Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Client Configuration Guide for Red Hat Insights with FedRAMP

Red Hat Insights 1-latest

Configuration options and use cases for the Insights client

Red Hat Customer Content Services

Abstract

This guide is for Insights for Red Hat Enterprise Linux users who want to configure Insights client features on their RHEL systems with FedRAMP®. The Insights client configuration settings on your system affect the interaction with Insights for Red Hat Enterprise Linux.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright's message.

Chapter 1. Insights client overview

The Insights client (insights-client) is the client for Red Hat Insights for Red Hat Enterprise Linux. Run insights-client from the command line.

1.1. Red Hat Insights client distribution

Insights client is available for the following releases of Red Hat Enterprise Linux (RHEL).

RHEL releaseComments

RHEL 9

Distributed with Insights client pre-installed.

RHEL 8

Distributed with Insights client pre-installed, unless RHEL 8 was installed as a minimal installation.

RHEL 7

Distributed with the Insights client RPM package loaded but not installed.

RHEL 6.10 and later

You must download the Insights client RPM package and install it.

Additional resources

Chapter 2. Installing insights-client

You can install Red Hat Insights for Red Hat Enterprise Linux on an existing system that is managed by Red Hat infrastructure, or you can install it on a minimal installation of Red Hat Enterprise Linux.

After you install the Insights client, you need to register your system. For more information about registering systems, refer to:

Configuring authentication

2.1. Installing insights-client on an existing system managed by Red Hat Update Infrastructure

Use these instructions to deploy Insights for Red Hat Enterprise Linux on an existing, cloud marketplace-purchased Red Hat Enterprise Linux system managed by Red Hat Update Infrastructure (RHUI).

Prerequisites

  • Root-level access for the system.

Procedure

  • Enter the following command to install the current version of the Insights client package:

    RHEL versions 6 and 7

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# yum install insights-client

    RHEL version 8 and later

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# dnf install insights-client

2.2. How the Insights client CLI and configuration file interact

The Insights client runs automatically, according to its scheduler settings. By default, it runs every 24 hours. To run the client interactively, enter the insights-client command.

When you run insights-client, the following values and settings determine the results:

  1. Values that you enter when you run insights-client from the CLI temporarily override the preset configuration file settings and system environment settings. Any values that you enter for options in the insights-client command are used only for that instance of Insights client.
  2. Settings in the configuration file (/etc/insights-client/insights-client.conf) override system environment settings.
  3. Values of any system environment variables (printenv) are not affected by the CLI or the client configuration files.
Note

If you are running RHEL 6.9 or earlier, use redhat-access-insights to run the Insights client.

2.3. Installing Insights client on a minimal installation of RHEL

The Insights client is not automatically installed on systems running the minimal installation of Red Hat Enterprise Linux 8.

For more information about minimal installations, see Configuring software selection in Performing a standard RHEL installation.

Prerequisites

  • Root-level access to the system.

Procedure

  1. To create a minimal installation with the Insights client, select Minimal Installation from the RHEL Software Selection options in the Anaconda installer.
  2. Make sure to select the Standard checkbox in the Additional Software for Selected Environment section. The Standard option includes the insights-client package in the RHEL installation.

If you do not select the Standard checkbox, RHEL installs without the insights-client package. If that happens, use dnf install to install the Insights client at a later time.

2.4. How to resolve the Insights client real-time scheduling issue

The Insights client executes a number of commands that collect data on your system. Therefore, it has a configuration restriction that limits its CPU usage to no more than 30%. This restriction is defined in the configuration file:

insights-client-boot.service: CPUQuota=30%

This configuration prevents the Insights client from creating a CPU spike on your system. This spike could interfere with other applications running on your system. Specifically, it could prevent applications that depend on real-time scheduling from initiating.

If you need to enable real-time scheduling, you can disable the CPU quota restriction. The risk of removing this configuration is minimal. However, it is possible that when the Insights client runs, the CPU usage may become unusually high. If this situation occurs and negatively impacts other services on your system, please contact Red Hat support for assistance.

Chapter 3. Configuring authentication

Important

Basic Authentication has been deprecated. If you are using Basic Authentication, you must change to one of the currently supported authenticated methods. For more information about changing from Basic Authentication to certificate-based authentication for user access, refer to How to switch from Basic Auth to Certificate Authentication for Red Hat Insights.

3.1. Authentication methods

Depending on how you use Red Hat Insights for Red Hat Enterprise Linux, you must use one of the following authentication methods:

  • Certificate-based authentication (CERT)

    Certificate-based authentication is the default authentication method. Certificates are generated when you register a system with Red Hat Subscription Manager (RHSM), or when Red Hat Satellite system management manages your system. The client configuration file includes authmethod=CERT by default. There are no additional configuration change requirements.

  • Activation keys

    The preferred authentication method uses activation keys, along with the Organization ID, to register a system with Red Hat hosted services such as RHSM or remote host configuration (RHC).

    A list of the activation keys for your organization are on the Activation Keys page in the Red Hat Hybrid Cloud Console. You can use an activation key as an authentication token to register a system with Red Hat-hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (RHC). Administrators can create, edit, and delete activation keys for your organization.

Additional resources

3.2. Using activation keys for authentication

An activation key is a preshared authentication token that enables authorized users to register and configure systems. It eliminates the need to store, use, and share a personal username and password combination, which increases security and facilitates automation.

You can use an activation key and a numeric organization identifier (organization ID) to register a system with Red Hat hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (rhc). Your organization’s activation keys and organization ID are displayed on the Activation Keys page in the Hybrid Cloud Console.

For more information about how to create and manage activation keys for your systems, see Creating and managing activation keys in the Red Hat Hybrid Cloud Console.

3.3. Registering systems with Red Hat Hosted Services

After you install the Insights client, you need to register your system. This requires two steps:

  • Registering with Red Hat hosted services, such as Red Hat Subscription Manager (RHSM) or remote host configuration (rhc).
  • Registering the system with the Insights client.

For more information about registering the system with Insights client, refer to:

Prerequisites

  • Admin login access to each system
  • Activation key
  • Organization ID

Procedure

RHEL 7 and 8

  1. To register a system running Red Hat Enterprise Linux version 7 or 8, use an activation key and your Organization ID to register with RHSM.

    Copy to Clipboard Toggle word wrap 
    # subscription-manager register --activationkey=_activation_key_name_ --org=_organization_ID_

RHEL 9

  1. To register a system running RHEL 9 or later, use an activation key to register with the rhc client. If you do not want to run rhc management services on your system, use the same commands for RHEL 9 systems as you would for RHEL 7 or RHEL 8.

    Copy to Clipboard Toggle word wrap 
    # rhc connect --activation-key example_key --organization your_org_ID

Additional resources

Chapter 4. Configuring insights-client

After you install Insights client, you must register your system with Red Hat Insights for Red Hat Enterprise Linux. Registration enables you to use Red Hat Insights for Red Hat Enterprise Linux services.

4.1. Registering your system with Red Hat Insights

You can use the insights-client command to register a system with Red Hat Insights.

You can assign a different display name for your host when you register your system by appending the --display-name option to the command. The display name identifies the system in the Insights UI. If you do not assign a display name when you register the system, Insights uses the default hostname for the system.

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Insights client

Procedure

  1. Run the following subscription-manager commands in the CLI:

    Copy to Clipboard Toggle word wrap 
    [root@insights]# subscription-manager register
[root@insights]# subscription-manager status

  2. Run the following insights-client registration commands as follows:

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --register
[root@insights]# insights-client --status

Examples

  • The following example shows how you can register a system with a display name that is different from the hostname:

    Copy to Clipboard Toggle word wrap 
    [root@insights01]# insights-client --register --display-name ITC-4

    • Resulting output:

      Copy to Clipboard Toggle word wrap 
      Successfully registered host insights01-rhel9 as ITC-4 in group None
Automatic scheduling for Insights has been enabled.
Starting to collect Insights data for ITC-4
Writing RHSM facts to /etc/rhsm/facts/insights-client.facts ...
Uploading Insights data.
Successfully uploaded report from ITC-4 to account 1234567.
View the Red Hat Insights console at https://console.redhat.com/insights/

  • The following example shows how you can change the display name of a system that is already registered for Red Hat Insights.

    Copy to Clipboard Toggle word wrap 
    [root@insights01]# insights-client --display-name ITC-5

    • Resulting output:

      Copy to Clipboard Toggle word wrap 
      System display name changed from ITC-4 to ITC-5

For more information about the insights-client command options, see the Additional resources section.

Result

You can now access the cloud-based Red Hat Insights for Red Hat Enterprise Linux services.

Important
  • It can take up to 15 minutes for your newly registered system to be listed on the Red Hat Insights inventory page on the console.
  • Red Hat Satellite users: After registering a Satellite system with Insights, if you subsequently upgrade or rebuild your Satellite system by doing a fresh install, you must re-register the system in Insights. For more information about how to do that, see Re-registering your system with Red Hat Insights.

Additional resources

4.1.1. Resolving the host telemetry enablement error during Satellite registration

This issue affects Red Hat Satellite users. If you are a Satellite user registering a host with Red Hat Insights, after you run insights-client --register, the following output might display on the CLI:

Telemetry is not enabled for this host

This error can occur because the host_registration_insights parameter is set to false during host registration. It must be set to true for Satellite to accept the Insights client upload. To resolve this error message, you must do the following:

  • Change the host_registration_insights parameter to true
  • Run the Insights-client --register command in the command line again after the parameter has been updated.

Additional resources

For detailed information about this issue and its resolution, see the following:

4.2. Unregistering your system with Red Hat Insights

You can unregister your system with Red Hat Insights for Red Hat Enterprise Linux. When you do so, your system information is no longer uploaded to Insights for Red Hat Enterprise Linux.

Prerequisites

  • Root-level access to your system.
  • Your system is registered with Insights for Red Hat Enterprise Linux.

Procedure

  1. Enter the insights-client command with the --unregister option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --unregister
Successfully unregistered from the Red Hat Insights Service

Verification

  • Enter the insights-client command with the --status option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --status
System is NOT registered locally via .registered file. Unregistered at 2021-03-12T10:36:39.257300
Insights API says this machine was unregistered at 2021-03-12T00:36:39.000Z

4.3. Re-registering your system with Red Hat Insights

There are instances when you might need to re-register a system in Red Hat Insights for Red Hat Enterprise Linux.

Re-registering a system in Insights by using the correct steps can help to prevent and fix duplicate host entries in the Insights inventory service. For example, one reason you might re-register a system in Insights is to clean up entries for a previously registered system that has been rebuilt with a clean install.

Important

If you are a Red Hat Satellite user and you plan to upgrade or rebuild your Satellite system by doing a fresh install, you must re-register that system in Insights. Ensure that you unregister the system in Insights before you begin the upgrade. After you have reinstalled the Satellite system, register it again with the Insights client. Otherwise, you might see duplicate host entries or other unexpected results.

To re-register a system in Insights, run the insights-client command twice by using the following two options:

  1. --unregister
  2. --register

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Insights client

Procedure

  1. On the command line, enter the insights-client command with the --unregister option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --unregister

  2. Enter the insights-client command with the --register option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --register

Verification

When a system has been successfully re-registered by using the insights-client command with the —-unregister option followed by the insights-client command with the —-register option, a new Insights profile gets created and the following output is displayed:

Copy to Clipboard Toggle word wrap 
[root@insights]# Successfully uploaded report for <machine name>
View the Red Hat Insights console at https://console.openshiftusgov.com/insights/

4.4. Changing the host display name

You can change the host display name as it appears in the GUI. Make this change either when you register the system with Red Hat Insights for Red Hat Enterprise Linux, or after registration. If you do not assign a display name when you register the system, Red Hat Insights for Red Hat Enterprise Linux uses the value in /etc/hostname.

This procedure is optional. Determine if you want to use a display name in addition to the default hostname.

Note

Using the insights-client command to set the display name takes effect immediately, but does not run the Insights client.

Note

If you obfuscate the hostname, the hostname configured in /etc/hostname is obfuscated. Assign a display name so that you can identify a host even when its hostname is obfuscated.

Prerequisites

  • Root-level access to the system.

Procedure

  • Enter the insights-client command with the --display-name option and specify a display name.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --display-name ITC-4
System display name changed from None to ITC-4

  • To create a display name that contains spaces, use double quotes.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --display-name "ITC-4 B9 4th floor"
System display name changed from None to ITC-4 B9 4th floor

4.5. Displaying the client version

You can display the client version and client core version.

Prerequisites

  • Root-level access to your system.

Procedure

  • Enter the insights-client command with the --version option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

Additional resources

Chapter 5. Insights client data obfuscation

Red Hat Insights has optional controls for excluding the IP address or hostname from the data file transmitted to Red Hat and to obfuscate the values within the user interface. You can also set a custom display name for the identification of obfuscated hosts.

5.1. Obfuscation overview

The Insights client obfuscation feature uses a Python data cleaning process to replace the hostname and IP address with preset values when it processes the Insights archive. The processed archive file containing the obfuscated values is then sent to Red Hat Insights for Red Hat Enterprise Linux.

To enable obfuscation, configure the applicable options in the /etc/insights-client/insights-client.conf file. You can choose to obfuscate the system IP address, or you can choose to obfuscate both the IP address and hostname. You cannot obfuscate the hostname only. Obfuscation is disabled by default.

Note
  • The Python data cleaning process automatically generates the masked values. You cannot choose the values for obfuscation.
  • The Red Hat Insights for Red Hat Enterprise Linux compliance service uses OpenSCAP tools to generate compliance reports based on information from the host system. The collaboration with OpenSCAP prevents the compliance service’s ability to completely obfuscate or redact hostname and IP address data. Also, host information is sent to Insights for Red Hat Enterprise Linux when a compliance data collection job launches on the host system. Red Hat Insights for Red Hat Enterprise Linux is working to improve obfuscation options for host information.

For information about how Red Hat Insights for Red Hat Enterprise Linux handles data collection, see Red Hat Insights Data & Application Security.

Important

Double obfuscation is required if you use Red Hat Satellite to manage clients and register them on console.redhat.com. This means you must enable obfuscation in both the insights-client.conf and the Satellite web UI. For more information about enabling obfuscation in Satellite, see the Red Hat Cloud settings chapter of the Administering Red Hat Satellite guide.

5.2. Obfuscating the IPv4 address

You can mask the IPv4 host address in the archive file before it is sent to Red Hat Insights for Red Hat Enterprise Linux by enabling obfuscation.

When you choose IP address obfuscation, your host address in the archive file is changed to the value provided in the Python data cleaning file. You cannot configure the value provided for obfuscation. You also cannot obfuscate or select the portion of the host IP address to obfuscate.

Important

Red Hat Insights supports IP address obfuscation for IPv4 addresses only.

Prerequisites

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, complete the following step:

    • In the Satellite web UI, go to the Red Hat Cloud settings and enable the Obfuscate host IPv4 addresses option.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the following section:

    Copy to Clipboard Toggle word wrap 
    # Obfuscate IP addresses
#obfuscate=False

  3. Remove the preceding hash (#) character, and change False to True, as follows:

    Copy to Clipboard Toggle word wrap 
    obfuscate=True
  4. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the original IP address is masked in the console UI, logs, and in any archive data files that Red Hat collects, as shown in the following example.

Important

After you enable obfuscation, you will continue to see the original IP address in the command-line output of some insights-client commands.

Example

  • The original host system IP address:

    Copy to Clipboard Toggle word wrap 
    192.168.0.24

  • The obfuscated host IP address

    Copy to Clipboard Toggle word wrap 
    10.230.230.1

  • The following screenshot provides an example of an obfuscated IP address in the Red Hat Hybrid Cloud Console UI:

    An example of an obfuscated IP address in the Red Hat Hybrid Cloud Console UI

Note

When you enable obfuscation on multiple systems, the same obfuscated IP address gets generated. Therefore, in the example scenario provided, when you search or filter by IP address in the Insights UI on the Hybrid Cloud Console you might see several instances of 10.230.230.1. This is because the Python data cleaning process that the Insights obfuscation feature uses, can generate the same obfuscated IP address in the archive file.

5.3. Obfuscating the hostname

When you obfuscate the hostname of a system in Insights, the value of the hostname configured in /etc/hostname is masked in the console GUI and in the archive file before it is sent to Red Hat.

To obfuscate the hostname of a system, you must also enable obfuscation on the IP address. You cannot obfuscate only the hostname.

When obfuscation is enabled in Insights, the hostname value in /etc/hostname changes to a 12-character UUID that is automatically generated by the Python data cleaning process.

Tip

Assign a display name to your system so that you can more easily find and manage your obfuscated hosts. The display name does not get obfuscated and displays in the Insights console UI. Only the value of /etc/hostname gets obfuscated.

Prerequisites

  • You have obfuscated the IP address. For more information, see Obfuscating the IPv4 address.

  • If you are using Red Hat Satellite to manage clients and register them on console.redhat.com, complete the following step before you enable hostname obfuscation:

    • In the Satellite web UI, go to the Red Hat Cloud settings and enable the Obfuscate host names option.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that has obfuscate_hostname.

    Copy to Clipboard Toggle word wrap 
    #obfuscate_hostname=False

  3. Remove the # and change False to True.

    Copy to Clipboard Toggle word wrap 
    obfuscate_hostname=True

  4. (Optional) To help you find and manage your obfuscated hosts in the Insights console UI, set a display name for your system in the insights-client.conf file, as follows:

    Copy to Clipboard Toggle word wrap 
    display_name=example-display-name
    Note

    You can also set a display name on the console by using the following command:

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --display-name ITC-4
  5. Save and close the /etc/insights-client/insights-client.conf file.

Result

When obfuscation is successfully enabled, the hostname gets masked in the Insights console UI, logs, and in any archive data files that Red Hat collects.

Note
  • If you configure hostname obfuscation on more than one system, you might see multiple systems with the same hostname in the Red Hat Insights for Red Hat Enterprise Linux GUI as a result of obfuscation. Setting a display name can help you to more easily identify your obfuscated hosts.
  • After you enable obfuscation, there are some instances where the original hostname displays in the command-line output of some insights-client commands.

Example

  • The original hostname of the system in /etc/hostname:

    Copy to Clipboard Toggle word wrap 
    RTP.data.center.01

  • The obfuscated /etc/hostname as it displays in Red Hat Insights for Red Hat Enterprise Linux:

    Copy to Clipboard Toggle word wrap 
    90f4a9365ce0.example.com

  • The following screenshot of the Red Hat Hybrid Cloud Console UI shows an example of a system whose hostname and IP address are obfuscated:

    An example of an obfuscated hostname in the Red Hat Hybrid Cloud Console UI

Additional resources

Chapter 6. Insights client data redaction

Red Hat Insights handles data collection by using Insights core collection. For redaction purposes, core collection replaces a limited JSON-file (.cache.json and .uploader.json) and shell script data collection method. In addition, core collection:

  • Is compatible with Insights client 3.0 and later.
  • Uses YAML files to determine which commands and files to redact.
  • Uses robust Python data cleaning processes.
  • Supports complex data collection by using datasources and avoids the possible limitations of using JSON files, such as uploader.json and shell scripts.
  • Allows you to use more easily maintained datasources to know which datasources that are part of insights-core.

For more information about Red Hat Insights client core collection, datasources, and collection rules, see the following resources:

Important

Using .cache.json and uploader.json files to redact data is no longer supported by Red Hat. Use Datasources instead.

Preventing the collection of Personally Identifiable Information (PII)

Red Hat Insights for Red Hat Enterprise Linux collects a minimal amount of data, including data that might contain personally identifiable information (PII). To prevent PII (or other configuration data) from being collected, apply data redaction.

For information about how Red Hat Insights for Red Hat Enterprise Linux handles data collection, see Red Hat Insights data and application security.

6.1. Creating and configuring the required redaction YAML files

To redact data in Red Hat Insights, you need Insights client 3.0 and the following YAML configuration files to control the redaction actions:

  • file-redaction.yaml
  • file-content-redaction.yaml

You can use one or both files, depending on the content you want to redact.

To find the items to redact, Insights client uses the default configuration of the insights-client.conf configuration file to call the file-redaction.yaml and file-content-redaction.yaml files. The following example shows an example of the default configuration for redaction in the insights-client.conf file:

Copy to Clipboard Toggle word wrap 
# Location of the redaction file for commands, files, and components
#redaction_file=/etc/insights-client/file-redaction.yaml

# Location of the redaction file for patterns and keywords
#content_redaction_file=/etc/insights-client/file-content-redaction.yaml

While you do not need to change the configuration of the insights-client.conf file, you do need to create the YAML files.

Important

Red Hat no longer supports the use of the remove.conf configuration file to redact data.

How the YAML files work

The Insights client /etc/insights-client/file-redaction.yaml file lists commands and files that you want to redact. A Python data cleaning process runs on the file-redaction.yaml file and redacts the listed commands and files.

Note

When the Python data cleaning process runs, it redacts the specified content before adding it to the archive file.

The /etc/insights-client/file-content-redaction.yaml defines pattern redaction and keyword replacement. For pattern redaction, the process redacts patterns or regular expressions that match those specified in the YAML file. For keyword replacement, the process replaces the specified keywords with generic identifiers.

6.1.1. Configuring file-redaction.yaml to redact commands and system files

You can create the /etc/insights-client/file-redaction.yaml file and include a list of commands and system files that you want redacted. When the data redaction takes place, a Python data cleaning process runs, and analyzes the contents of the YAML file.

Note

The output of the listed commands or files does not get included in the uploaded archive file.

Prerequisites

  • You must be familiar with the basics of YAML syntax. For more information about YAML, see yaml.org.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-redaction.yaml file.

  2. Enter the strings, files: and commands:, on separate lines in the YAML file.

    Copy to Clipboard Toggle word wrap 
    files:


commands:

  3. Specify the files and commands you want to redact:

    1. On the line following files:, enter the files that you want to redact. Use the information in the Datasources catalog to identify which files and commands to specify. For example, if you want to redact the auditd.conf file, this is how it would look:

      Copy to Clipboard Toggle word wrap 
      files:
  - /etc/audit/auditd.conf

    2. On the line following commands:, enter the commands that you want to redact. Use the information in the Datasources catalog to identify which commands to specify. For example, if you want to redact the ethtool -i command, this is how it would look:

      Copy to Clipboard Toggle word wrap 
      commands:
  - ethtool_i
  4. Save the YAML file in /etc/insights-client/.

  5. Verify that the file-redaction.yaml file permissions are root owner only by running ll file-redaction.yaml as root, on the command line.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# ll file-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-redaction.yaml

Example file-redaction.yaml file with comments

The following example shows a sample file-redaction.yaml file that includes commands and files to redact. Comments, which are lines preceded by a hash symbol (#), also offer guidance to help you configure the YAML file.

Copy to Clipboard Toggle word wrap 
# file-redaction.yaml
---
# Redact the entire output of commands
# Specify commands by either full command or by the "symbolic_name" like “ethtool_i.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

 commands:
- /bin/rpm -qa
- /bin/ls
- ethtool_i

# Redact the entire output of files
# Specify files either by full filename or
by the "symbolic_name" for example, “cluster_conf.”
# Refer to the “Datasource Catalog” and “General Datasources” at https://insights-core.readthedocs.io/en/latest/specs_catalog.html#general-datasource for a full list of available symbolic_names, and the commands and files they correspond to.

files:
- /etc/audit/auditd.conf
- cluster_conf

Verification step

To verify that your redaction file is working, you can run the insights-client command with the --no-upload option, then review the output messages on your console or terminal.

  1. On the command line, enter the insights-client command with the --no-upload option, and press Return.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --no-upload

  2. The command runs and displays informational messages. The following example shows the redaction of the dmesg command and the cluster.conf file.

    Copy to Clipboard Toggle word wrap 
    WARNING: Excluding data from files
Starting to collect Insights data for I-HOST
WARNING: Skipping command /bin/dmesg
WARNING: Skipping file /etc/cluster/cluster.conf
Archive saved at /var/tmp/qsINM9/insights-ITC-4-20190925180232.tar.gz

The generated archive file gets saved to /var/tmp but the file is not uploaded to Red Hat.

6.1.2. Configuring YAML pattern and keyword redaction

The /etc/insights-client/file-content-redaction.yaml file redacts files using two methods: pattern redaction and keyword replacement. Pattern redaction uses either a pattern match or regular expression match. In keyword replacement, a Python data cleaning process replaces the keyword with a generic identifier.

Prerequisites

  • You must be familiar with the basics of YAML syntax. Explaining YAML is beyond the scope of this procedure.
  • You must have root-level access to the system.

Procedure

  1. Use an editor to create the /etc/insights-client/file-content-redaction.yaml file.

    Example

    Copy to Clipboard Toggle word wrap 
    # file-content-redaction.yaml
---
# Pattern redaction per matching line
#  Lines that match a pattern are excluded from files and command output.
#  Patterns are processed in the order that they are listed.
# Example

patterns:
 - "a_string_1"
 - "a_string_2"

# Regular expression pattern redaction per line
#  Use "regex:" to wrap patterns with regular expressions"
# Example

patterns:
 regex:
 - "abc.*def"
 - "localhost[[:digit:]]"


# Keyword replacement redaction
#  Replace keywords in files and command output with generic identifiers
#  Keyword does not support regex
# Example

keywords:
- "1.1.1.1"
- "My Name"
- "a_name"

  2. Make sure the file-content-redaction.yaml file permissions are set for root owner only.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# ll file-content-redaction.yaml
-rw-------. 1 root root 145 Sep 25 17:39 file-content-redaction.yaml

6.2. Verifying the Insights client archive

You can verify the contents of the archive file. By inspecting the archive file, you can confirm what data is sent to Red Hat.

If you use obfuscation or redaction, you can inspect the archive before it uploads. If you want to preserve the archive file, you can keep it on your system.

6.2.1. Verifying the archive before uploading

To inspect the archive before the Python data cleaning script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run the insights-client command with the --no-upload option, and then save the file without uploading it. This allows you to view the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.

The archive file is stored in the /var/tmp/ directory. When insights-client completes, it displays the file name.

Prerequisites

  • Make sure the /etc/insights-client/insights-client.conf file is correctly configured.

Procedure

  1. Enter the insights-client command with the --no-upload option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --no-upload

    The command displays informational messages when redaction or obfuscation is applied.

    Copy to Clipboard Toggle word wrap 
    WARNING: Excluding data from files
Starting to collect Insights data for ITC-4
WARNING: Skipping patterns found in remove.conf
WARNING: Skipping command /bin/dmesg
WARNING: Skipping command /bin/hostname
WARNING: Skipping file /etc/cluster/cluster.conf
WARNING: Skipping file /etc/hosts
Archive saved at /var/tmp/qsINM9/insights-ITC-4-20190925180232.tar.gz

  2. Navigate to the temporary storage directory as shown in the Archive saved at message.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# cd /var/tmp/qsINM9/

  3. Unpack the compressed tar.gz file.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# tar -xzf insights-ITC-4-20190925180232.tar.gz

    The script creates a new directory that contains the files.

6.2.2. Verifying the Insights client archive after uploading

To keep a copy of the archive for inspection after the Python data cleaning script uploads it to Red Hat Insights for Red Hat Enterprise Linux, run insights-client and then save the file. This allows you to verify the information that the client sends to Insights for Red Hat Enterprise Linux, and to verify your obfuscation or redaction settings.

Prerequisites

  • Make sure the /etc/insights-client/insights-client.conf file is correctly configured.

Procedure

  1. Enter the insights-client command with the --keep-archive option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --keep-archive

    The command displays informational messages.

    Copy to Clipboard Toggle word wrap 
    Starting to collect Insights data for ITC-4
Uploading Insights data.
Successfully uploaded report from ITC-4 to account 6229994.
Insights archive retained in /var/tmp/ozM8bY/insights-ITC-4-20190925181622.tar.gz

  2. Navigate to the temporary storage directory displayed in the Insights archive retained in message.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# cd /var/tmp/ozM8bY/

  3. Unpack the compressed tar.gz file.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# tar -xzf insights-ITC-4-20190925181622.tar.gz

    The script creates a new directory that contains the files.

Chapter 7. System filtering and groups

Red Hat Insights for Red Hat Enterprise Linux enables you to filter systems in inventory, as well as by individual service. Insights for Red Hat Enterprise Linux also allows you to filter groups of systems by three criteria:

  • Groups running SAP workloads
  • Satellite host groups
  • Custom filters that you define in a YAML file
Note

As of Spring 2022, inventory, advisor, compliance, vulnerability, patch, and policies enable filtering by groups and tags. Other services will follow.

Use the global Filter Results box to filter by SAP workloads, Satellite host groups, or custom filters added to the Insights client configuration and file filters added to the Insights client configuration file.

Prerequisites

You have completed the following steps on your system:

  • Logged in with root-level permissions
  • Installed the Insights client

7.1. SAP workloads

As Linux becomes the mandatory operating system for SAP ERP workloads in 2025, Red Hat Enterprise Linux and Red Hat Insights for Red Hat Enterprise Linux are working to make Insights for Red Hat Enterprise Linux the management tool of choice for SAP administrators.

As part of this ongoing effort, Insights for Red Hat Enterprise Linux automatically tags systems running SAP workloads and by SAP ID (SID), without any customization needed by administrators. To filter those workloads throughout the Insights for Red Hat Enterprise Linux application, use the global Filter Results drop-down menu.

7.2. Satellite host groups

Satellite host groups are configured in Satellite and automatically recognized by Insights for Red Hat Enterprise Linux.

7.3. Custom system tagging

You can apply custom grouping and tagging to your systems. This enables you to add contextual markers to individual systems, filter by those tags in the Insights for Red Hat Enterprise Linux application, and more easily focus on related systems. This functionality can be especially valuable when deploying Insights for Red Hat Enterprise Linux at scale, with many hundreds or thousands of systems under management.

In addition to the ability to add custom tags to several Insights for Red Hat Enterprise Linux services, you can add predefined tags. The advisor service can use these tags to create targeted recommendations for your systems that might require more attention, such as those systems that require a higher level of security.

7.3.1. Filter structure

Filters use a namespace=value or key=value paired structure.

  • Namespace. The namespace is the name of the ingestion point, insights-client. This value cannot be changed. The tags.yaml file is abstracted from the namespace, which is injected by the client before upload.
  • Key. You can create the key or use a predefined key from the system. You can use a mix of capitalization, letters, numbers, symbols and whitespace.
  • Value. You can define your own descriptive string value. You can use a mix of capitalization, letters, numbers, symbols and whitespace.

7.3.2. Creating a custom group and the tags.yaml file

To create and add tags to /etc/insights-client/tags.yaml, use insights-client with the --group=<name-you-choose> option. This command option performs the following actions:

  • Creates the etc/insights-client/tags.yaml file
  • Adds the group= key and <name-you-choose> value to tags.yaml
  • Uploads a fresh archive from the system to the Insights for Red Hat Enterprise Linux application making the new tag immediately visible along with your latest results

Prerequisites

  • Root-level access to your system.

Procedure

  1. Run the following command as root, adding your custom group name in place of <name-you-choose>:

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# insights-client --group=<name-you-choose>
  2. Optional. To add additional tags, edit the /etc/insights-client/tags.yaml file.
  3. Navigate to Inventory > Systems and log in if necessary.
  4. Click the Filter by tags drop-down menu. You can also use the search box to enter all or part of the tag’s name to automatically show systems with that text in the tags.
  5. Scroll up or down the list to locate the tag.
  6. Click the tag to filter by it.

  7. Verify that your system is among the results on the advisor systems list.

    1. Navigate to Inventory > Systems and log in if necessary.
    2. Activate the Name filter and begin typing the system name until you see your system, then select it.
    3. The tag symbol is a darker color, and the number beside it shows the correct number of tags applied.

7.3.3. Editing tags.yaml to add or change tags

After you create the group tag, you can edit the contents of tags.yaml to add or modify tags.

The following procedure shows how to edit the /etc/insights-client/tags.yaml file, then verify the tag exists in the Red Hat Insights > RHEL > Inventory.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Open the tag configuration file, tags.yaml, in an editor.

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# vim /etc/insights-client/tags.yaml

  2. Edit the file contents or add additional key=value pairs. Add additional key=value pairs if needed. Use a mix of capitalization, letters, numbers, symbols, and whitespace. The following example shows how to organize tags.yaml when adding more than one tag to a system.

    Copy to Clipboard Toggle word wrap 
    # tags
---
group: _group-name-value_
location: _location-name-value_
description:
- RHEL8
- SAP
key 4: value
  3. Save your changes and close the editor.

  4. Generate an upload to Insights for Red Hat Enterprise Linux.

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# insights-client
  5. Navigate to Inventory > Systems and log in if necessary.

  6. In the Filter Results box, click the down arrow and select one of the filters or enter the name of the filter and select it.

    Note

    You can search by the tag key or by its value.

  7. Find your system among the results.
  8. Verify that the filter icon is darkened and shows a number representing the number of filters applied to the system.

7.4. Using predefined system tags to get more accurate Red Hat Insights advisor service recommendations and enhanced security

Red Hat Insights advisor service recommendations treat every system equally. However, some systems might require more security than others, or require different networking performance levels. In addition to the ability to add custom tags, Red Hat Insights for Red Hat Enterprise Linux provides predefined tags that the advisor service can use to create targeted recommendations for your systems that might require more attention.

To opt in and get the extended security hardening and enhanced detection and remediation capabilities offered by predefined tags, you need to configure the tags. After configuration, the advisor service provides recommendations based on tailored severity levels, and preferred network performance that apply to your systems.

To configure the tags, use the /etc/insights-client/tags.yaml file to tag systems with predefined tags in a similar way that you might use it to tag systems in the inventory service. The predefined tags are configured using the same key=value structure used to create custom tags. Details about the Red Hat-predefined tags are in the following table.

Table 7.1. List of Supported Predefined Tags
KeyValueNote

security

normal (default) / strict

With the normal (default) value, the advisor service compares the system’s risk profile to a baseline derived from the default configuration of the most recent version of RHEL and from often-used usage patterns. This keeps recommendations focused, actionable, and low in numbers. With the strict value, the advisor service considers the system to be security-sensitive, causing specific recommendations to use a stricter baseline, potentially showing recommendations even on fresh up-to-date RHEL installations.

network_performance

null (default) / latency / throughput

The preferred network performance (either latency or throughput according to your business requirement) would affect the severity of an advisor service recommendation to a system.

Note

The predefined tag keys names are reserved. If you already use the key security, with a value that differs from one of the predefined values, you will not see a change in your recommendations. You will only see a change in recommendations if your existing key=value is the same as one of the predefined keys. For example, if you have a key=value of security: high, your recommendations will not change because of the Red Hat-predefined tags. If you currently have a key=value pair of security: strict, you will see a change in the recommendations for your systems.

Additional resources

7.4.1. Configuring predefined tags

You can use the Red Hat Insights for Red Hat Enterprise Linux advisor service’s predefined tags to adjust the behavior of recommendations for your systems to gain extended security hardening and enhanced detection and remediation capabilities. You can configure the predefined tags by following this procedure.

Prerequisites

  • You have root-level access to your system
  • You have Insights client installed
  • You have systems registered within the Insights client
  • You have created the tags.yaml file. For information about creating the tags.yaml file, see Creating a tags.yaml file and adding a custom group.

Procedure

  1. Using the command line, and your preferred editor, open /etc/insights-client/tags.yaml. (The following example uses Vim.)

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# vi /etc/insights-client/tags.yaml

  2. Edit the /etc/insights-client/tags.yaml file to add the predefined key=value pair for the tags. This example shows how to add security: strict and network_performance: latency tags.

    Copy to Clipboard Toggle word wrap 
    # cat /etc/insights-client/tags.yaml
group: redhat
location: Brisbane/Australia
description:
- RHEL8
- SAP
security: strict
network_performance: latency
  3. Save your changes.
  4. Close the editor.

  5. Optional: Run the insights-client command to generate an upload to Red Hat Insights for Red Hat Enterprise Linux, or wait until the next scheduled Red Hat Insights upload.

    Copy to Clipboard Toggle word wrap 
    [root@server ~]# insights-client

Confirming that predefined tags are in your production area

After generating an upload to Red Hat Insights (or waiting for the next scheduled Insights upload), you can find out whether the tags are in the production environment by accessing Red Hat Insights > RHEL > Inventory. Find your system and look for the newly created tags. You see a table that shows:

  • Name
  • Value
  • Tag Source (for example, insights-client).

The following image shows an example of what you see in inventory after creating the tag.

highlighted information that shows current name and value and the tag source

Example of recommendations after applying a predefined tag

The following image of the advisor service shows a system with the network_performance: latency tag configured.

shows a recommendation that has a higher Total Risk that is Important and another recommendation that has a Total Risk of Moderate

The system shows a recommendation with a higher Total Risk level of Important. The system without the network_performance: latency tag has a Total Risk of Moderate. You can make decisions about prioritizing the system with higher Total Risk.

Chapter 8. Changing the insights-client schedule

You can disable, enable, and modify the schedule that controls when the Insights client runs. By default, the Insights client runs every 24 hours. The timers in the default schedules vary so that all systems do not run the client at the same time.

8.1. Disabling the Insights client schedule

You must disable the client schedule before you can change the default Insights client settings and create a new schedule.

The procedure you use to disable the insights-client schedule depends on your Red Hat Enterprise Linux and client versions.

Additional resources

8.1.1. Disabling the client schedule for RHEL 6, RHEL 7 and later with Client 3.x

Note

The --no-schedule option is deprecated in Client 3.x and later.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Enter the insights-client command with the --version option to verify the client version.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

  2. Enter the insights-client command with the --disable-schedule option to disable the client schedule.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --disable-schedule

8.2. Enabling the Insights client schedule

When you first enable the client schedule, it runs using its default settings. If you make changes to the schedule, those settings take precedence.

When you run insights-client from the command line, Insights client runs using the settings you specify for only that session. When the next scheduled run takes place, it uses the default settings.

8.2.1. Enabling the Insights client schedule on RHEL 7 or later and Client 3.x

You can enable the client schedule so that it runs on its default settings. If you change the default schedule settings, the changed settings take precedence.

Prerequisites

  • Root-level access to your system.
  • The client schedule is disabled.
  • (Optional) You modified the default schedule.

Procedure

  1. To verify the client version, enter the insights-client command with the --version option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --version
Client: 3.0.6-0
Core: 3.0.121-1

  2. Enter the insights-client command with the --enable-schedule option to enable the client schedule.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --enable-schedule

8.3. Modifying the Insights client schedule

To change when the Insights client runs, modify the schedule. The method that you use depends on the RHEL release and client version that your system is running.

Select the procedure that matches your version of RHEL.

  • For Red Hat Enterprise Linux 7.4 and earlier, use cron to modify the system schedule.
  • For Red Hat Enterprise Linux 7.5 and later, update the systemd settings and the insights-client-timer file.

8.3.1. Scheduling insights-client using systemd settings

Note

Use this for systems running RHEL 7.5 and later with Client 3.x.

You can change the default schedule for running insights-client by updating the system systemd settings and the insights-client.timer file.

Prerequisites

  • Root-level access to your system.

Procedure

  1. To edit the settings in the insights-client.timer file, enter the systemctl edit command and the file name.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# systemctl edit insights-client.timer

    This action opens an empty file with the default system editor.

  2. Enter different settings to modify the schedule. The values in this example are the default settings for systemd.

    Copy to Clipboard Toggle word wrap 
    [Timer]
OnCalendar=daily
RandomizedDelaySec=14400

  3. Enable the insights-client schedule.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --enable-schedule

Additional resources

8.3.2. Refreshing the package cache for systems managed by Red Hat Satellite

Insights now provides the optional --build-packagecache command to provide accurate reporting for applicable updates on Satellite-managed systems. This option rebuilds the yum/dnf package caches for insights-client, and creates a refreshed list of applicable updates for the system.

You can run the command manually to rebuild the package caches immediately, or you can edit the client configuration file (/etc/insights-client/insights-client.conf) to rebuild the package caches automatically each time the system checks in to Insights.

Additional resources

Chapter 9. Enabling and disabling automatic rule updates for Insights

By default, automatic collection rule updates are enabled for Insights. You can edit the client configuration file to disable them or re-enable them.

9.1. Disabling automatic rule updates for Insights

You can disable the automatic collection rule updates for Red Hat Insights for Red Hat Enterprise Linux. If you do so, you risk using outdated rule definition files and not getting the most recent validation updates.

Prerequisites

  • Root-level access to your system.
  • Automatic rule updates are enabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains

    Copy to Clipboard Toggle word wrap 
    #auto_update=True

  3. Remove the # and change True to False.

    Copy to Clipboard Toggle word wrap 
    auto_update=False
  4. Save and close the /etc/insights-client/insights-client.conf file.

9.2. Enabling automatic rule updates for Insights

You can re-enable the automatic collection rule updates for Red Hat Insights for Red Hat Enterprise Linux, if you previously disabled updates. By default, automatic rule update is enabled.

Prerequisites

  • Root-level access to your system.
  • Automatic rule collection is disabled.

Procedure

  1. Open the /etc/insights-client/insights-client.conf file with an editor.

  2. Locate the line that contains

    Copy to Clipboard Toggle word wrap 
    auto_update=False

  3. Change False to True.

    Copy to Clipboard Toggle word wrap 
    auto_update=True
  4. Save and close the /etc/insights-client/insights-client.conf file.

Chapter 10. Creating a diagnostic log for support

If you need help from the Red Hat support team, you can create and share diagnostic log files. These log files can help the support team to troubleshoot issues with insights-client.

10.1. Creating a diagnostic log

You can create a diagnostic log to share with the support team.

Prerequisites

  • Root-level access to your system.

Procedure

  1. Enter the insights-client command with the --support option.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# insights-client --support

    The command displays informational messages while creating the support file.

    Copy to Clipboard Toggle word wrap 
    Collecting logs...
Insights version: insights-core-3.0.121-1
Registration check:
status: True
unreachable: False
. . . .
Copying Insights logs to archive...
Support information collected in /var/tmp/H_Y43a/insights-client-logs-20190927144011.tar.gz

  2. Navigate to the collection directory as shown in the Support information collected in message.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# cd /var/tmp/H_Y43a

  3. Unpack the compressed tar.gz file.

    Copy to Clipboard Toggle word wrap 
    [root@insights]# tar -xzf insights-client-logs-20190927144011.tar.gz

    Unzipping the tar.gz file produces a new directory containing the log files. You can share the tar.gz file with the support team if requested.

Appendix A. Command options for insights-client

As a system administrator with root privileges, you can use the insights-client command and its options to control the Insights client operation on your system. Because the insights-client.rpm is updated less frequently than individual components in Insights for Red Hat Enterprise Linux, the man page might not include the most recent information about insights-client.

Each time you enter the insights-client command, the client collects data and sends it to Insights for Red Hat Enterprise Linux.

Note

Using the insights-client --display-name command to set the display name takes effect immediately, but does not run the Insights client.

A.1. Options for the Insights client

Table A.1. insights-client user command options
OptionDescription

--help

-h

Display help information

--register

Register the host to Insights for Red Hat Enterprise Linux by using the information in /etc/hostname. Will automatically enable the nightly cron job unless --disable-schedule is set.

--unregister

Unregister the host from Insights for Red Hat Enterprise Linux.

--display-name=DISPLAY_NAME

Set or change the host display name in the GUI. Use with --register to set the value of display_name when the host is registered if you want to use a different name than the one specified in /etc/hostname. You can also use the --display-name option after registration to override the name shown for this host in Insights inventory.

--group=GROUP

Add host to GROUP during registration. Group names are defined in /etc/insights-client/tags.yaml.

--retry=RETRIES

Set the number of times to retry an upload. The default is 1. The retry interval is 180 seconds, which is how long the Insights client waits until retrying the upload.

NOTE: In the scheduler, the number of retries is 3.

--validate

Validate /etc/insights-client/tags.yaml, /etc/insights-client/file-redaction.yaml, and /etc/insights-client/file-content-redaction.yaml files.

--quiet

Only log error messages to the console.

--silent

Log nothing to the console.

--enable-schedule

Enable the job schedule. By default, the Insights client runs daily, at or near midnight.

NOTE: If you are using Client 1.x, use the --register option to enable the schedule.

--disable-schedule

Disable the nightly job schedule.

--conf=CONF

-c=CONF

Use a custom configuration file CONF instead of the default /etc/insights-client/insights-client.conf file.

--no-upload

Runs the client but does not upload the archive to Red Hat Insights. The archive is stored in the /var/tmp/ directory. The file name displays when the insights-client command completes.

--offline

Run the client without using network functionality. Implies --no-upload.

--logging-file=LOGFILE

Output the log data to the specified log file (LOGFILE). The default log file is /var/log/insights-client/insights-client.log.

--diagnosis

Fetch diagnostic information from the API. You need to ensure that the system has been registered and uploaded at least once before you can use --diagnosis.

--compliance

Scan the system with OpenSCAP and upload the report.

--compliance-policies

Lists all the policies that the system can be assigned to and provides useful information in the output table for the following categories:

  • Assigned: Lists the status of the policy as False (system does not have the policy assigned) or True (system has the policy assigned)
  • ID: Lists the unique ID (UUID) for the policy.
  • Title: Lists the name of the Security Content Automation Protocol (SCAP) policy to which you can add your system.

--compliance-assign

Assigns the system to the policy by using the ID that is output from insights-client --compliance-policies.

--compliance-unassign

Unassigns the system from the policy by using the ID that is output from insights-client --compliance-policies.

--payload=PAYLOAD

Upload a specific archive payload file to Red Hat Insights for Red Hat Enterprise Linux. Requires --content-type to be set.

--content-type=TYPE

Set the content type for PAYLOAD. Type can be gz, bz2, xz, or none. The value of TYPE must match the --compressor used with the payload file.

--show-results

Display analysis results fetched by --check-results.

--output-dir=DIR

Write the collection to a specified directory instead of uploading.

--output-file=FILE

Write the collection to a specified archive instead of uploading.

--ansible-host=ANSIBLE_HOST

Set or change the Ansible hostname in Red Hat Insights inventory. Use this option during registration when you want to set a different name than the one specified in /etc/hostname or the configuration file. You can also use this option to override the hostname injected into playbooks targeting this host as generated by Red Hat Insights remediations.

--list-specs

Show insights-client collection specs.

--build-packagecache

Refresh the system package manager cache.

--manifest=MANIFEST

The specified manifest YAML file that defines what Insights Core should collect.

--checkin

Do a lightweight check-in instead of a full upload.

--collector=APP

Run the specified app and upload its results archive.

For example, specify:

  • --collector malware-detection to use Red Hat Insights to help detect the presence of malware. For more information, see the Additional resources section.
  • --collector compliance to instruct Red Hat Insights to scan the system with OpenSCAP and upload the report. This action can also be achieved by using the`--compliance` option instead.

Additionally, use the following insights-client command options when you need to debug Insights client operations:

Table A.2. insights-client debug options
OptionDescription

--version

Print the versions of insights-client Client and Core.

--test-connection

Test connectivity to the Red Hat Insights for Red Hat Enterprise Linux services.

--verbose

Log all debug output to the console.

--no-upload

Runs the client but does not upload the archive. The archive gets stored in the /var/tmp/ directory. The file name displays when insights-client completes.

--keep-archive

Store the archive in the /var/cache/insights-client/ directory after upload.

--support

Generate a diagnostic log for support.

--status

Display host registration status.

--net-debug

Log network calls to the console.

Additional resources

Appendix B. Command options for insights-client

You can use the settings in the /etc/insights-client/insights-client.conf configuration file to change how the Insights client operates on your system.

B.1. Options for the Insights client configuration file

When the configuration file and the CLI have similar options, the CLI option is executed when you enter the insights-client command. When the scheduler runs the client, the configuration file options are executed.

Note

You must enter the choices exactly as shown. True and False use initial capital letters.

The changes initiated by the options take effect either at the next scheduled run, or when you enter the insights-client command. The options should be formatted as key=value pairs.

Table B.1. insights-client.conf configuration options
OptionDescription

ansible_host

Use this option if you want a different hostname when running Ansible playbooks.

authmethod=CERT

Set the authentication method. Valid option is CERT. The default value is CERT.

auto_config=True

Use this to auto configure with Satellite server. Values can be True (default) or False.

NOTE: When auto_config=True (default), the authentication method used is CERT.

auto_update=True

Automatically update the dynamic configuration. The default is True. Change to False if you do not want to automatically update.

base_url=cert-api.access.redhat.com:443/r/insights

This is the base URL for the API.

cmd_timeout=120

This is for commands run during collection and is measured in seconds. The command processes are terminated when the timeout value is reached.

content_redaction_file

Use this to omit lines or keywords from files and commands in the core collection. The core collection is a more comprehensive result set.

You do not need to change the default configuration. The content_redaction_file option uses the /etc/insights-client/file-content-redaction.yaml file by default.

display_name

Use this as the display name for registration. The default is to use /etc/hostname.

NOTE: This value interacts with the insights-client --display-name command. If you use the CLI to change the display name but a different display name is enabled in the configuration file, the display name reverts to the configuration file value when the scheduler runs the Insights client.

http_timeout=120

This is for HTTP calls and is measured in seconds. The command processes terminate when the timeout value is reached.

[insights-client]

This is a required first line of the configuration file, even if you specify a different location or name for the client configuration file.

loglevel=DEBUG

Use this to change the log level. Options are: DEBUG, INFO, WARNING, ERROR, and CRITICAL. The default is DEBUG. The default log file location is /var/log/insights-client/insights-client.log.

obfuscate=False

Use this to obfuscate IPv4 addresses. The default is False. Change to True to enable address obfuscation.

obfuscate_hostname=False

Use this to obfuscate hostname. You must set obfuscate=True to obfuscate the hostname, which enables IPv4 address obfuscation. You cannot obfuscate only the hostname.

proxy

Use this for the URL for your proxy. Example: http://user:pass@192.168.100.50:8080

redaction_file

Use this to omit files or commands from the core collection. The core collection is a more comprehensive result set.

You do not need to change the default configuration. The redaction_file option uses /etc/insights-client/file-redaction.yaml by default.

Providing feedback on Red Hat documentation

We appreciate and prioritize your feedback regarding our documentation. Provide as much detail as possible, so that your request can be quickly addressed.

Prerequisites

  • You are logged in to the Red Hat Customer Portal.

Procedure

To provide feedback, perform the following steps:

  1. Click the following link: Create Issue
  2. Describe the issue or enhancement in the Summary text box.
  3. Provide details about the issue or requested enhancement in the Description text box.
  4. Type your name in the Reporter text box.
  5. Click the Create button.

This action creates a documentation ticket and routes it to the appropriate documentation team. Thank you for taking the time to provide feedback.

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat, Inc.