /etc/insights-client/.

  5. On the command line, run ll file-redaction.yaml as root to verify that the file-redaction.yaml file permissions are root owner only. 

    [root@rhlightspeed]# ll file-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-redaction.yaml

Example

The following example shows a sample file-redaction.yaml file that includes commands and files to redact. Comments, which are lines preceded by a hash symbol (#), also offer guidance to help you configure the YAML file. 

# file-redaction.yaml
---
# Redact the entire output of commands
# Specify commands by either full command or by the "symbolic_name" like “ethtool_i.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

 commands:
- /bin/rpm -qa
- /bin/ls
- ethtool_i

# Redact the entire output of files
# Specify files either by full filename or
by the "symbolic_name" for example, “cluster_conf.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

files:
- /etc/audit/auditd.conf
- cluster_conf

Verification

To verify that your redaction file is working, you can run the insights-client command with the --no-upload option, then review the output messages on your console or terminal.

  1. On the command line, enter the insights-client command with the --no-upload option, and press Return. 

    [root@rhlightspeed]# insights-client --no-upload

  2. The command runs and displays informational messages. The following example shows the redaction of the dmesg command and the cluster.conf file. 

    WARNING: Excluding data from files
Starting to collect Red Hat Lightspeed data for I-HOST
WARNING: Skipping command /bin/dmesg
WARNING: Skipping file /etc/cluster/cluster.conf
Archive saved at /var/tmp/qsINM9/rhlightspeed-ITC-4-20190925180232.tar.gz

    The generated archive file gets saved to /var/tmp but the file is not uploaded to Red Hat.

The /etc/insights-client/file-content-redaction.yaml file redacts files using two methods: pattern redaction and keyword replacement. Pattern redaction uses either a pattern match or regular expression match. In keyword replacement, a Python data cleaning process replaces the keyword with a generic identifier.

Prerequisites

  • You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
  • You have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-content-redaction.yaml file.

    Example

    # file-content-redaction.yaml
---
# Pattern redaction per matching line
#  Lines that match a pattern are excluded from files and command output.
#  Patterns are processed in the order that they are listed.
# Example

patterns:
 - "a_string_1"
 - "a_string_2"

# Regular expression pattern redaction per line
#  Use "regex:" to wrap patterns with regular expressions"
# Example

patterns:
 regex:
 - "abc.*def"
 - "localhost[[:digit:]]"


# Keyword replacement redaction
#  Replace keywords in files and command output with generic identifiers
#  Keyword does not support regex
# Example

keywords:
- "1.1.1.1"
- "My Name"
- "a_name"

  2. Make sure the file-content-redaction.yaml file permissions are set for root owner only. 

    [root@rhlightspeed]# ll file-content-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-content-redaction.yaml

5.4. The insights-client archive
Copy link

To confirm what data the archive file sends to Red Hat, inspect the archive file. If you use obfuscation or redaction, you can inspect the archive before it uploads. If you want to preserve the archive file, you can keep it on your system.

5.4.1. Verify the archive before uploading
Copy link

To inspect the archive before the Python data cleaning script uploads it to Red Hat Lightspeed, run the insights-client command with the --no-upload option, and then save the file without uploading it. You can view the information that the client sends to Red Hat Lightspeed, and verify your obfuscation or redaction settings.

You can find the archive file in the /var/tmp/ directory. When insights-client completes, it displays the file name.

Prerequisites

  • You have a root user access to your system

Procedure

  1. Enter the insights-client command with the --no-upload option. 

    [root@rhlightspeed]# insights-client --no-upload

    The command displays informational messages when redaction or obfuscation is applied. 

    WARNING: Excluding data from files
Starting to collect Red Hat Lightspeed data for ITC-4
WARNING: Skipping patterns found in remove.conf
WARNING: Skipping command /bin/dmesg
WARNING: Skipping command /bin/hostname
WARNING: Skipping file /etc/cluster/cluster.conf
WARNING: Skipping file /etc/hosts
Archive saved at /var/tmp/qsINM9/rhlightspeed-ITC-4-20190925180232.tar.gz

  2. Navigate to the temporary storage directory as shown in the Archive saved at message. 

    [root@rhlightspeed]# cd /var/tmp/qsINM9/

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf rhlightspeed-ITC-4-20190925180232.tar.gz

    The script creates a new directory that contains the files.

5.4.2. Verify the archive after uploading
Copy link

You can keep a copy of the archive for inspection after the Python data cleaning script uploads it to Red Hat Lightspeed, run insights-client and then save the file.

You can verify the information that the client sends to Red Hat Lightspeed, and verify your obfuscation or redaction settings.

Prerequisites

  • You have root user access to your system

Procedure

  1. Enter the insights-client command with the --keep-archive option as a root user: 

    [root@rhlightspeed]# insights-client --keep-archive

    The command displays informational messages. 

    Starting to collect Red Hat Lightspeed data for ITC-4
Uploading Red Hat Lightspeed data.
Successfully uploaded report from ITC-4 to account 6229994.
Red Hat Lightspeed archive retained in /var/tmp/ozM8bY/rhlightspeed-ITC-4-20190925181622.tar.gz

  2. Navigate to the temporary storage directory displayed in the Red Hat Lightspeed archive retained in message. 

    [root@rhlightspeed]# cd /var/tmp/ozM8bY/

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf rhlightspeed-ITC-4-20190925181622.tar.gz

    The script creates a new directory that contains the files.

To apply filtering and tags in the Red Hat Lightspeed inventory, use the insights-client to categorize and organize your systems. Filtering enables you to show only the systems that you want to view, and tagging systems with contextual markers adds additional options for filtering. Creating custom tags or using predefined tags helps you streamline organization and maintenance of your system inventory.

6.1. Filters and tags for SAP workloads
Copy link

When Linux becomes the mandatory operating system for SAP ERP workloads in 2025, Red Hat Enterprise Linux and Red Hat Lightspeed are working to make Red Hat Lightspeed the management tool of choice for SAP administrators.

As part of this ongoing effort, Red Hat Lightspeed automatically tags systems running SAP workloads and by SAP ID (SID), without any customization needed by administrators. To filter those workloads throughout the Red Hat Lightspeed application, use the global Filter Results drop-down menu.

6.2. Filters and tags for Satellite host groups
Copy link

Satellite host groups are configured in Satellite and are automatically recognized by Red Hat Lightspeed.

6.3. Custom system tagging
Copy link

Apply custom tags to your registered systems to add contextual markers and organize your Red Hat Lightspeed inventory. With custom tags, you can filter and focus on related groups of systems, which simplifies management for large-scale deployments.

You can also apply predefined tags to your systems. The advisor service uses predefined tags to generate targeted recommendations for systems that require specific attention, such as those with high security needs.

6.3.1. Filter structure
Copy link

Filters use a namespace=value or key=value paired structure.

  • Namespace. The namespace is the name of the ingestion point, insights-client. This value cannot be changed. The tags.yaml file is abstracted from the namespace, which is injected by the client before upload.
  • Key. You can create the key or use a predefined key from the system. You can use a mix of capitalization, letters, numbers, symbols, and whitespace.
  • Value. You can define your own descriptive string value. You can use a mix of capitalization, letters, numbers, symbols, and whitespace.

To create and add tags to /etc/insights-client/tags.yaml, use insights-client with the --group=<name-you-choose> option. Running this command on your systems that are registered to Red Hat Lightspeed completes the following actions:

  • Creates the etc/insights-client/tags.yaml file
  • Adds the group= key and <name-you-choose> value to tags.yaml
  • Uploads a fresh archive from the system to the Red Hat Lightspeed service, making the new tag immediately visible along with your latest results

Prerequisites

  • Root-level access to your system.

Procedure

  1. Run the following command as root, adding your custom group name in place of <name-you-choose>: 

    [root@server ~]# insights-client --group=<name-you-choose>
  2. Optional: To add additional tags, edit the /etc/insights-client/tags.yaml file.
  3. Navigate to Inventory > Systems and log in if necessary.
  4. Click the Filter by tags drop-down menu. You can also use the search box to enter all or part of the tag’s name to automatically show systems with that text in the tags.
  5. Scroll up or down the list to locate the tag.
  6. Click the tag to filter by it.

  7. Verify that your system is among the results on the advisor systems list.

    1. Navigate to Inventory > Systems and log in if necessary.
    2. Activate the Name filter and begin typing the system name until you see your system, then select it.
    3. The tag symbol is a darker color, and the number beside it shows the correct number of tags applied.

After you create the group tag, you can edit the contents of tags.yaml to add or modify tags. The following procedure shows how to edit the /etc/insights-client/tags.yaml file, then verify that the tag exists in the Red Hat Lightspeed > RHEL > Inventory > Systems.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Open the tag configuration file, tags.yaml, in an editor. 

    [root@server ~]# vim /etc/insights-client/tags.yaml

  2. Edit the file contents or add additional key=value pairs. Add additional key=value pairs if needed. Use a mix of capitalization, letters, numbers, symbols, and whitespace. The following example shows how to organize tags.yaml when adding more than one tag to a system. 

    group: _group-name-value_
location: _location-name-value_
description:
- RHEL8
- SAP
key 4: value
  3. Save your changes and close the editor.

  4. Initiate an upload to Red Hat Lightspeed. 

    [root@server ~]# insights-client
  5. Navigate to Inventory > Systems and log in if necessary.

  6. In the Filter Results box, click the down arrow and select one of the filters or enter the name of the filter and select it.

    Note

    You can search by the tag key or by its value.

  7. Find your system among the results.
  8. Verify that the filter icon is highlighted and shows a number representing the number of filters applied to the system.

6.4. Predefined tags
Copy link

In addition to custom tags, Red Hat Lightspeed provides predefined tags that the advisor service can use to create targeted recommendations. These predefined tags are useful for systems that require more security or need different networking performance levels.

To get the extended security hardening and enhanced detection and remediation capabilities offered by predefined tags, opt in and configure the tags. After configuration, the advisor service provides recommendations based on tailored severity levels and the preferred network performance that applies to your systems.

Use the /etc/insights-client/tags.yaml file to tag systems with predefined tags, similar to how you tag systems in the inventory service. The predefined tags are configured using the same key=value structure used to create custom tags. Details about the Red Hat-predefined tags are in the following table:

Expand
Table 6.1. List of supported predefined tags
KeyValueNote

security

normal (default) / strict

With the normal (default) value, the advisor service compares the system’s risk profile to a baseline that comes from the default configuration of the most recent version of RHEL and from often-used usage patterns. This option keeps recommendations focused, actionable, and low in numbers. The strict value is best for systems that are security-sensitive. This option uses a stricter baseline and can show recommendations even on the most up-to-date RHEL installations.

network_performance

null (default) / latency / throughput

The network performance values, either latency or throughput according to your business requirement, affect the severity of an advisor service recommendation to a system.

Note

The names of predefined tag keys are reserved for specific use. If you already use the key security, with a value that differs from one of the predefined values, you will not see a change in your recommendations. You will only see a change in recommendations if your existing key=value is the same as one of the predefined keys. For example, if you have a key=value of security: high, your recommendations will not change because of the predefined tags that Red Hat has already defined. If you currently have a key=value pair of security: strict, you will see a change in the recommendations for your systems.

Additional resources

6.4.1. Configure predefined tags
Copy link

Configure predefined tags to adjust recommendations and gain extended security hardening, enhanced detection, and remediation capabilities within the Red Hat Lightspeed advisor service.

Prerequisites

  • You have root-level access to your system.
  • You have insights-client installed.
  • You have systems registered within the insights-client.
  • You have created the tags.yaml file. For information about creating the tags.yaml file, see Creating a tags.yaml file and adding a custom group.

Procedure

  1. Use the command line and your preferred editor to open /etc/insights-client/tags.yaml. (The following example uses Vim.) 

    [root@server ~]# vi /etc/insights-client/tags.yaml

  2. Edit the /etc/insights-client/tags.yaml file to add the predefined key=value pair for the tags. This example shows how to add security: strict and network_performance: latency tags. 

    # cat /etc/insights-client/tags.yaml
group: redhat
location: Brisbane/Australia
description:
- RHEL8
- SAP
security: strict
network_performance: latency
  3. Save your changes.
  4. Close the editor.

  5. Optional: Run the insights-client command to generate an upload to Red Hat Lightspeed, or wait until the next scheduled Red Hat Lightspeed upload. 

    [root@server ~]# insights-client

Verification

After generating an upload to Red Hat Lightspeed (or waiting for the next scheduled Red Hat Lightspeed upload), you can find out whether the tags are in the production environment by accessing Red Hat Lightspeed > RHEL > Inventory > Systems. Find your system and look for the newly created tags. You see a table that shows:

  • Name
  • Value
  • Tag Source (for example, insights-client).

Example

The following image of the advisor service shows a system with the network_performance: latency tag configured.

shows a recommendation that has a higher Total Risk that is Important and another recommendation that has a Total Risk of Moderate

The system shows a recommendation with a higher Total Risk level of Important. The system without the network_performance: latency tag has a Total Risk of Moderate. You can make decisions about prioritizing the system with higher Total Risk.

Additional resources

Find information to diagnose common connection failures and apply specific software fixes to maintain system health and connectivity.

7.1. RHC connection issues
Copy link

You can diagnose and resolve common problems that prevent the rhc client from communicating with the Red Hat Hybrid Cloud Console. For example, you can verify the core client protocol and check the system logs for specific error messages that indicate a connection failure.

7.1.1. rhc client communication (mqtt)
Copy link

MQTT is the communication technology behind the rhc daemon, rhcd. The client establishes a connection to the Red Hat message broker and waits for new messages. When the client receives new messages, it reads them and almost instantaneously converts them into playbook execution. The client always establishes the communication to the message broker. There is no communication initiated from the Red Hat services to your environment.

7.1.2. Review the rhc daemon log (journalctl)
Copy link

If you are experiencing connection issues, you must confirm that the client successfully established and maintained its connection to the message broker. You can troubleshoot your connection issue by reviewing the rhc daemon log by using the journalctl command.

Prerequisites

  • You have root user access to the system or sudo privileges.
  • The rhc daemon (rhcd or yggdrasil) service must be installed and enabled.
  • You have TCP ports and destinations enabled for the rhc daemon (port 443).

Procedure

  1. To consult recent daemon logs, enter the following command in your terminal: 

    # journalctl -u rhcd

  2. Use -f, --follow, to show only the most recent journal entries, and continuously print new entries as they are appended to the journal: 

    # journalctl -u rhcd -f

7.2. Real-time scheduling CPU conflict
Copy link

The insights-client executes commands that collect data on your system. It has a configuration restriction that limits its CPU usage to no more than 30%.

You can define this restriction in the configuration file with the following option:

insights-client-boot.service: CPUQuota=30%

This configuration prevents the insights-client from creating a CPU spike on your system. This spike could interfere with other applications running on your system. Specifically, it could prevent applications that depend on real-time scheduling from initiating.

If you need to enable real-time scheduling, you can disable the CPU quota restriction. The risk of removing this configuration is minimal. However, it is possible that when the insights-client runs, the CPU usage can become unusually high. If this situation occurs and negatively impacts other services on your system, contact Red Hat support.

Additional resources

7.3. Verify network connectivity of required ports
Copy link

If the RHC daemon log (journalctl) indicates communication failures, it can be a problem of a blocked port. Before contacting support, you must verify that your system can reach all required Red Hat service destinations and TCP ports.

Check Connectivity
Ensure that all required ports are open and destinations are accessible. The system needs access for the Subscription Manager, the insights-client, and the RHC daemon.
Check the list of TCP Ports and Destinations
See Manage system connectivity and networking for the definitive list of TCP Ports and Destinations required for full system functionality.

7.4. Create a diagnostic log for support
Copy link

You can create a diagnostic log to share with the support team.

Prerequisites

  • You have root user access to your system.
  • You have installed the insights-client on your system.

Procedure

  1. Enter the insights-client command with the --support option. 

    [root@rhlightspeed]# insights-client --support

    The command displays informational messages while creating the support file. 

    Collecting logs...
Red Hat Lightspeed version: insights-core-3.0.121-1
Registration check:
status: True
unreachable: False
. . . .
Copying Red Hat Lightspeed logs to archive...
Support information collected in /var/tmp/H_Y43a/insights-client-logs-20190927144011.tar.gz

  2. Navigate to the collection directory as shown in the Support information collected in message. 

    [root@rhlightspeed]# cd /var/tmp/H_Y43a

  3. Unpack the compressed tar.gz file. 

    [root@rhlightspeed]# tar -xzf insights-client-logs-20250912112824.tar.gz

    Extracting the tar.gz copies the log files into your current directory. You can share the tar.gz file with the support team if requested.

To register systems and configure tools, learn more about the essential command-line instructions and configuration parameters for RHEL client tools and RHEL system registration.

8.1. Options for insights-client command
Copy link

As a system administrator with root privileges, you can use the insights-client command and its options to control the insights-client operation on your system.

Updates to the insights-client.rpm occur less often than updates to individual components in Red Hat Lightspeed. The frequency of updates could cause the man page to not include the most recent information about insights-client.

Each time you enter the insights-client command, the client collects data and sends it to Red Hat Lightspeed.

Note

Using the insights-client --display-name command to set the display name takes effect immediately, but does not run the insights-client.

Expand
Table 8.1. insights-client user command options
OptionDescription

--help

-h

Display help information

--register

Register the host to Red Hat Lightspeed by using the information in /etc/hostname. Enables the nightly cron job unless --disable-schedule is set.

--unregister

Unregister the host from Red Hat Lightspeed.

--display-name=DISPLAY_NAME

Set or change the host display name in the GUI. Use it with the --register option to set the value of display_name during the host registration if you want to use a different name than the one specified in /etc/hostname. You can also use the --display-name option after registration to override the name shown for this host in Red Hat Lightspeed inventory.

--group=GROUP

Add a host to a GROUP during registration. Define Group names in /etc/insights-client/tags.yaml.

--retry=RETRIES

Set the number of times to retry an upload. The default is 1. The retry interval is 180 seconds, which is how long the insights-client waits until retrying the upload.

NOTE: In the scheduler, the number of retries is 3.

--validate

Validate /etc/insights-client/tags.yaml, /etc/insights-client/file-redaction.yaml, and /etc/insights-client/file-content-redaction.yaml files.

--quiet

Log only error messages to the terminal output.

--silent

Disable message logging to the terminal.

--enable-schedule

Enable the job schedule. By default, the insights-client runs daily, at or near midnight.

--disable-schedule

Disable the nightly job schedule.

--conf=CONF

-c=CONF

Use a custom configuration file by specifying a file path for CONF instead of using the default /etc/insights-client/insights-client.conf file.

IMPORTANT: This option is not available for RHEL 10 systems.

--no-upload

Runs the insights-client without uploading the archive to Red Hat Lightspeed. The archive is stored in the /var/tmp/ directory. When the command completes running, the file name displays.

--offline

Run the client without using network functionality. Using this command does not upload data to Red Hat Lightspeed, similar to using the --no-upload option.

--logging-file=LOGFILE

Write the log data to the specified log file, LOGFILE. The default log file is /var/log/insights-client/insights-client.log.

IMPORTANT: This option is not available for RHEL 10 systems.

--diagnosis Get diagnostic information from the API. The system must be registered and uploaded at least once to use the --diagnosis option.

 

--compliance

Scan the system with OpenSCAP and upload the report to the Red Hat Lightspeed compliance service in the Red Hat Hybrid Cloud Console.

--compliance-policies

List the policies available to assign to the system. The output also provides information for the following categories:

Assigned
Lists the status of the policy as False (system does not have the policy assigned) or True (system has the policy assigned).
ID
Lists the unique ID (UUID) for the policy.
Title
Lists the name of the Security Content Automation Protocol (SCAP) policy to which you can add your system.

--compliance-assign

Assign the system to the policy by using the ID from the insights-client --compliance-policies output.

--compliance-unassign

Remove the system from the policy by using the ID from the insights-client --compliance-policies output.`

--payload=PAYLOAD

Upload a specific archive payload file to Red Hat Lightspeed. You must set --content-type.

--content-type=TYPE

Set the content type for the PAYLOAD option. The TYPE value can be gz, bz2, xz, or none. The value of TYPE must match the --compressor used with the payload file.

--show-results

Display analysis results by using the --check-results option.

--output-dir=DIR

Write the collection to a specified directory instead of uploading to Red Hat Lightspeed.

--output-file=FILE

Write the collection to a specified archive instead of uploading to Red Hat Lightspeed.

--ansible-host=ANSIBLE-HOST

Set or change the Ansible hostname in Red Hat Lightspeed inventory. Run this during registration to specify a different hostname from the one listed in /etc/hostname or the configuration file. This also overrides the hostname that Red Hat Lightspeed remediations injects into generated playbooks targeting the Ansible host.

--list-specs

Show insights-client collection specs.

--build-packagecache

Refresh the system package manager cache.

--manifest=MANIFEST

The specified manifest YAML file that defines what Red Hat Lightspeed Core should collect.

--checkin

Do a lightweight check-in instead of a full upload.

--collector=APPLICATION

Run the specified application and upload its generated archive.

For example, specify:

  • --collector malware-detection to use Red Hat Lightspeed to help detect the presence of malware. For more information, see the Additional resources section.
  • --collector compliance to instruct Red Hat Lightspeed to scan the system with OpenSCAP and upload the report. You can get the same result by using the`--compliance` option.

Additionally, use the following insights-client command options when you need to debug insights-client operations:

Expand
Table 8.2. insights-client debug options
OptionDescription

--version

Print the versions of insights-client Client and Core.

--test-connection

Test connectivity to the Red Hat Lightspeed services.

--verbose

Log all debug output to the console.

--no-upload

Run the client, but do not upload the archive. The client stores the archive in the /var/tmp/ directory. The file name displays when insights-client completes.

--keep-archive

Store the archive in the /var/cache/insights-client/ directory after upload.

--support

Generate a diagnostic log for support.

--status

Display host registration status.

--net-debug

Log network calls to the console.

When the configuration file and the command line have similar options, the command-line option is executed when you enter the insights-client command. When the scheduler runs the client, the configuration file options are executed.

Note

You must enter the choices exactly as shown. True and False use initial capital letters.

The changes initiated by the options take effect either at the next scheduled run, or when you enter the insights-client command. Format the options as key=value pairs.

Expand
Table 8.3. insights-client.conf configuration options
OptionDescription

ansible_host

Use this option if you want a different hostname when running Ansible playbooks.

authmethod=CERT

Set the authentication method. The default value is CERT.

auto_config=True

Use this to auto configure with Satellite Server. Values can be True (default) or False.

NOTE: When auto_config=True (default), the authentication method used is CERT.

auto_update=True

Use this option to automatically update the dynamic configuration. The default value is True. Change the value to False if you do not want automatic updates.

base_url=cert-api.access.redhat.com:443/r/insights

Specify the base URL for the API.

cmd_timeout=120

Use this option to set the timeout limit for commands that run during collection. The value is measured in seconds. The command processes end when the timeout limit reaches the value of this option.

content_redaction_file

Omit lines or keywords from files and commands in the core collection. The core collection consists of a comprehensive set of data such as system logs, configuration files, and command outputs collected by the insights-client.

You do not need to change the default configuration. The content_redaction_file option uses the /etc/insights-client/file-content-redaction.yaml file by default.

display_name

Use this value to for the --display-name option for registration. The default is to use /etc/hostname.

NOTE: This value interacts with the insights-client --display-name command. If you use the command line to change the display name but the configuration file contains a different display name, the display name reverts to the configuration file value when the scheduler runs the insights-client.

http_timeout=120

Use this option to set the timeout limit for HTTP calls. The value is measured in seconds. The command processes terminate when the timeout limit reaches the value.

[insights-client]

The configuration file must begin with this entry, even if you specify a custom path or name for the client configuration file.

loglevel=DEBUG

Use this option to change the log level. Values are: DEBUG, INFO, WARNING, ERROR, and CRITICAL. The default is DEBUG. The default log file location is /var/log/insights-client/insights-client.log.

obfuscation_list=<ipaddress_type>

Use this option to specify which IP connectivity protocol addresses to obfuscate in the data collection. By default, this value is not set and no data obfuscation occurs. Supported values are: IPv4, IPv6, hostname, and MAC. For example, to obfuscate the IP address (IPv6) and the hostname, set obfuscation_list=ipv6,hostname.

IMPORTANT: Remove deprecated obfuscate and obfuscate_hostname options from the configuration file. If your configuration file contains both obfuscation_list and deprecated options, the obfuscation_list takes precedence and insights-client displays a warning message in the output.

proxy

Use this option to set the URL for your proxy. Example: http://user:pass@192.168.100.50:8080

redaction_file

Use this option to omit files or commands from the core collection. The core collection consists of comprehensive result set.

You do not need to change the default configuration. The redaction_file option uses /etc/insights-client/file-redaction.yaml by default.

Providing feedback on Red Hat documentation
Copy link

We appreciate and prioritize your feedback regarding our documentation. Provide as much detail as possible, so that your request can be quickly addressed.

Prerequisites

  • You are logged in to the Red Hat Customer Portal.

Procedure

To provide feedback, perform the following steps:

  1. Click the following link: Create Issue
  2. Describe the issue or enhancement in the Summary text box.
  3. Provide details about the issue or requested enhancement in the Description text box.
  4. Type your name in the Reporter text box.
  5. Click the Create button.

This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to provide feedback.

Legal Notice
Copy link

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top