Administering vRealize
Log Insight
March 01, 2023
vRealize Log Insight 8.10
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright
©
2023 VMware, Inc. All rights reserved. Copyright and trademark information.
Administering vRealize Log Insight
VMware, Inc. 2
Contents
Administering vRealize Log Insight 7
1 Upgrading vRealize Log Insight 8
vRealize Log Insight Upgrade Path 8
Upgrade to the Latest Version of vRealize Log Insight 8
vRealize Log Insight 8.1 Upgrade 10
vRealize Log Insight 8.0 Upgrade 11
2 Managing vRealize Log Insight User Accounts 12
User Management Overview 12
Role-Based Access Control 13
Using Filtering to Manage User Accounts 14
Create a User Account 14
Unlock a User Account 16
Configure VMware Identity Manager Access to Active Directory Groups for vRealize Log Insight
17
Import an Active Directory Group to vRealize Log Insight 19
Define a Data Set 20
Create and Modify Roles 22
Delete a User Account or Group 25
3 Configuring Authentication 26
Activate User Authentication Through VMware Identity Manager 26
Activate User Authentication Through Active Directory 28
Configure the Protocol to Use for Active Directory 29
4 Configuring vRealize Log Insight 31
vRealize Log Insight Configuration Limits 32
Add a Log Filter Configuration 33
Add a Log Mask Configuration 34
Configuring Virtual Appliance Settings 36
Configure the Root SSH Password for the vRealize Log Insight Virtual Appliance 36
Change the Network Settings of the vRealize Log Insight Virtual Appliance 37
Increase the Storage Capacity of the vRealize Log Insight Virtual Appliance 37
Add Memory and CPU to the vRealize Log Insight Virtual Appliance 38
Assign a License to vRealize Log Insight 39
Log Storage Policy 40
Managing System Notifications 40
VMware, Inc.
3
System Notifications 41
Configuring Destinations for vRealize Log Insight System Notifications 46
Add a vRealize Log Insight Log Forwarding Destination 49
Using Log Management Filters in Explore Logs 51
Configure Log Forwarding to vRealize Log Insight Cloud 52
Add a Cloud Channel 53
Synchronize the Time on the vRealize Log Insight Virtual Appliance 54
Configure the SMTP Server for vRealize Log Insight 55
Configure an HTTP Proxy 56
Configure a Webhook 57
Install a Custom SSL Certificate 60
Generate a Self-Signed Certificate 61
Generate a Certificate Signing Request 62
Request a Signature from a Certificate Authority 64
Concatenate Certificate Files 64
Upload Signed Certificate 65
Configure SSL Connection Between the vRealize Log Insight Server and the Log Insight
Agents 65
View and Remove SSL Certificates 69
Change the Default Timeout Period for vRealize Log Insight Web Sessions 70
Retention and Archiving 70
Configure an Index Partition 70
Data Archiving 72
Format of the vRealize Log Insight Archive Files 72
Import a vRealize Log Insight Archive into vRealize Log Insight 73
Export a Log Insight Archive to a Raw Text File or JSON 74
Restart the vRealize Log Insight Service 75
Power off the vRealize Log Insight Virtual Appliance 76
Download a vRealize Log Insight Support Bundle 76
Join or Leave the VMware Customer Experience Improvement Program 77
Configure STIG Compliance for vRealize Log Insight 78
Activate FIPS for vRealize Log Insight 79
5
Managing vRealize Log Insight Clusters
81
Add a Worker Node to a vRealize Log Insight Cluster 81
Deploy the vRealize Log Insight Virtual Appliance 81
Join an Existing Deployment 84
Remove a Worker Node from a vRealize Log Insight Cluster 85
Working with an Integrated Load Balancer 86
Activate the Integrated Load Balancer 87
6 Configuring, Monitoring, and Updating vRealize Log Insight Agents 89
Administering vRealize Log Insight
VMware, Inc. 4
Centralized Agent Configurations and Agent Groups 89
Agent Group Configuration Merging 90
Create an Agent Group 91
Edit an Agent Group 92
Add a Content Pack Agent Group as an Agent Group 93
Delete an Agent Group 93
Monitor the Status of the vRealize Log Insight Agents 94
Activate Agent Auto-Update from the Server 95
7
Monitoring vRealize Log Insight
97
Check the Health of the vRealize Log Insight Virtual Appliance 97
Monitor Hosts That Send Log Events 98
Configure a System Notification to Report on Inactive Hosts 99
8 Integrating vRealize Log Insight with VMware Products 100
Connect vRealize Log Insight to a vSphere Environment 101
vRealize Log Insight as a Syslog Server 103
Configure an ESXi Host to Forward Log Events to vRealize Log Insight 103
Modify an ESXi Host Configuration for Forwarding Log Events to vRealize Log Insight 105
vRealize Log Insight Notification Events in vRealize Operations 106
Configure vRealize Log Insight to Pull Events, Tasks, and Alarms from vCenter Server Instance
107
Using vRealize Operations with vRealize Log Insight 108
Requirements for Integrating With vRealize Operations 108
Configure vRealize Log Insight to Send Notifications and Metrics to vRealize Operations
110
Activate Launch in Context for vRealize Log Insight in vRealize Operations 112
Deactivate Launch in Context for vRealize Log Insight in vRealize Operations 116
Add a DNS Search Path and Domain 117
Remove the vRealize Log Insight Adapter 118
vRealize Operations Content Pack for vRealize Log Insight 119
Integrate vRealize Log Insight with NSX Identity Firewall 119
Add an Identity Provider to an NSX Identity Firewall Integration 120
9
Security Considerations for
vRealize Log Insight 123
Ports and External Interfaces 123
vRealize Log Insight Configuration Files 125
vRealize Log Insight Public Key, Certificate, and Keystore 125
vRealize Log Insight License and EULA File 126
vRealize Log Insight Log Files 126
Activate Debug Level for User Audit Log Messages 129
Audit Logs in vRealize Log Insight 129
Administering vRealize Log Insight
VMware, Inc. 5
vRealize Log Insight User Accounts 130
vRealize Log Insight Firewall Recommendations 131
Security Updates and Patches 132
10 Backup, Restore, and Disaster Recovery 133
Backup, Restore, and Disaster Recovery Overview 133
Using Static IP Addresses and FQDN 134
Planning and Preparation 135
Backup Nodes and Clusters 136
Backup Linux or Windows Agents 137
Restore Nodes and Clusters 138
Changing Configurations After Restoration 139
Restore to the Same Host 139
Restore to a Different Host 139
Verify Restorations 142
Disaster Recovery 143
11
Troubleshooting vRealize Log Insight
144
Cannot Log In to vRealize Log Insight on Internet Explorer 144
vRealize Log Insight Runs Out of Disk Space 145
Import of Archived Data Might Fail 145
Use the Virtual Appliance Console to Create a Support Bundle of vRealize Log Insight 146
Reset the Admin User Password 147
Reset the Root User Password 147
Alerts Could Not Be Delivered to vRealize Operations 149
Unable to Log In Using Active Directory Credentials 150
SMTP does not work with STARTTLS option activated 150
Upgrade Fails Because the Signature of the .pak file Cannot Be Validated 151
Upgrade Fails with an Internal Server Error 152
Missing vmw_object_id Field in the First Log Message After Integration with VMware Products
152
Administering vRealize Log Insight
VMware, Inc. 6
Administering vRealize Log Insight
Administering vRealize Log Insight
provides information about the administration of
VMware
®
vRealize
™
Log Insight
™
, including how to manage user accounts and how to configure
integration with other VMware products. It also includes information about managing product
security and upgrading your deployment.
The information is written for experienced Windows or Linux system administrators who are
familiar with virtual machine technology and datacenter operations. Administrators are users
associated with the Super Admin role, clones of the Super Admin role, or roles that have
permissions for the relevant administrative tasks. These roles are defined in the Management
> Access Control page, on the Roles tab.
VMware, Inc. 7
Upgrading vRealize Log Insight
1
You can upgrade vRealize Log Insight to version 8.10 from 8.8.x and to 8.8 from 8.6.x. You can
upgrade to version 8.4 from 8.3 or 8.2, and to 8.1 from 4.8 or 8.0. To upgrade to the rest of
the versions, you must follow an incremental upgrade path. The upgrade includes automatically
upgrading the nodes in a cluster.
To download the PAK files for vRealize Log Insight, go to the Download VMware vRealize Log
Insight page.
This chapter includes the following topics:
n vRealize Log Insight Upgrade Path
n Upgrade to the Latest Version of vRealize Log Insight
n vRealize Log Insight 8.1 Upgrade
n vRealize Log Insight 8.0 Upgrade
vRealize Log Insight Upgrade Path
The upgrade path to follow depends on which version of vRealize Log Insight is installed and the
version you are upgrading to.
You can upgrade vRealize Log Insight to version 8.10 from 8.8.x, to 8.8 from 8.6.x, to 8.4 from
8.3 or 8.2, and to 8.1 from 4.8 or 8.0. Upgrades to the rest of the versions must be done
incrementally. For example, to upgrade from version 8.1 to 8.3, you apply the 8.2 upgrade to 8.1
and then upgrade from 8.2 to 8.3. You must upgrade to each intermediate release.
You can also view supported upgrade paths on the VMware Product Interoperability Matrixes
site.
Upgrade to the Latest Version of vRealize Log Insight
You can upgrade a cluster to vRealize Log Insight 8.10 from 8.8.x, and to 8.8 from 8.6.x. You can
upgrade to version 8.4 from 8.3 or 8.2, and to 8.1 from 4.8 or 8.0. To upgrade a cluster to the rest
of the versions, you must follow an incremental path. For example, to upgrade from version 8.1 to
8.3, you apply the 8.2 upgrade to 8.1 and then upgrade from 8.2 to 8.3.
VMware, Inc.
8
Upgrading vRealize Log Insight must be done from the primary node's FQDN. Upgrading using
the Integrated Load Balancer IP address is not supported.
During upgrade, the primary node is upgraded first, and restarts. Each of the cluster nodes
is upgraded sequentially. You can see the status of the rolling upgrade on the Management
> Cluster page. If the integrated load balancer is configured, its IPs are migrated among the
cluster nodes so cluster services, including UI, API, and ingestion of incoming events, remain
available throughout the rolling upgrade. Low-level details are written to the file /storage/
core/loginsight/var/upgrade.log on each individual node. A system notification is sent
when the upgrade finishes successfully.
If a problem is encountered affecting one or more of the nodes during the upgrade process,
the entire cluster is rolled back to the original, working version. Because configuration changes
performed after the upgrade started might be inconsistent or invalid, the configuration is
reverted to a known-good state captured before upgrade. No ingested events are lost. Progress
is written to the file /storage/core/loginsight/var/rollback.log on each individual node.
A system notification is sent when rollback finishes. After the issue is investigated and fixed, you
can retry the upgrade.
After upgrade, all nodes are placed in a connected state and brought online even if they were in
maintenance before upgrade.
Prerequisites
n Verify that you are applying the correct upgrade to version vRealize Log Insight . For more
information about supported upgrade paths, see vRealize Log Insight Upgrade Path.
n Create a snapshot or backup copy of the vRealize Log Insight virtual appliance.
n Obtain a copy of the vRealize Log Insight upgrade bundle .pak file for the release you are
upgrading to.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
n Make a note of any nodes you are upgrading that are in maintenance mode. When the
upgrade is finished, you must move them from the state Connected to Maintenance mode.
Procedure
1 Expand the main menu and navigate to Management > Cluster.
2 Click Upgrade from PAK to upload the .pak file.
3 Accept the new EULA to complete the upgrade procedure.
Administering vRealize Log Insight
VMware, Inc. 9
4 vRealize Log Insight participates in VMware’s Customer Experience Improvement Program
(CEIP).
n If CEIP was activated for the earlier release, no additional change is required during
upgrade. CEIP remains activated after the upgrade is finished.
n If CEIP was not activated for the earlier release, the CEIP check box is displayed when the
upgrade is finished, and the check box is selected by default. Deselect the check box to
leave the CEIP.
After activating or deactivating CEIP, click OK.
What to do next
After the primary node upgrade process is complete, you can view the remaining upgrade
process, which is automatic.
Check for the email sent to the Admin to confirm the upgrade completed successfully.
After upgrade, all nodes are brought online even if they were in maintenance mode before the
upgrade. Move these nodes back to maintenance mode as needed.
vRealize Log Insight 8.1 Upgrade
You can upgrade from vRealize Log Insight 8.0 to 8.1, where both versions are on Photon
operating systems. You can also upgrade directly from vRealize Log Insight 4.8 on an SLES
operating system to vRealize Log Insight 8.1 on a Photon operating system.
Upgrading from vRealize Log Insight 8.0 to 8.1
The upgrade from vRealize Log Insight 8.0 to 8.1 does not change the architecture of the virtual
machine of the vRealize Log Insight virtual appliance. The only change is in the currently booted
root partition, for example, from SDA4 to SDA3, which has no impact on the user experience.
If the upgrade to vRealize Log Insight 8.1 fails, an automated rollback does not happen. However,
you can do a manual rollback to revert to an earlier version. For more information, see https://
kb.vmware.com/s/article/75150. There is no change in the user interface or REST API. When you
connect to the vRealize Log Insight 8.1 virtual machine from the command line and work on it, you
see systemd-based information, as Photon is based on systemd.
Upgrading from vRealize Log Insight 4.8 to 8.1
Upgrading from vRealize Log Insight 4.8 to 8.1 is similar to upgrading from 4.8 to 8.0. For more
information, see vRealize Log Insight 8.0 Upgrade.
For additional information about upgrading to vRealize Log Insight 8.1, see the upgrade notes.
For information about the upgrade process, see Upgrade to the Latest Version of vRealize Log
Insight.
Administering vRealize Log Insight
VMware, Inc. 10
vRealize Log Insight 8.0 Upgrade
You can upgrade from vRealize Log Insight 4.8 on an SLES operating system to vRealize Log
Insight 8.0 on a Photon operating system.
Upgrading from an SLES-based vRealize Log Insight 4.8 to a Photon-based vRealize Log Insight
8.0 is different from the previous upgrades because of the change in the underlying operating
system. This upgrade changes the architecture of each virtual machine in the vRealize Log Insight
virtual appliance.
For example, consider a virtual machine with a disk SDA, which has three partitions for boot
(SDA1), swap (SDA2), and root (SDA3). The size of partition SDA3 is approximately 16 GB and
it contains information about SLES. Upgrading from an SLES-based vRealize Log Insight 4.8 to
a Photon-based vRealize Log Insight 8.0 creates another partition in SDA3 and splits it equally
into two parts, sized approximately 8 GB each - one for SLES (SDA3) and another for Photon
(SDA4). SDA4 becomes the active partition. SDA3 remains inactive but contains valid vRealize
Log Insight information for SLES. You can boot SDA3 by manually selecting it when you boot the
virtual machine.
Note Before upgrading from an SLES-based vRealize Log Insight 4.8 to a Photon-based vRealize
Log Insight 8.0, ensure that the root partition has enough space for the upgrade. If the root
partition is smaller in size, for example, 8 GB, increase the disk size to 20 GB, so that the root
partition size increases to 16 GB. You must increase the disk size for each node that has a
root partition with less space. For information about increasing the root partition size, see https://
kb.vmware.com/s/article/76304.
After an upgrade to a Photon-based vRealize Log Insight 8.0:
n There is no change in the user interface or REST API.
n When you connect to the vRealize Log Insight 8.0 virtual machine from the command line
and work on it, you see systemd-based information, because SLES is based on initd whereas
Photon is based on systemd.
For additional information about upgrading to vRealize Log Insight 8.0, see the upgrade notes.
For information about the upgrade process, see Upgrade to the Latest Version of vRealize Log
Insight.
Administering vRealize Log Insight
VMware, Inc. 11
Managing vRealize Log Insight
User Accounts
2
You can create user accounts and roles to provide users with access to the vRealize Log Insight
web interface.
You can create and edit user accounts if you are a user associated with the Super Admin role or
a role that has the Access control permission with Edit access level. However, you can change
your own email and account password without having this permission.
This chapter includes the following topics:
n User Management Overview
n Role-Based Access Control
n Using Filtering to Manage User Accounts
n Create a User Account
n Unlock a User Account
n Configure VMware Identity Manager Access to Active Directory Groups for vRealize Log
Insight
n Import an Active Directory Group to vRealize Log Insight
n Define a Data Set
n Create and Modify Roles
n Delete a User Account or Group
User Management Overview
You can use a combination of user logins, role-based access control, and data sets to manage
vRealize Log Insight users. Role-based access control lets you manage users and the tasks that
they can perform.
Note You can create and edit user accounts if you are a user associated with the Super Admin
role or a role that has the Access control permission with Edit access level.
VMware, Inc.
12
Roles are sets of permissions required to perform particular tasks. vRealize Log Insight has a set
of predefined roles. Additionally, you can create custom roles as part of defining security policies,
and grant the roles to users. To change the permissions and tasks associated with a custom role,
you can update the role settings. The updated settings take effect for all users associated with
the role.
n To allow a user to perform a task, you grant the role to the user.
n To prevent a user from performing a task, you revoke the role from the user.
Managing roles for each user is based on their user login account. You can assign multiple roles
to a user, in which case the role permissions are merged.
Users who cannot view or access certain objects or cannot perform certain operations were not
assigned the roles with the permissions to do so.
Role-Based Access Control
Role-based access control lets you restrict log access for specific users, and control tasks that
these users can perform after they log in. You can associate or revoke roles with or from user
login accounts. A user can see all the dashboards that they have access to, but the data in the
dashboards and in Explore Logs is filtered based on the data sets that the user role has access
to.
Note You can create and edit user accounts if you are a user associated with the Super Admin
role or a role that has the Access control permission with Edit access level.
Users
You can control the access and actions of each user by granting or revoking roles to or from
the login account of the user.
Permissions
Permissions and access levels are associated with roles, and control the allowed actions in
vRealize Log Insight. Permissions apply to particular administrative or user tasks in vRealize
Log Insight. The predefined roles in vRealize Log Insight have a fixed set of permissions.
You can modify these permissions for all predefined roles except the Super Admin role.
Additionally, you can also create custom roles and assign permissions with access levels
according to your requirement. For example, you can grant the Management permission
with Full Access to allow a user to view and modify the vRealize Log Insight administrative
settings in the Management section.
Data Sets
Administering vRealize Log Insight
VMware, Inc. 13
Data sets consist of a set of filters. You can use data sets to provide users with access to
specific content by associating a data set with a role.
Note You can associate data sets with all predefined roles except the Super Admin role.
Roles
Roles are collections of permissions and data sets that can be associated with users. Roles
provide a convenient way to package all the permissions required to perform a task. One
user can be assigned multiple roles.
vRealize Log Insight has a set of predefined roles. You can modify all predefined roles
except the Super Admin role. You can also create custom roles and modify the associated
permissions and data sets according to your requirement.
Using Filtering to Manage User Accounts
You can search for a user or set of users by specifying a search filter.
To use filtering for user accounts, navigate to Management > Access Control and select the
Users tab.
The search text box is located near the top of the page and contains the phrase Filter by
username.
The search function filters results as you type, returning user names that contain the input
pattern. For example, if you have user names John_Smith, John_Doe, and Helen_Jonson, when
you type the letter J, search returns all user names that include that letter, for this example
John_Smith, John_Doe, and Helen_Jonson. When you continue to type letters, search results
are narrowed to match the exact pattern. For this example, when you type John_, search returns
John_Smith and John_Doe.
You can sort search results by fields: domain, authentication, roles, email, or UPN. In addition, you
can perform a bulk action, such as deleting multiple users, on the search result.
Create a User Account
You can create user accounts to provide access to the vRealize Log Insight web user interface.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a a role that has the Access control permission with
Edit access level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 14
n Verify that you have configured VMware Identity Manager or Active Directory support if you
are creating user accounts that use either of these types of authentication. See Activate User
Authentication Through VMware Identity Manager and Activate User Authentication Through
Active Directory.
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Users.
3 Click New User.
4 Do either of the following:
n If you are using the default, built-in authentication, enter a user name and an email
address.
n If you are using Active Directory or VMware Identity Manager authentication, enter the
domain to which the user belongs, a user name, and optionally, the email address for the
user name account.
5 From the Roles list on the right, select one or more predefined or custom user roles.
Option
Description
Dashboard User Dashboard users can only use the Dashboards page of vRealize Log Insight.
Super Admin Super Admin users can access all the functionalities of vRealize Log Insight,
can administer vRealize Log Insight, and can manage the accounts of all
other users.
User Users can access all the functionalities of vRealize Log Insight. Users can
view log events, run queries to search and filter logs, import content packs
into their own user space, view alerts, and manage their own user accounts
to change a password or email address. Users do not have access to the
administration options and cannot share content with other users, create or
modify alerts, modify the accounts of other users, and or install a content
pack from the Marketplace. However, they can import a content pack into
their own user space which is visible only to them.
View Only Admin View Only Admin users can view Admin information, have full User access,
and can edit shared content.
Custom Role A user with a custom role can view or modify information based on the
permissions associated with the role.
To view the permissions associated with a predefined or custom role, in the Access Control
page, click the Roles tab and then click Show Permissions against the role.
Administering vRealize Log Insight
VMware, Inc. 15
6 Click Save.
n For built-in authentication, the information is saved locally. An email is sent to the user's
email address with a link to finish the registration. The user can click the link and enter a
password for their account. Before the user registers their account, the account status is
pending. After registration, the account status is active.
Note A user must register their account within 24 hours of receiving the registration
email. If they fail to do so, their account status remains pending, and they have to request
the Super Admin user to unlock their account. For more information, see Unlock a User
Account.
n For authentication with VMware Identity Manager, vRealize Log Insight verifies whether
the user's domain is linked to a group. If the domain does not belong to a group, vRealize
Log Insight verifies whether the domain has established trust with a domain associated
with a group. If cross-domain trust has been established, the user can log in to vRealize
Log Insight, and the corresponding user account is added to the user table in Access
Control > Users.
Unlock a User Account
If a user account is in pending status because of the failure to register within 24 hours or if the
account is in locked status, a Super Admin user can unlock the account.
User accounts are locked in either of the following situations:
n The user enters the wrong password three consecutive times in a 15 minute period.
n The user has not logged in to vRealize Log Insight for 35 days. This lock condition is valid only
if the password policy restriction is activated.
n The user has not changed their password for 60 days. This lock condition is valid only if the
password policy restriction is activated.
For information about enabling the password policy restriction, see Configure STIG Compliance
for vRealize Log Insight.
Note This procedure unlocks accounts that use the default, built-in authentication only, and not
accounts that use VMware Identity Manager or Active Directory authentication.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a a role that has the Access control permission with Edit access
level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Access Control.
Administering vRealize Log Insight
VMware, Inc. 16
2 Click Users.
3 (Optional) For the locked user account, point to the red lock icon in the Status column to
know why the account is locked.
4 Click the pencil icon against the user name of the account.
5 Select the Reset Password check box if it is not selected already.
6 Click Save.
Results
An email is sent to the user's email address with a link to reset their password. The user can click
the link and enter a new password for their account.
Note A user must unlock their account within 24 hours of receiving the email. If they fail to do
so, they have to request the Super Admin user to unlock their account again.
Configure VMware Identity Manager Access to Active
Directory Groups for vRealize Log Insight
You can use Active Directory groups with vRealize Log Insight through VMware Identity Manager
single sign-on authentication. Your site must be configured for VMware Identity Manager
authentication that is enabled for Active Directory support, and server synchronization must be in
place.
You must also import group information to vRealize Log Insight.
A VMware Identity Manager user inherits roles that are assigned to any group the user belongs
to in addition to the roles that are assigned to the individual user. For example, you can assign
Group A to the role of View Only Admin and assign a user to the role of User. The same user can
also be assigned to Group A. When the user logs in, they inherit the group role with privileges for
both the View Only Admin and User roles.
The group is not a VMware Identity Manager local group, but an Active Directory group that is
synchronized with VMware Identity Manager.
Prerequisites
n Verify that you have configured the UPN attribute (userPrincipalName) attribute. It can be
configured through the VMware Identity Manager administrator interface at Identity & Access
Management > User Attributes.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a a role that has the Access control permission with
Edit access level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
n Verify that you configured VMware Identity Manager support in vRealize Log Insight. See
Activate User Authentication Through VMware Identity Manager
Administering vRealize Log Insight
VMware, Inc. 17
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Users.
3 Scroll to the Directory Groups table and click New Group.
4 Select VMware Identity Manager from the Type drop-down menu.
The default domain name that you specified when you configured VMware Identity Manager
support appears in the Domain text box.
5 Change the domain name to the Active Directory name for the group.
6 Enter the name of the group that you want to add.
7 From the Roles list on the right, select one or more predefined or custom user roles.
Option Description
Dashboard User Dashboard users can only use the Dashboards page of vRealize Log Insight.
Super Admin Super Admin users can access all the functionalities of vRealize Log Insight,
can administer vRealize Log Insight, and can manage the accounts of all
other users.
User Users can access all the functionalities of vRealize Log Insight. Users can
view log events, run queries to search and filter logs, import content packs
into their own user space, view alerts, and manage their own user accounts
to change a password or email address. Users do not have access to the
administration options and cannot share content with other users, create or
modify alerts, modify the accounts of other users, and or install a content
pack from the Marketplace. However, they can import a content pack into
their own user space which is visible only to them.
View Only Admin View Only Admin users can view Admin information, have full User access,
and can edit shared content.
Custom Role A user with a custom role can view or modify information based on the
permissions associated with the role.
To view the permissions associated with a predefined or custom role, in the Access Control
page, click the Roles tab and then click Show Permissions against the role.
8 Click Save.
For authentication, vRealize Log Insight verifies whether the user's domain is linked to a
group. If the domain does not belong to a group, vRealize Log Insight verifies whether the
domain has established trust with a domain associated with a group. If cross-domain trust
has been established, the user can log in to vRealize Log Insight, and the corresponding user
account is added to the user table in Access Control > Users.
Administering vRealize Log Insight
VMware, Inc. 18
Results
Users that belong to the group that you added can use their VMware Identity Manager account
to log in to vRealize Log Insight and have the same level of permissions as the group to which
they belong.
Import an Active Directory Group to vRealize Log Insight
Instead of adding individual domain users, you can add domain groups to allow users to log in to
vRealize Log Insight.
When you activate AD support in vRealize Log Insight, you configure a domain name and provide
a binding user that belongs to the domain. vRealize Log Insight uses the binding user to verify the
connection to the AD domain, and to verify the existence of AD users and groups.
The Active Directory groups that you add to vRealize Log Insight must either belong to the
domain of the binding user, or to a domain that is trusted by the domain of the binding user.
An Active Directory user inherits roles that are assigned to any group the user belongs to, in
addition to the roles that are assigned to the individual user. For example, you can assign GroupA
to the role of
View Only Admin and assign the user Bob to the role of User. Bob can also be
assigned to GroupA. When Bob logs in, he inherits the group role and has privileges for both the
View Only Admin and User roles.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a a role that has the Access control permission with
Edit access level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
n Verify that you configured AD support. See Activate User Authentication Through Active
Directory
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Users.
3 Under Directory Groups, click New Group.
4 Click Active Directory in the Type drop-down menu.
The default domain name that you specified when you configured Active Directory support
appears in the Domain text box. If you are adding groups from the default domain, do not
modify the domain name.
5 (Optional) If you want to add a group from a domain that trusts the default domain, type the
name of the trusting domain in the Domain text box.
6 Enter the name of the group that you want to add.
Administering vRealize Log Insight
VMware, Inc. 19
7 From the Roles list on the right, select one or more predefined or custom user roles.
Option Description
Dashboard User Dashboard users can only use the Dashboards page of vRealize Log Insight.
Super Admin Super Admin users can access all the functionalities of vRealize Log Insight,
can administer vRealize Log Insight, and can manage the accounts of all
other users.
User Users can access all the functionalities of vRealize Log Insight. Users can
view log events, run queries to search and filter logs, import content packs
into their own user space, view alerts, and manage their own user accounts
to change a password or email address. Users do not have access to the
administration options and cannot share content with other users, create or
modify alerts, modify the accounts of other users, and or install a content
pack from the Marketplace. However, they can import a content pack into
their own user space which is visible only to them.
View Only Admin View Only Admin users can view Admin information, have full User access,
and can edit shared content.
Custom Role A user with a custom role can view or modify information based on the
permissions associated with the role.
To view the permissions associated with a predefined or custom role, in the Access Control
page, click the Roles tab and then click Show Permissions against the role.
8 Click Save.
vRealize Log Insight verifies whether the AD group exists in the domain that you specified
or in a trusting domain. If the group cannot be found, a dialog box informs you that vRealize
Log Insight cannot verify that group. You can save the group without verification or cancel to
correct the group name.
Results
Users that belong to the Active Directory group that you added can use their domain account to
log in to vRealize Log Insight and have the same level of permissions as the group to which they
belong.
Define a Data Set
You can define a data set to provide users access to specific content.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a a role that has the Access control permission with Edit access
level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 20
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Data Sets.
3 Click New Data Set.
4 Enter a name and description for the data set.
5 Click Add Filter.
Tip The This data set restricts other data sets check box determines how a data set should
behave when combined with other data sets. For example, you have two data sets:
Data set 1:
hostname contains "host"
appname contains "app"
Data set 2:
severity contains "error"
If both of these data sets are added to a role, the resulting combined data set would be:
(hostname contains "host" AND appname contains "app") OR (severity contains "error")
However, if you select the This data set restricts other data sets check box for data set 2, the
combined data set would be:
(hostname contains "host" AND appname contains "app") AND (severity contains "error")
6 Use the first drop-down menu to select a field defined within vRealize Log Insight to filter on.
For example, hostname.
The list contains static fields only and excludes fields that are extracted, user shared, and
fields created through event_type filters.
Note Numeric fields contain the additional operators =, >, <, >=, and <=, which string fields
do not. These operators perform numeric comparisons. Using them yields different results
than using string operators. For example, the filter response_time = 02 matches an event
that contains a response_time field with a value 2. The filter response_time contains 02
does not have the same match.
7 Use the second drop-down menu to select the operation to apply to the field selected in the
first drop-down menu.
For example, select contains. The contains filter matches full tokens: searching for the string
err does not result in error as a match.
Administering vRealize Log Insight
VMware, Inc. 21
8 In the filter box to the right of the filter drop-down menu, enter the value that you want to
use as a filter.
You can use multiple values. The operator between these values is OR. If you are using the
_index field in one of the filters, the operator is AND.
Note The box is not available if you select the exists operator in the second drop-down
menu.
9 (Optional) To add more filters, click Add Filter.
10 (Optional) To verify that the filter behavior is what you want, click Run in Explore Logs page,
which opens an Explore Logs window with data that matches your filters.
11 Click Save.
What to do next
Associate a data set with a user role. See Create and Modify Roles.
Create and Modify Roles
You can create or modify roles to allow users to perform certain tasks and access specific
content.
Note You can edit all predefined roles except the Super Admin role. You can clone the Super
Admin role and then modify the cloned role.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a a role that has the Access control permission with Edit access
level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Roles.
3 Click New Role or the pencil icon to edit an existing role.
4 Modify the Name and Description text boxes.
5 Select one or more permissions and their corresponding access levels from the Permissions
list. Permissions have main categories and sub-categories within each main category.
The following access levels are available:
Full Access
Administering vRealize Log Insight
VMware, Inc. 22
Provides view and edit access to all the sub-categories for a permission. For example, if you
select the Full Access check box against the Management permission, the users associated
with the role can view and edit clusters, hosts, agents, and the rest of the sub-categories
under Management.
No Access
Does not provide view or edit access to the corresponding sub-category in a permission.
View
Provides view access to the corresponding sub-category in a permission.
Edit
Provides view and edit access to the corresponding sub-category in a permission.
Note Some permissions do not have all access levels due to absence of use cases. For
example, you do not have the Edit access level for content pack dashboards. Similarly, you
do not have the No Access access level for extracted fields in Explore Logs.
The following permissions are available:
Permission
Description
Management Can view or modify information corresponding to the selected sub-
categories, under the Management section:
n System monitor
n Cluster
n Access control
n Hosts
n Agents
n Certificates
n Licenses
Configuration Can view or configure information corresponding to the selected sub-
categories, under the Configuration section:
n General Configuration
n Authentication Configuration
n Time Configuration
n SMTP Configuration
n SSL Configuration
n Proxy Configuration
Log Management Can view or manage information corresponding to the selected sub-
categories, in the Log Management page:
n Log Masking
n Log Filtering
n Log Forwarding
n Index Partitions
Administering vRealize Log Insight
VMware, Inc. 23
Permission Description
Integrations Can view or configure the integration of vRealize Log Insight with
the products corresponding to the selected sub-categories, under the
Integration section:
n vSphere Integration
n vROps (vRealize Operations)) Integration
n NSX Integration
n Cloud Integration
Content Packs Can view or manage content packs in the Content Packs page.
Alerts Can view, create, or modify alerts in the Alerts page or perform alert-related
activities from the Explore Logs page.
Explore Logs Can view or modify information corresponding to the selected sub-
categories in the Explore Logs page:
n Explore Logs
n Extracted Fields
n Export
Dashboards Can view or modify information corresponding to the selected sub-
categories in the Dashboards page:
n User Dashboards
n Shared Dashboards
n Content Pack Dashboards
n Shared Dashboard URLs
n Scheduled Reports
6 (Optional) From the Data Sets list, select a data set to associate with the user role.
7 Click Save.
Results
The role appears in the Roles tab of the Access Control page, with information such as name,
description, data sets, and so on.
n To view the user accounts associated with any role, click Show Users against the role.
n To view the permissions associated with any role, click Show Permissions against the role.
What to do next
You can associate a user account or group with the role. For more information, see:
n Create a User Account
n Configure VMware Identity Manager Access to Active Directory Groups for vRealize Log
Insight
n Import an Active Directory Group to vRealize Log Insight
Administering vRealize Log Insight
VMware, Inc. 24
Delete a User Account or Group
You can delete user accounts or groups from the vRealize Log Insight user interface.
User accounts and groups are listed in separate tables on the Access Control page. You can use
a search filter to find specific user accounts. When you delete a group, all users that belong to
the group lose the privileges given to them by the group.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a a role that has the Access control permission with Edit access
level. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Access Control.
2 Click Users.
3 Select the check box beside the user name or group that you want to delete.
4 To remove the account or group, click X DELETE at the top of the User Account or Groups
table.
Administering vRealize Log Insight
VMware, Inc. 25
Configuring Authentication
3
You can use several authentication methods with your deployment.
Authentication methods include local authentication, VMware Identity Manager authentication,
and Active Directory authentication. You can use more than one method in the same deployment
and users then select the type of authentication to use at login.
The download page for vRealize Log Insight includes a download link for the appropriate version
of VMware Identity Manager. VMware Identity Manager includes the following features.
n Directory integration to authenticate users against existing directories such as Active
Directory or LDAP.
n Single Sign-On integration with other VMware products that also support Single Sign-On
capability.
n Single Sign-On with several third-party identity providers such as ADFS, Ping Federate, and
others.
n Two-factor authentication through integration with third-party software such as RSA SecurID,
Entrust, and others. Two-factor authentication with VMware Verify is included.
For more information, see the VMware Identity Manager documentation.
Local authentication is a component of vRealize Log Insight. To use it, you create a local user and
password that is stored on the vRealize Log Insight server. A product administrator must activate
vRealize Log Insight and Active Directory.
This chapter includes the following topics:
n Activate User Authentication Through VMware Identity Manager
n Activate User Authentication Through Active Directory
Activate User Authentication Through VMware Identity
Manager
When activated, VMware Identity Manager authentication can be used with vRealize Log Insight.
With VMware Identity Manager authentication, users can use a single sign-on for all VMware
products that use the same Identity Manager.
VMware, Inc.
26
Active Directory users can also authenticate through VMware Identity Manager when the Active
Directory and VMware Identity Manager servers are synchronized. See VMware Identity Manager
documentation for more information about synchronization.
Integration with VMware Identity Manager can be done only with local users. Active Directory
users who are assigned a tenant admin role in VMware Identity Manager are not eligible for
integration with vRealize Log Insight.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > Authentication.
2 Select Enable Single Sign-On.
3 In the Host text box, enter a host identifier for the VMware Identity Manager instance to use
for authenticating users .
For example, company-name.vmwareidentity.com.
4 In the API Port text box, specify the port to use to connect to the VMware Identity Manager
instance. The default is 443.
5 Optionally, enter the VMware Identity Manager tenant. This is required only if tenant mode is
configured as tenant-in-path in VMware Identity Manager.
6 Specify VMware Identity Manager user credentials in the Username and Password text
boxes.
This information is used only once during configuration for creating a vRealize Log Insight
client onVMware Identity Managerand is not stored locally in vRealize Log Insight. The user
must have permission to run API commands against the tenant.
7 Click Test Connection to verify that the connection works.
8 If the VMware Identity Manager instance provides an untrusted SSL certificate, a dialog
box appears with the details of the certificate. Click Accept to add the certificate to the
truststores of all the nodes in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with
the VMware Identity Manager instance fails. You must accept the certificate for a successful
connection.
Administering vRealize Log Insight
VMware, Inc. 27
9 In the Redirect URL Host drop-down menu, select the Hostname or IP to be used in Redirect
URL for registering on VMware Identity Manager.
If at least one virtual IP is defined for the Integrated Load Balancer,VMware Identity Manager
redirects to the VIP selected. If the Integrated Load Balancer is not configured, the primary
node's IP address is used instead.
10 Select whether to allow log in support for Active Directory users through VMware Identity
Manager.
You can use this option for Active Directory users when VMware Identity Manager is
synchronized with that Active Directory instance.
11 Click Save.
If you did not test the connection and the VMware Identity Manager instance provides an
untrusted certificate, follow the instructions in step 9.
Activate User Authentication Through Active Directory
You can authenticate users through Active Directory to simplify the log in process by letting
users use a common password for multiple purposes.
Child domain access is not supported through Active Directory. This type of access is supported
through VMware Identity Manager only.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > Authentication.
2 Select Enable Active Directory support.
3 In the Default Domain text box, type a domain name.
For example, company-name.com.
Note You cannot list multiple domains in the default domain text box. If the default domain
that you specify is trusted by other domains, vRealize Log Insight uses the default domain
and the binding user to verify Active Directory users and groups in the trusting domains.
Child-domain access with Active Directory is unsupported.
If you switch to a different domain that already includes users and groups, the authentication
fails for the existing users and groups, and data saved by the existing users is lost.
Administering vRealize Log Insight
VMware, Inc. 28
4 If you have geo-located or security-restricted domain controllers, manually specify the
domain controllers closest to this vRealize Log Insight instance.
Note Load-balanced Active Directory authorization servers are not supported.
5 Enter the credentials of a binding user that belongs to the default domain.
vRealize Log Insight uses the default domain and the binding user to verify AD users and
groups in the default domain, and in domains that trust the default domain.
6 Specify values for the connection type.
This connection is used for Active Directory authentication.
7 Click Test Connection to verify that the connection works.
8 If the Active Directory server provides an untrusted SSL certificate, a dialog box appears with
the details of the certificate. Click Accept to add the certificate to the truststores of all the
nodes in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with the
Active Directory server fails. You must accept the certificate for a successful connection.
9 Click Save.
If you did not test the connection and the Active Directory server provides an untrusted
certificate, follow the instructions in step 9.
What to do next
Give permissions to Active Directory users and groups to access the current instance of vRealize
Log Insight.
Configure the Protocol to Use for Active Directory
You can configure the protocol to use when connecting to Active Directory. By default, when
vRealize Log Insight connects to Active Directory, it first tries SSL LDAP, and then non-SSL LDAP
if necessary.
If you want to limit the Active Directory communication to one particular protocol, or want to
change the order of protocols that are tried, you must apply additional configurations in the
vRealize Log Insight virtual appliance.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
n To enable SSH connections, verify that TCP port 22 is open.
Procedure
1 Establish an SSH connection to the vRealize Log Insight virtual appliance and log in as the
root user.
Administering vRealize Log Insight
VMware, Inc. 29
2 Navigate to the following location: /storage/core/loginsight/config
3 Locate the latest configuration file where [number] is the largest: /storage/core/
loginsight/config/loginsight-config.xml#
[number]
4 Copy the latest configuration file: /storage/core/loginsight/config/loginsight-
config.xml#
[number]
5 Increase the [number] and save to the following location: /storage/core/loginsight/
config/loginsight-config.xml#[number + 1]
6 Open the file for editing.
7 In the Authentication section, add the line that corresponds to the configuration that you
want to apply:
Option Description
<ad-protocols value="LDAP" /> For specifically using LDAP without SSL
<ad-protocols value="LDAPS" /> For specifically using LDAP with SSL only
<ad-protocols
value="LDAP,LDAPS" />
For specifically using LDAP first and then using LDAP with SSL.
<ad-protocols
value="LDAPS,LDAP" />
For specifically using LDAPS first and then using LDAP without SSL
When you do not select a protocol, vRealize Log Insight attempts to use LDAP first, and then
uses LDAP with SSL.
8 Save and close the file.
9 Run the service loginsight restart command.
Administering vRealize Log Insight
VMware, Inc. 30
Configuring vRealize Log Insight
4
You can configure and customize vRealize Log Insight to change default settings, network
settings, and modify storage resources. You can also configure system notifications.
This chapter includes the following topics:
n vRealize Log Insight Configuration Limits
n Add a Log Filter Configuration
n Add a Log Mask Configuration
n Configuring Virtual Appliance Settings
n Assign a License to vRealize Log Insight
n Log Storage Policy
n Managing System Notifications
n Add a vRealize Log Insight Log Forwarding Destination
n Configure Log Forwarding to vRealize Log Insight Cloud
n Synchronize the Time on the vRealize Log Insight Virtual Appliance
n Configure the SMTP Server for vRealize Log Insight
n Configure an HTTP Proxy
n Configure a Webhook
n Install a Custom SSL Certificate
n View and Remove SSL Certificates
n Change the Default Timeout Period for vRealize Log Insight Web Sessions
n Retention and Archiving
n Restart the vRealize Log Insight Service
n Power off the vRealize Log Insight Virtual Appliance
n Download a vRealize Log Insight Support Bundle
n Join or Leave the VMware Customer Experience Improvement Program
n Configure STIG Compliance for vRealize Log Insight
VMware, Inc.
31
n Activate FIPS for vRealize Log Insight
vRealize Log Insight Configuration Limits
When you configure vRealize Log Insight, you must stay at or below the supported maximums.
Table 4-1. vRealize Log Insight Configuration Maximums
Item Maximum
Node Configuration
CPU 16 vCPUs
Memory 32 GB
Storage device (vmdk) 2 TB - 512 bytes
Total addressable storage 4 TB (+ OS drive)
A maximum of 4 TB addressable log storage on Virtual Machine Disks
(VMDKs) with a maximum size of 2 TB each. You can have two 2 TB
VMDKs or four 1 TB VMDKs, and so on. When you reach the maximum,
you must scale outward with a larger cluster size instead of adding
more disks to existing VMs.
Syslog connections 750
Cluster Configuration
Nodes 18 (Primary + 17 Workers)
Virtual IP addresses 60
Ingestion per Node
Events per second 15,000 eps
Syslog message length 10 KB (text field)
Ingestion API HTTP POST request 16 KB (text field); 4 MB per HTTP Post request
Integrations
vRealize Operations 1
vSphere vCenter Server 15 per node
Cloud Channel 1
Active Directory domains 1
Email servers 1
DNS servers 2
NTP servers 4
Forwarders 10
Administering vRealize Log Insight
VMware, Inc. 32
Table 4-1. vRealize Log Insight Configuration Maximums (continued)
Item Maximum
Index Partition Configuration
Index partitions 5
Add a Log Filter Configuration
You can add a configuration to drop logs that match the filter criteria you provide.
Dropping logs lets you view only the logs that you require, which is cost-effective, saves storage,
and improves performance.
Note
n A log filter configuration is applied only to the logs that are ingested after you create and
activate the configuration.
n A log filter configuration is applied only to logs with static fields in the filter criteria.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu, click Log Management and then click Log Filtering.
2 Click New Configuration.
3 Enter a unique name for the log filter configuration.
4 Select fields and constraints to define the logs that you want to drop. If you do not select
a filter, all the logs are dropped. To see the results of your filter, click Run in Explore Logs
page.
Operator
Description
Matches Finds strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, *test* matches strings such as test123 or my-test-run.
does not match Excludes strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, test* excludes test123, but not mytest123. ?test*
excludes test123 and xtest123, but not mytest123.
Administering vRealize Log Insight
VMware, Inc. 33
Operator Description
starts with Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
5 The log filter configuration is activated by default. To deactivate the configuration, click the
Enabled toggle button.
6 To activate log forwarding for the logs that match the filter criteria, click the Allow
Forwarding toggle button.
When you click the toggle button and save this configuration, the logs matching the filter
criteria are no longer ingested into the current vRealize Log Insight instance. Instead, they are
sent to the log forwarding or cloud forwarding destination that has the same filter criteria as
your log filter configuration.
You can configure a log forwarding destination in Log Management > Log Forwarding and a
cloud forwarding destination in Log Management > Cloud Forwarding.
7 Click Save.
Results
The log filter configuration appears in the Log Filtering tab with information about the drop
filter and whether it is activated. You can activate or deactivate the configuration by clicking the
Enabled toggle button.
Add a Log Mask Configuration
You can add a configuration to mask sensitive information in all logs or logs that match the filter
criteria you provide.
Note
n A log mask configuration is applied only to the logs that are ingested after you create and
activate the configuration.
n A log mask configuration is applied only to logs in which the
FieldName
field and the filter
criteria have static fields.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 34
Procedure
1 Expand the main menu, click Log Management and then click Log Masking.
2 Click New Configuration.
3 Enter a unique name for the log mask configuration.
4 In the Field Name drop-down menu, select the field that you want to mask in the logs.
5 In the Selector text box, enter the regex selector for the field value, which indicates the part
of the field that you want to mask.
You must express this value as a capture group in the regex. Capture groups are identified
with enclosed parentheses (). You can have multiple capture groups inside a selector. To
mask all the content for a specified field, you can set the selector as (.*).
6 In the Mask Value text box, enter a value to replace the masked content of the specified
fields, the default value for which is an empty string.
7 Click Add Filter to define the logs for which you want to mask information. If you do not
add a filter, all the logs are masked. To see the results of your filter, click
Run in Explore Logs
page.
Operator
Description
Matches Finds strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, *test* matches strings such as test123 or my-test-run.
does not match Excludes strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, test* excludes test123, but not mytest123. ?test*
excludes test123 and xtest123, but not mytest123.
starts with Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
8 The log mask configuration is activated by default. To deactivate the configuration, click the
Enabled toggle button.
9 Click Save.
Results
The log mask configuration appears in the Log Masking tab with information about whether
it is activated, the logs to which it is applied, and so on. You can activate or deactivate the
configuration by clicking the Enabled toggle button.
Administering vRealize Log Insight
VMware, Inc. 35
Configuring Virtual Appliance Settings
You can modify virtual appliance settings, including storage capacity and memory or CPU
capacity.
Configure the Root SSH Password for the vRealize Log Insight Virtual
Appliance
You can configure the root SSH password from the VMware Remote Console or when you
deploy the vRealize Log Insight virtual appliance.
By default, the SSH connection to the vRealize Log Insight virtual appliance is activated. To SSH
to the virtual instance, you must configure the root password.
As a best practice, you must also set the root SSH password when you deploy thevRealize Log
Insight .ova file. For more information, see Deploy the vRealize Log Insight Virtual Appliance.
To activate SSH and set the root password from the VMware Remote Console, perform the
following steps:
Prerequisites
Verify that the vRealize Log Insight virtual appliance is deployed and running.
Procedure
1 In the vSphere Client inventory, click the vRealize Log Insight virtual appliance, and open the
Console tab.
2 Go to a command line by following the key combination specified on the splash screen.
3 In the console, type root, and press Enter. Leave the password empty and press Enter
again.
The following message is displayed in the console: Password change requested. Choose
a new password.
4 Leave the old password empty and press Enter.
5 Type a new password for the root user, press Enter, type the new password again for the
root user, and press Enter again.
The password must consist of at least eight characters, and must include at least one upper
case letter, one lower case letter, one digit, and one special character. You cannot repeat the
same character more than four times.
Results
The following message is displayed: Password changed.
Administering vRealize Log Insight
VMware, Inc. 36
What to do next
You can use the root password to establish SSH connections to the vRealize Log Insight virtual
appliance.
To troubleshoot issues in configuring the root SSH password, see the KB articles:
n https://kb.vmware.com/s/article/53649
n https://kb.vmware.com/s/article/90831
Change the Network Settings of the vRealize Log Insight Virtual
Appliance
You can change the network settings of the vRealize Log Insight virtual appliance by following
the steps described in https://kb.vmware.com/s/article/87992 and https://kb.vmware.com/s/
article/91258.
Note In a multi-node cluster, you must perform operations such as shutting down, adding
storage, and restarting, on one node at a time.
Increase the Storage Capacity of the vRealize Log Insight Virtual
Appliance
You can increase the storage resources allocated to vRealize Log Insight as your needs grow.
To increase the storage space of a vRealize Log Insight virtual appliance, you must add a new
virtual disk to the virtual appliance. This is the only supported option.
Instead of adding numerous smaller disks, It is recommended that you add fewer large disks of
up to 4 TB (+ OS drive) total addressable storage. The total can be a combination of two 2-TB
disks, or four 1-TB disks, and so on. To learn more, see vRealize Log Insight Configuration Limits.
Note
n You must add the same amount of storage to each node in a vRealize Log Insight cluster.
n In a multi-node cluster, you must perform operations such as shutting down, adding storage,
and restarting, on one node at a time.
Prerequisites
n Log in to the vSphere Client as a user who has privileges to modify the hardware of virtual
machines in the environment.
n Shut down the vRealize Log Insight virtual appliance safely. See Power off the vRealize Log
Insight Virtual Appliance
Procedure
1 In the vSphere Client inventory, right-click the vRealize Log Insight virtual machine and select
Edit Settings.
Administering vRealize Log Insight
VMware, Inc. 37
2 On the Hardware tab, click Add.
3 Select Hard Disk and click Next.
4 Select Create a new virtual disk and click Next.
a Type the disk capacity.
vRealize Log Insight supports virtual hard disks of up to 2 TB. If you need more capacity,
add more than one virtual hard disk.
b Select a disk format.
Option Description
Thick Provision Lazy Zeroed Creates a virtual disk in the default thick format. The space required
for the virtual disk is allocated when the virtual disk is created. The
data residing on the physical device is not erased during creation, but
is zeroed out on demand later, after first write from the virtual appliance.
Thick Provision Eager Zeroed Creates a type of thick virtual disk that supports clustering features such
as Fault Tolerance. The space required for the virtual disk is allocated
at creation time. In contrast to the flat format, the data residing on the
physical device is zeroed out when the virtual disk is created. It might
take much longer to create disks in this format than to create other types
of disks.
Create thick provisioned eager zeroed disks whenever possible for better
performance and operation of the vRealize Log Insight virtual appliance.
Thin Provision Creates a disk in thin format. Use this format to save storage space.
c (Required) To select a datastore, browse for the datastore location and click Next.
5 Accept the default virtual device node and click Next.
6 Review the information and click Finish.
7 Click OK to save your changes and close the dialog box.
Results
When you power on the vRealize Log Insight virtual appliance, the virtual machine discovers
the new virtual disk and automatically adds it to the default data volume. Completely power
off the virtual machine first. For information about powering on virtual appliances, see https://
www.vmware.com/support/pubs/vsphere-esxi-vcenter-server-6-pubs.html.
Caution After you add a disk to the virtual appliance, you cannot remove it safely. Removing
disks from the vRealize Log Insight virtual appliance may result in complete data loss.
Add Memory and CPU to the vRealize Log Insight Virtual Appliance
You can change the amount of memory and CPUs allocated to a vRealize Log Insight virtual
appliance after deployment.
Administering vRealize Log Insight
VMware, Inc. 38
You might need to adjust resource allocation if, for example, the number of events in your
environment increases.
Note In a multi-node cluster, you must perform operations such as shutting down, adding
storage, and restarting, on one node at a time.
Prerequisites
n Log in to the vSphere Client as a user who has privileges to modify the hardware of virtual
machines in the environment.
n Shut down the vRealize Log Insight virtual appliance safely. See Power off the vRealize Log
Insight Virtual Appliance
Procedure
1 In the vSphere Client inventory, right-click the vRealize Log Insight virtual machine and select
Edit Settings.
2 On the Hardware tab, click Add.
3 Adjust the amount of CPU and memory as needed.
4 Review the information and click Finish.
5 Click OK to save your changes and close the dialog box.
Results
When you power on the vRealize Log Insight virtual appliance, the virtual machine begins to
utilize the new resources.
Assign a License to vRealize Log Insight
You can use vRealize Log Insight only with a valid license key.
You obtain an evaluation license when you download vRealize Log Insight from the VMware
website. This license is valid for 60 days. When the evaluation license expires, you must assign a
permanent license to continue using vRealize Log Insight.
The vRealize Log Insight Operating System Instance (OSI) license model defines an OSI as a
single installation of an operating system on a non-virtualized physical server or virtual machine.
For vRealize Log Insight, an OSI can also be a single system identified by an IP address such as
virtualized physical servers, storage arrays, or network devices that can generate log messages.
When a host, server or other source stops sending logs to vRealize Log Insight, the OSI count
on the License page is unchanged during the retention period. The retention period is based on
license use calculated as the average of the OSI count over the last three months.
You use the Management section of the vRealize Log Insight web user interface to check the
vRealize Log Insight licensing status and manage your licenses.
Administering vRealize Log Insight
VMware, Inc. 39
As part of solution interoperability, VMware NSX users on Standard, Advanced, or Enterprise
editions can license vRealize Log Insight with their NSX license key. For more information, consult
VMware NSX documentation.
Prerequisites
n Obtain a valid license key from My VMware
™
.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > License.
2 In the License Key text box, enter your license key and click Set Key. If you have a VMware
NSX license key, enter it here.
3 Verify that the license status is Active, and the license type and expiry day are correct.
Log Storage Policy
The vRealize Log Insight virtual appliance uses a minimum of 100 GB of storage for incoming logs.
When the volume of logs imported into vRealize Log Insight reaches the storage limit, old log
messages are automatically and periodically retired on a first-come-first-retired basis. You can
increase the storage limit by adding more storage to the vRealize Log Insight virtual appliance.
See Increase the Storage Capacity of the vRealize Log Insight Virtual Appliance.
To preserve old messages, you can enable the archiving feature of vRealize Log Insight. See Data
Archiving.
Data stored by vRealize Log Insight is immutable. After a log has been imported, it cannot be
removed until it is automatically retired.
Managing System Notifications
vRealize Log Insight provides built-in system notifications about activity related to vRealize Log
Insight health, such as when disk space is almost exhausted and old log files are about to be
deleted.
System notifications inform you of critical issues that require immediate attention, provide you
with warnings that might require a response, and inform you of normal system activity. System
notifications are suspended during upgrade, but in effect at all other times.
To view system notifications, expand the main menu and navigate to Alerts > System Alerts.
With appropriate permissions, you can activate or deactivate the notifications. For more
information, see View and Manage Alerts in
Using vRealize Log Insight
.
Administering vRealize Log Insight
VMware, Inc. 40
You can specify where system notifications are sent by navigating to Configuration > General.
System notifications concerning vRealize Log Insight can also be sent to third-party applications.
vRealize Log Insight System Notifications
vRealize Log Insight provides you with two sets of notifications about system health, general
notifications, applicable for all product configurations, and notifications related to clusters for
cluster-based deployments.
To view system notifications, expand the main menu and navigate to Alerts > System Alerts.
With appropriate permissions, you can activate or deactivate the notifications. For more
information, see View and Manage Alerts in
Using vRealize Log Insight
.
Note In this topic, an Admin user refers to a user associated with the Super Admin role, or a role
that has the relevant permissions, as described in Create and Modify Roles.
The following tables list and describe system notifications for vRealize Log Insight.
General System Notifications
vRealize Log Insight issues notifications about conditions that might require administrative
intervention, including archival failure or alert scheduling delays.
Notification Name
Description
Oldest data will be unsearchable soon vRealize Log Insight is expected to start decommissioning old data
from the virtual appliance storage based on the expected size of
searchable data, storage space, and the current ingestion rate.
Data that has been rotated out is archived if you have configured
archiving, or deleted if you have not.
To address this, add storage or adjust the retention notification
threshold. For more information, see Configure vRealize Log Insight
to Send Health Notifications.
The notification is sent after each restart of the vRealize Log Insight
service.
Repository retention time A retention period is the length of time data is retained on the
local disk of your vRealize Log Insight instance. A retention period
is determined by the amount of data the system can hold and the
current ingestion rate. For example, if you are receiving 10 GB/day
of data (after indexing) and you have 300 GB of space, then your
retention rate is 30 days.
When your storage limit is reached, old data is removed to make
way for newly ingested data. This notification tells you when the
amount of searchable data that vRealize Log Insight can store
at the current ingestion rates exceeds the storage space that is
available on the virtual appliance.
You might run out of storage before the time period set with
the Retention Notification Threshold. Add storage or adjust the
retention notification threshold.
Administering vRealize Log Insight
VMware, Inc. 41
Notification Name Description
Dropped events vRealize Log Insight failed to ingest all incoming log messages.
n If a TCP Message drops, as tracked by vRealize Log Insight
server, a system notification is sent as follows:
n Once a day
n Each time the vRealize Log Insight service is restarted,
manually or automatically
n The email contains the number of messages dropped since last
notification email was sent and total message drops since the
last restart of vRealize Log Insight.
Note The time in the sent line is controlled by the email client,
and is in the local time zone, while the email body displays the UTC
time.
Corrupt index buckets Part of the on-disk index is corrupt. A corrupt index usually
indicates serious issues with the underlying storage system. The
corrupt part of the index is excluded from serving queries. A
corrupt index affects the ingestion of new data. vRealize Log Insight
checks the integrity of the index upon service start-up. If corruption
is detected, vRealize Log Insight sends a system notification as
follows:
n Once a day
n Each time the vRealize Log Insight service is restarted, manually
or automatically
Out of disk vRealize Log Insight is running out of allocated disk space. vRealize
Log Insight has most probably run into a storage-related issue.
Archive space will be full The disk space on the NFS server used for archiving vRealize Log
Insight data will be used up soon. If the amount of archived data
that the NFS server can hold at the current ingestion rate is less
than seven days, a system notification is sent. For example, if you
are archiving with a disk consumption rate of 708.9 MB per day
of data and you have 2000 MB space, you have about three days
of capacity, which is less than the threshold. In this case, you will
receive a notification that you are below this capacity.
Total disk space change The total size of the partition for the vRealize Log Insight data
storage has decreased. This notification usually signals a serious
issue in the underlying storage system. When vRealize Log Insight
detects the condition, it sends this notification as follows:
n Immediately
n Once a day
Pending archivings vRealize Log Insight cannot archive data as expected. The
notification usually indicates problems with the NFS storage that
you configured for data archiving.
Allocated log record storage volume reached
75 percent of the maximum log record storage
capacity
vRealize Log Insight is configured to ensure STIG compliance, and
the allocated log record storage volume reaches 75 percent of the
maximum log record storage capacity of the repository.
Note This notification is sent per node.
License is about to expire The license for vRealize Log Insight is about to expire.
Administering vRealize Log Insight
VMware, Inc. 42
Notification Name Description
License is expired The license for vRealize Log Insight has expired.
SSL certificate is about to expire The SSL certificate for the vRealize Log Insight cluster will expire in
30 days.
Unable to connect to AD server vRealize Log Insight is unable to connect to the configured Active
Directory server.
Cannot take over High Availability IP address
[IP Address] as it is already held by another
machine
The vRealize Log Insight cluster was unable to take over the
configured IP Address for the Integrated Load Balancer (ILB). The
most common reason for this notification is that another host
within the same network holds the IP address, and therefore the
IP address is not available to be taken over by the cluster.
You can resolve this conflict by either releasing the IP address from
the host that currently holds it, or configuring Log Insight Integrated
Load Balancer with a Static IP address that is available in the
network. When changing the ILB IP address, you must reconfigure
all clients to send logs to the new IP address, or to a FQDN/URL
that resolves to this IP address. You must also unconfigure and
reconfigure every vCenter Server integrated with vRealize Log
Insight from the vSphere integration page.
High Availability IP address [IP Address] is
unavailable due to too many node failures
The IP Address configured for the Integrated Load Balancer (ILB)
is unavailable. Clients trying to send logs to a vRealize Log Insight
cluster through the ILB IP address or a FQDN/URL that resolves
to this IP address will see it as unavailable. The most common
reason for this notification is that most of the nodes in the vRealize
Log Insight cluster are unhealthy, unavailable, or unreachable from
the primary node. Another common reason is that NTP time
synchronization has not been activated, or the configured NTP
servers have a significant time drift between each other. You can
confirm that the problem is still ongoing by trying to ping (if
allowed) the IP address to verify that it is not reachable.
You can resolve this problem by ensuring that most of your
cluster nodes are healthy and reachable, and enabling NTP time
synchronization to accurate NTP servers.
Too many migrations of High Availability IP
address [your IP Address] between vRealize Log
Insight nodes
The IP address configured for the Integrated Load Balancer (ILB)
has migrated too many times within the last 10 minutes.
Under normal operation, the IP address rarely moves between
vRealize Log Insight cluster nodes. However, the IP address might
move if the current owner node is restarted or put in maintenance.
The other reason can be the lack of time synchronization between
Log Insight cluster nodes, which is essential for proper cluster
functioning. For the latter, you can fix the problem by enabling NTP
time synchronization to accurate NTP servers.
Administering vRealize Log Insight
VMware, Inc. 43
Notification Name Description
SSL certificate error A syslog source has initiated a connection to vRealize Log Insight
over SSL but ended the connection abruptly. This notification
might indicate that the syslog source was unable to confirm the
validity of the SSL certificate. In order for vRealize Log Insight to
accept syslog messages over SSL, a certificate that is validated
by the client is required and the clocks of the systems must be
synchronized. There might be a problem with the SSL Certificate or
with the Network Time Service.
You can validate that the SSL Certificate is trusted by your syslog
source, reconfigure the source not to use SSL, or reinstall the
SSL Certificate. See Configure the vRealize Log Insight Agent SSL
Parameters and Install a Custom SSL Certificate.
vCenter collection failed vRealize Log Insight is unable to collect vCenter events, tasks, and
alarms. To look for the exact error that caused the collection failure
and to see if collection is working currently, look in the /var/log/
vmware/loginsight/plugins/vsphere/li-vsphere.log file.
vCenter Kubernetes Service event collection
failed
vRealize Log Insight is unable to collect vCenter Kubernetes
System events, tasks, and alarms. To look for the exact error that
caused the collection failure and to see if collection is working
currently, look in the /var/log/vmware/loginsight/plugins/
vsphere/li-vsphere.log file.
Event forwarder events dropped A forwarder drops events because of connection or overload
problems.
Example:
Log Insight Admin Alert: Event Forwarder Events
Dropped
This alert is about your Log Insight installation
on https://<your_url>
Event Forwarder Events Dropped triggered at
2016-08-02T18:41:06.972Z
Log Insight just dropped 670 events for forwarder
target 'Test',
reason: Pending queue is full.
Alert queries behind schedule vRealize Log Insight was unable to run a user-defined alert at its
configured time. The reason for the delay might be because of one
or more inefficient user-defined alerts or because the system is not
properly sized for the ingestion and query load.
Auto deactivated alert If a user-defined alert has run at least 10 times and its average run
time is more than one hour, the alert is considered inefficient and is
deactivated to prevent impacting other user-defined alerts.
Inefficient alert query If a user-defined alert takes more than one hour to finish, then the
alert is deemed to be inefficient.
New user created or user logged in for the first
time
vRealize Log Insight is configured to ensure STIG compliance, and
a new user is created or an Active Directory or VMware Identity
Manager user logs in for the first time.
Administering vRealize Log Insight
VMware, Inc. 44
System Notifications for Clusters
vRealize Log Insight sends notifications about cluster topology changes, including the addition of
new cluster members or transient node communication problems.
Sent by Notification Name Description
Primary node Approval needed for new worker
node
A worker node is sending a request
to join a cluster. An Admin user must
approve or reject the request.
Primary node New worker node approved An Admin user approved a
membership request from a worker
node to join a vRealize Log Insight
cluster.
Primary node New worker node denied An Admin user rejected a membership
request from a worker node to join
a vRealize Log Insight cluster. If the
request was denied by mistake, an
Admin user can place the request
again from the worker and then
approve it at the primary node.
Primary node Maximum supported nodes exceeded
due to worker node
The number of worker nodes in the
Log Insight cluster has exceeded the
maximum supported count due to a
new worker node.
Primary node Allowed nodes exceeded, new
worker node denied
An user attempted to add more nodes
to the cluster than the maximum
allowed node count and the node has
been denied.
Primary node Worker node disconnected A previously connected worker node
disconnected from the vRealize Log
Insight cluster.
Primary node Worker node reconnected A worker node reconnected to the
vRealize Log Insight cluster.
Primary node Worker node revoked by An Admin user revoked a worker node
membership and the node is no longer
a part of the vRealize Log Insight
cluster.
Primary node Unknown worker node rejected The vRealize Log Insight primary
node rejected a request by a worker
node because the worker node is
unknown to the primary. If the worker
is a valid node and it should be
added to the cluster, log in to the
worker node, remove its token file
and user configuration at /storage/
core/loginsight/config/, and run
restart loginsight service on
the worker node.
Administering vRealize Log Insight
VMware, Inc. 45
Sent by Notification Name Description
Primary node Worker node has entered into
maintenance mode
A worker node entered into
maintenance mode and an Admin
user has to remove the worker node
from maintenance mode before it
can receive configuration changes and
serve queries.
Primary node Worker node has returned to service A worker node exited maintenance
mode and returned to service.
Worker node Primary failed or disconnected from
worker node
The worker node that sends the
notification is unable to contact the
vRealize Log Insight primary node.
This notification might indicate that the
primary node failed, and might need to
be restarted. If the primary node failed,
the cluster cannot be configured and
queries cannot be submitted until it is
back online. Worker nodes continue to
ingest messages.
Note You might receive many such
notifications because many workers
might detect the primary node failure
independently and raise notifications.
Worker node Primary connected to worker node The worker node that sends the
notification is reconnected to the
vRealize Log Insight primary node.
Configuring Destinations for vRealize Log Insight System
Notifications
You can configure the action that vRealize Log Insight takes when a system notification is
triggered.
vRealize Log Insight generates system notifications when an important system event occurs, for
example when the disk space is almost exhausted and vRealize Log Insight must begin deleting
or archiving old log files.
Super Admin users and users with the relevant permissions can configure vRealize Log Insight
to send email notifications about these events. The From address of system notification emails
is configured on the SMTP configuration page, in the Sender text box. See Configure the SMTP
Server for vRealize Log Insight.
You can also send notifications to third-party applications. See Configure a Webhook.
Configure vRealize Log Insight to Send Health Notifications
You can configure vRealize Log Insight to send notifications related to its own health.
If an email message cannot be delivered, you are notified of the error on the Web interface.
Administering vRealize Log Insight
VMware, Inc. 46
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
n Verify that the SMTP server is configured for vRealize Log Insight. For more information, see
Configure the SMTP Server for vRealize Log Insight.
Procedure
1 Expand the main menu and navigate to Configuration > General.
2 Under the Alerts header, set the system notifications.
a In the Email System Notifications To text box, type the email addresses to be notified.
Use commas to separate multiple email addresses.
b Select the Retention notification threshold check box and set the threshold that triggers
the notifications.
A notification is sent when the amount of data the system can hold is insufficient for the
time period specified. This value is calculated based on the current ingestion rate.
3 Click Save.
4 Click Restart Log Insight to apply your changes.
Configure vRealize Log Insight System Notifications for Third-Party Products
You can configure vRealize Log Insight to send notifications related to its own health to third-
party applications.
vRealize Log Insight generates these notifications when an important system event occurs, for
example when the disk space is almost exhausted and vRealize Log Insight must start deleting
old log files.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > General.
Administering vRealize Log Insight
VMware, Inc. 47
2 Under the Alerts header, set the system notifications.
a In the Send HTTP Post System Notifications To text box, type the URLs to be notified.
b (Optional) Confirm that the Send a notification when capacity drops below check box
and associated threshold are configured correctly for your environment.
3 Click Save.
What to do next
Configure a webhook to send notifications to your third-party application. For more information,
see Configure a Webhook.
Webhook Format for a System Notification
The format of a vRealize Log Insight webhook depends on the type of query from which it is
created. System notifications, user alert message queries, and alerts generated from aggregate
user queries each have a different webhook format.
Note To configure vRealize Log Insight to send system notifications, you must be a user
associated with the Super Admin role, or a role with the relevant permissions. For more
information, see
Create and Modify Roles.
Webhook Format for System Notifications
The following example shows the vRealize Log Insight webhook format for system notifications.
{
"AlertName":" Admin Alert: Worker node has returned to service (Host =
127.0.0.2)",
"messages":[
{
"text":"This notification was generated from Log Insight node (Host =
127.0.0.2,
Node Identifier = a31cad22-65c2-4131-8e6c-27790892a1f9).
A worker node has returned to service after having been in maintenance mode.
The Log Insight primary node reports that worker node has finished maintenance
and exited maintenance mode. The node will resume receiving configuration
changes and
serving queries. The node is also now ready to start receiving incoming log
messages."
"timestamp":1458665320514,"fields":[]
}
]
}
Administering vRealize Log Insight
VMware, Inc. 48
Add a vRealize Log Insight Log Forwarding Destination
You can configure a vRealize Log Insight server to forward incoming log events to a syslog or
Ingestion API target.
Use log forwarding to send filtered or tagged logs to one or more remote destinations such as
vRealize Log Insight or syslog or both. Log forwarding can be used to support existing logging
tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.
Log forwarders can be standalone or clustered, but a log forwarder is a separate instance from
the remote destination. Instances configured for log forwarding also store logs locally and can be
used to query data.
The operators you use to create filters on the Log Forwarding page are different from the filters
used on the Explore Logs page. See Using Log Management Filters in Explore Logs for more
information about using the Run in Explore Logs page menu item to preview the results of your
log filter.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Verify that the destination can handle the number of logs that are forwarded. If the destination
cluster is much smaller than the forwarding instance, some logs might be dropped.
Procedure
1 Expand the main menu, click Log Management and then click Log Forwarding.
2 Click New Destination and provide the following information.
Option
Description
Name A unique name for the new destination.
Host The IP address or fully qualified domain name.
Caution A forwarding loop is a configuration in which a vRealize Log
Insight cluster forwards logs to itself, or to another cluster, which then
forwards the logs back to the original cluster. Such a loop might create an
indefinite number of copies of each forwarded log. The vRealize Log Insight
Web interface does not permit you to configure a log to be forwarded to
itself. But vRealize Log Insight is not able to prevent an indirect forwarding
loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B
forwarding the same logs back to A. When creating forwarding destinations,
take care not to create indirect forwarding loops.
Administering vRealize Log Insight
VMware, Inc. 49
Option Description
Protocol Ingestion API, syslog, or RAW. The default value is Ingestion API (CFAPI).
When logs are forwarded using the Ingestion API, the log's original source
is preserved in the source field. When logs are forwarded using syslog, the
log's original source is lost and the receiver can record the message's source
as the vRealize Log Insight forwarder's IP address or hostname. When logs
are forwarded using RAW, the behavior is similar to syslog, but syslog
RFC-compliance is not ensured. RAW forwards a log exactly the way it is
received, without a custom syslog header added by vRealize Log Insight.
This protocol is useful for third-party destinations, because they expect
syslog events in their original form.
Note The source field might have different values depending on the
protocol selected on the Log Forwarder:
a For the ingestion API, the source is the initial sender's (the log originator)
IP address.
b For syslog and RAW, the source is the Log Forwarder's vRealize Log
Insight instance IP address.
Use SSL You can optionally secure the connection with SSL for the ingestion API
or syslog. If the SSL certificate provided by the forwarding destination
is untrusted, you can accept the certificate when you test or save this
configuration.
Tags You can optionally add tag pairs with predefined values. Tags permit you to
more easily query logs. You can add multiple comma-separated tags.
Forward Complementary tags You can select whether to forward complementary tags for syslog.
Complementary tags are tags added by the cluster itself, such as
'vc_username' or 'vc_vmname.' and can be forwarded with the tags coming
directly from sources. Complementary tags are always forwarded when
Ingestion API is used.
Transport Select a transport protocol for syslog. You can select UDP or TCP.
3 To control which logs are forwarded, click Add Filter.
Select fields and constraints to define the desired logs. Only static fields are available for use
as filters. If you do not select a filter, all logs are forwarded. You can see the results of the
filter you are building by clicking Run in Explore Logs page.
Operator
Description
Matches Finds strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, *test* matches strings such as test123 or my-test-run.
does not match Excludes strings that match the string and wildcard specification, where *
means zero or more characters and ? means zero or any single character.
Prefix and postfix globbing is supported.
For example, test* excludes test123, but not mytest123. ?test*
excludes test123 and xtest123, but not mytest123.
Administering vRealize Log Insight
VMware, Inc. 50
Operator Description
starts with Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
4 (Optional) To modify the following forwarding information, click Show Advanced Settings.
Option Description
Port The port to which logs are sent on the remote destination. The default value
is set based on the protocol. Do not change unless the remote destination
listens on a different port.
Worker Count The number of simultaneous outgoing connections to use. Set a higher
worker count for a higher network latency to the forwarded destination and
for a greater number of forwarded logs per second. The default value is 8.
5 To verify your configuration, click Test.
6 If the forwarding destination provides an untrusted SSL certificate, a dialog box appears with
the details of the certificate. Click Accept to add the certificate to the truststores of all the
nodes in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with the
forwarding destination fails. You must accept the certificate for a successful connection.
7 Click Save.
If you did not test the configuration and the destination provides an untrusted certificate,
follow the instructions in step 7.
What to do next
You can edit or clone a log forwarding destination. If you edit the destination to change a log
forwarder name, all statistics are reset.
Using Log Management Filters in Explore Logs
Operators used in log management filters and operators used in filters in Explore Logs do not
have a one-to-one correspondence by name. However, you can select operators that produce
similar results for both formats.
This difference is important when you use the Run in Explore Logs page menu item from the
following tabs in the Log Management page:
n Log Masking
n Log Filtering
n Log Forwarding
n Cloud Forwarding
Administering vRealize Log Insight
VMware, Inc. 51
n Index Partitions
For example, if you have a log management filter of matches *foo* and select the menu item
Run in Explore Logs page, the Explore Logs query equates the log management filter to match
regexp ^.*foo.*$, which might not match all the same log events.
Another example is matches foo, which when run on Explore Logs is treated as contains foo.
Because the Explore Logs function also searches keyword queries,
contains foo is likely to match
more events than matches foo.
You can change the operators used by Explore Logs to address these differences.
n Change the contains operator to matches regex.
n Change occurrences of * from log management filters to .* and prefix filter terms with .*. For
example, change the event filter expression matches *foo* to matches regex .*foo.* for
Explore Logs.
n For the does not match operator from event filters, you can use the matches regex operator
with a regex look ahead value. For example, does not match *foo* is equivalent to matches
regex .*(?!foo).*
Configure Log Forwarding to vRealize Log Insight Cloud
Add a cloud forwarder to forward logs from a vRealize Log Insight server to vRealize Log Insight
Cloud without using a Cloud Proxy.
Use cloud forwarding to send filtered or tagged events to vRealize Log Insight Cloud. Cloud
forwarding lets you consolidate logging over different networks and eventually concentrate data
in vRealize Log Insight Cloud.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu, click Log Management, and then click Cloud Forwarding.
2 Click New Forwarder and provide the following information.
Option
Description
Name A unique name for the cloud forwarder.
Note Once you assign a name for the forwarder, you cannot modify the
name.
Cloud channel Select a cloud channel to use in your cloud forwarder. For more information,
see Add a Cloud Channel.
Administering vRealize Log Insight
VMware, Inc. 52
Option Description
Tags Optionally, add tag pairs with predefined values. Tags let you query logs
easily. You can add multiple comma-separated tags.
Filter Control which logs are forwarded to vRealize Log Insight Cloud.
Select static fields and constraints to define the desired logs. If you do not
select a filter, all logs are forwarded. You can see the results of the filter you
are building by clicking Run in Explore Logs page.
For information about using filters in a cloud forwarder, see Using Log
Management Filters in Explore Logs.
3 (Optional) To modify additional cloud forwarding information, click Show Advanced Settings.
Option Description
Worker Count The number of simultaneous outgoing connections to use. Set a higher
worker count for a higher network latency to vRealize Log Insight Cloud and
for a greater number of forwarded logs per second. The default value is 16.
4 Click Save.
Results
The relevant logs are forwarded to the vRealize Log Insight Cloud service. You can query these
logs in the Explore Logs page of the service.
Add a Cloud Channel
Add a cloud channel to forward logs from a vRealize Log Insight server to vRealize Log Insight
Cloud without using a Cloud Proxy.
Note You can add only one cloud channel in vRealize Log Insight.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu, click Integrations, and then click Cloud Connection.
2 Click Add New.
Administering vRealize Log Insight
VMware, Inc. 53
3 Provide the following information.
Option Description
Cloud Channel Name A unique name for the cloud channel.
Note Once you assign a name for the channel, you cannot modify the
name.
Cloud URL The API URL that appears in the pop-up window when you generate an API
key in vRealize Log Insight Cloud. For more information, see Securing Logs
with API Keys in
Using vRealize Log Insight Cloud
.
Cloud Key The API key generated in vRealize Log Insight Cloud.
Note
n The API key is unique for each connection and must not be used
anywhere else.
n When you regenerate the API key in vRealize Log Insight Cloud, ensure
that you update it here too.
4 Click Save.
What to do next
Use your cloud channel to configure a log forwarder to vRealize Log Insight Cloud. For more
information, see Configure Log Forwarding to vRealize Log Insight Cloud.
Synchronize the Time on the vRealize Log Insight Virtual
Appliance
You must synchronize the time on the vRealize Log Insight virtual appliance with an NTP server or
with the ESX/ESXi host on which you deployed the virtual appliance.
Time is critical to the core functionality of vRealize Log Insight.
By default, vRealize Log Insight synchronizes time with a pre-defined list of public NTP servers.
If public NTP servers are not accessible due to a firewall, you can use the internal NTP server of
your company. If no NTP servers are available, you can sync time with the ESX/ESXi host where
you have deployed the vRealize Log Insight virtual appliance.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > Time.
Administering vRealize Log Insight
VMware, Inc. 54
2 From the Sync time with drop-down menu, select the time source.
Option Description
NTP server Synchronizes the time on the vRealize Log Insight virtual appliance with one
of the listed NTP servers.
ESX/ESXi host Synchronizes the time on the vRealize Log Insight virtual appliance with the
ESX/ESXi host on which you have deployed the virtual appliance.
3 (Optional) If you selected NTP server synchronization, list the NTP server addresses, and click
Test.
Note Testing the connection to NTP servers might take up to 20 seconds per server.
4 Click Save.
Configure the SMTP Server for vRealize Log Insight
You can configure an SMTP to allow vRealize Log Insight to send email notifications.
System notifications are generated when vRealize Log Insight detects an important system event,
for example when the storage capacity on the virtual appliance reaches the thresholds that you
set.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > SMTP.
2 Enter the SMTP server address and port number.
3 If the SMTP server uses an encrypted connection, select the encryption protocol.
4 In the Sender text box, type an email address to use when sending system notifications.
The Sender address appears as the From address in system notification emails. It need not
be a real address, and can be something that represents the specific instance of vRealize Log
Insight. For example, [email protected].
5 Type a user name and password to authenticate with the SMTP server when sending system
notifications.
6 Type a destination email and click Send Test Email to verify the connection.
Administering vRealize Log Insight
VMware, Inc. 55
7 If the SMTP server provides an untrusted SSL certificate, a dialog box appears with the details
of the certificate. Click Accept to add the certificate to the truststores of all the nodes in the
vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with the
SMTP server fails. You must accept the certificate for a successful connection.
8 Click Save.
If you did not test the connection and the SMTP server provides an untrusted certificate,
follow the instructions in step 7.
Configure an HTTP Proxy
If your vRealize Log Insight appliance is restricted to the public network or the intranet, you can
configure an HTTP proxy to let vRealize Log Insight send webhook notifications to endpoints
such as Slack, PagerDuty, vRO, or a custom endpoint, which can be accessed through an isolated
network.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > Proxy.
2 Click ADD NEW HTTP PROXY.
3 In the Name text box, enter a unique name for your proxy.
4 In the Host/IP text box, enter the FQDN or IP address of your proxy server.
5 In the Proxy Port text box, enter the port of your proxy server.
6 In the Username and Password text boxes, enter the username and password for
authentication with your proxy server while sending webhook notifications.
7 To verify that the connection with your proxy works, click Test.
8 Click Save.
What to do next
You can use this HTTP proxy when you configure a webhook to send alert notifications. For more
information, see Configure a Webhook.
Note The cache settings on the proxy determines the validation frequency of the username and
password.
Administering vRealize Log Insight
VMware, Inc. 56
Configure a Webhook
You can configure a webhook to send alert notifications to a remote web server. Webhooks
provide notifications over HTTP POST/PUT.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
n If you are creating a webhook with a vRealize Orchestrator (vRO) endpoint, ensure that
you have created a workflow in vRealize Orchestrator. For more information, see Create
Workflows in the vRealize Orchestrator Client.
Procedure
1 Expand the main menu and navigate to Alerts > Webhook.
2 Click New Webhook.
3 In the Name text box, enter a name for the webhook.
4 Enter the following information.
Option
Description
Endpoint Select the endpoint to which you want to send the notification, for example,
Slack, Pager Duty, vRO, or a custom endpoint. Based on the selected
endpoint type:
n The user interface provides additional input options.
n The user interface populates the webhook payload with a predefined
template, which you can customize according to your requirement.
Log Payload Select whether you want to send one webhook notification for each result
matching the corresponding alert query or one notification for all matching
results.
n To send one webhook notification for each matching result, select
Individual Logs.
Note If you select this option, you can send up to 10 notifications.
n To send one webhook notification for all matching results, select Log
Stream.
Webhook URL Enter the URL for the remote web server where you want to post the
webhook notifications. The URL format changes based on your endpoint
selection. The sample format is provided in the text box.
Note In a vRO endpoint URL, you must include the ID of the corresponding
workflow created in vRealize Orchestrator.
After entering the URL, click Test Alert to verify the connection.
You can enter multiple webhook URLs separated by a blank space.
Administering vRealize Log Insight
VMware, Inc. 57
Option Description
Web Proxy If you have Configure an HTTP Proxy, select a proxy from the drop-down
menu. vRealize Log Insight sends webhook notifications to the endpoint
through the selected proxy.
Integration Key If you select a Pager Duty endpoint, enter an integration key for webhook
requests.
Advanced Settings If you select a vRO or custom endpoint, enter additional information such as
content type, authorization, and so on.
n For a vRO endpoint, the default value for Content Type is JSON. You
can change it to XML if required. The webhook payload is generated
according to the selected content type.
Provide an authorization header to authorize vRO requests. Some of the
authorization options are:
n Basic authentication - Retain the default value Authorization in the
first text box. In the second text box, enter a value in the format
Basic Base64_encoded_string_for_username_and_password.
n Bearer token authentication - Retain the default value
Authorization in the first text box. In the second text box, enter
a value in the format
Bearer bearer_token.
n For a custom endpoint, the default value for Content Type is JSON and
Action is POST. You can customize these options and add additional
headers to the request under Custom Headers. If the configured
remote web server requires authorization to POST/PUT the webhook
notification, enter the user name and password to authenticate with
the server in the Authorization User and Authorization Password text
boxes.
Administering vRealize Log Insight
VMware, Inc. 58
Option Description
Webhook Payload This area is auto-populated based on your selection in the Endpoint drop-
down menu. You can customize the payload, which is the template of the
body sent as a part of the POST/PUT webhook notification request. The
body can be in XML or JSON format. The parameters in the payload are
replaced with the actual values while sending the webhook notification. For
example the parameter
$(AlertName)
is replaced with the name of the alert.
Note For a vRO endpoint, the parameters should match the input or output
parameters in the corresponding workflow created in vRealize Orchestrator.
Parameters You can use the list of parameters to construct or modify the webhook
payload.
n AlertName
n
AlertNameString
n AlertType
n AlertTypeString
n SearchPeriod
n SearchPeriodString
n HitOperator
n HitOperatorString
n messages
n messagesString
n HasMoreResults
n HasMoreResultsString
n Url
n UrlString
n EditUrl
n EditUrlString
n Info
n InfoString
n Recommendation
n RecommendationString
n NumHits
n NumHitsString
n TriggeredAt
n TriggeredAtString
n SourceInfo
n SourceInfoString
Note Except messagesString, all the other string parameter types have the
same content.
5 Click Save.
What to do next
Configure an alert to send webhook notifications to the selected endpoint. For more information,
see Add an Alert to Send Webhook Notifications.
Administering vRealize Log Insight
VMware, Inc. 59
After configuring the alert, you can view the webhook notifications in the endpoint. For example,
in vRO, the webhook notifications are listed as workflow runs. In each workflow run, you can see
the values for the payload parameters in the variables section.
Install a Custom SSL Certificate
By default, vRealize Log Insight installs a self-signed SSL certificate on the virtual appliance.
The self-signed certificate generates security warnings when you connect to the vRealize Log
Insight web user interface. If you do not want to use a self-signed security certificate, you
can install a custom SSL certificate. The only feature requiring a custom SSL certificate is
Log Forwarding through SSL. If you have a Cluster setup with ILB enabled, see Activate the
Integrated Load Balancer for the specific requirements of a custom SSL certificate.
Note The vRealize Log Insight Web user interface and the Log Insight Ingestion protocol cfapi
use the same certificate for authentication.
Prerequisites
n Verify that your custom SSL certificate meets the following requirements.
n The CommonName contains a wildcard or exact match for the primary node or FQDN
of the virtual IP address. Optionally, all other IP addresses and FQDNs are listed as
subjectAltName.
n The certificate file contains both a valid private key and a valid certificate chain.
n The private key is generated by the RSA or the DSA algorithm.
n The private key is not encrypted by a pass phrase.
n If the certificate is signed by a chain of other certificates, all other certificates are included
in the certificate file that you plan to import.
n The private key and all the certificates that are included in the certificate file are PEM-
encoded. vRealize Log Insight does not support DER-encoded certificates and private
keys.
n The private key and all the certificates that are included in the certificate file are in the
PEM format. vRealize Log Insight does not support certificates in the PFX, PKCS12, PKCS7,
or other formats.
n Verify that you concatenate the entire body of each certificate into a single text file in the
following order.
a The Private Key - your_domain_name.key
b The Primary Certificate - your_domain_name.crt
c The Intermediate Certificate - DigiCertCA.crt
d The Root Certificate - TrustedRoot.crt
Administering vRealize Log Insight
VMware, Inc. 60
n Verify that you include the beginning and ending tags of each certificate in the following
format.
-----BEGIN PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Procedure
1 Generate a Self-Signed Certificate
You can generate a self-signed certificate for Windows or Linux by using the OpenSSL tool.
2 Generate a Certificate Signing Request
Generate a certificate-signing request by using the OpenSSL tool for Windows.
3 Request a Signature from a Certificate Authority
Send your certificate signing request to a Certificate Authority of your choice and request a
signature.
4 Concatenate Certificate Files
Combine your key and certificate files into a PEM file.
5 Upload Signed Certificate
You can upload a signed SSL certificate.
6 Configure SSL Connection Between the vRealize Log Insight Server and the Log Insight
Agents
SSL function allows you to provide SSL only connections between the Log Insight Agents
and the vRealize Log Insight Server through the secure flow of Ingestion API. You can also
configure various SSL parameters of the Log Insight Agents.
Generate a Self-Signed Certificate
You can generate a self-signed certificate for Windows or Linux by using the OpenSSL tool.
Administering vRealize Log Insight
VMware, Inc. 61
Prerequisites
n Download the appropriate installer for OpenSSL from https://www.openssl.org/community/
binaries.html. Use the downloaded OpenSSL installer to install it on Windows.
n Edit the openssl.cfg file to add additional required parameters. Make sure the [req]
section has the req_extensions parameter defined.
[req]
.
.
req_extensions=v3_req #
n Add an appropriate Subject Alternative Name entry for the hostname or IP address of
your server, for example
server-01.loginsight.domain
. You cannot specify a pattern for the
hostname.
[v3_req]
.
.
subjectAltName=DNS:server-01.loginsight.domain
#subjectAltName=IP:10.27.74.215
Procedure
1 Create a folder to save your certificate files, for example C:\Certs\LogInsight.
2 Open a command prompt and run the following command.
C:\Certs\LogInsight>openssl req -x509 -nodes -newkey 2048 -keyout server.key -out
server.crt -days 3650
OpenSSL prompts you to supply certificate properties, including country, organization, and
so on.
3 Enter the exact IP address or hostname of your vRealize Log Insight server, or the vRealize
Log Insight cluster address if load balancing is enabled.
This property is the only one for which it is mandatory to specify a value.
Results
Two files are created, server.key and server.crt.
n server.key is a new PEM-encoded private key.
n server.crt is a new PEM-encoded certificate signed by server.key.
Generate a Certificate Signing Request
Generate a certificate-signing request by using the OpenSSL tool for Windows.
Administering vRealize Log Insight
VMware, Inc. 62
Prerequisites
n Install the OpenSSL tool. See http://www.openssl.org for information about obtaining the
OpenSSL tool.
n Edit the openssl.cfg file to add additional required parameters. Make sure the [req]
section has the req_extensions parameter defined.
[req]
.
.
req_extensions=v3_req #
n Add an appropriate Subject Alternative Name entry for the hostname or IP address of
your server, for example
server-01.loginsight.domain
. You cannot specify a pattern for the
hostname.
[v3_req]
.
.
subjectAltName=DNS:server-01.loginsight.domain
#subjectAltName=IP:10.27.74.215
Procedure
1 Create a folder to save your certificate files, for example C:\Certs\LogInsight.
2 Open a Command Prompt and run the following command to generate your private key.
C:\Certs\LogInsight>openssl genrsa -out server.key 2048
3 Create a certificate signing request by running the following command.
C:\Certs\LogInsight>openssl req -new -key server.key -out server.csr
Note This command runs interactively and asks you a number of questions. Your certificate
authority will cross check your answers. Your answers must match the legal documents
regarding the registration of your company.
4 Follow the onscreen instructions and enter the information that will be incorporated into your
certificate request.
Important In the Common Name field, enter the hostname or IP address of your server, for
example mail.your.domain. If you want to include all subdomains, enter *your.domain.
Results
Your certificate signing request file server.csr is generated and saved.
Administering vRealize Log Insight
VMware, Inc. 63
Request a Signature from a Certificate Authority
Send your certificate signing request to a Certificate Authority of your choice and request a
signature.
Procedure
u Submit your server.csr file to a Certificate Authority.
Note Request that the Certificate Authority encode your file in the PEM format.
The Certificate Authority processes your request and sends you back a server.crt file
encoded in the PEM format.
Concatenate Certificate Files
Combine your key and certificate files into a PEM file.
Procedure
1 Create a new server.pem file and open it in a text editor.
2 Copy the contents of your server.key file and paste it in server.pem using the following
format.
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----
3 Copy the contents of the server.crt file you received from a certificate authority and paste
it in server.pem using the following format.
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.crt)
-----END CERTIFICATE-----
4 If the Certificate Authorities provided you with an intermediate or chained certificate, append
the intermediate or chained certificates to the end of the public certificate file in the following
format.
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: server.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: server.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Administering vRealize Log Insight
VMware, Inc. 64
5 Save your server.pem file.
Upload Signed Certificate
You can upload a signed SSL certificate.
Procedure
1 Expand the main menu and navigate to Configuration > SSL.
2 Browse to your custom SSL certificate and click Open.
3 Click Save.
4 Restart vRealize Log Insight.
What to do next
After vRealize Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in
vRealize Log Insight.
Configure SSL Connection Between the vRealize Log Insight Server
and the
Log Insight Agents
SSL function allows you to provide SSL only connections between the Log Insight Agents and
the vRealize Log Insight Server through the secure flow of Ingestion API. You can also configure
various SSL parameters of the Log Insight Agents.
vRealize Log Insight Agents communicate over TLSv.1.2. SSLv.3/TLSv.1.0 is deactivated to meet
security guidelines.
Main SSL Functions
Understanding of the main SSL functions can help you configure the Log Insight Agents properly.
The vRealize Log Insight Agent stores certificates and uses them to verify the identity of the
server during all but the first connection to a particular server. If the server identity cannot
be confirmed, the vRealize Log Insight Agent rejects connection with server and writes an
appropriate error message to the log. Certificates received by the Agent are stored in cert
folder.
n For Windows go to C:\ProgramData\VMware\Log Insight Agent\cert.
n For Linux go to /var/lib/loginsight-agent/cert.
When the vRealize Log Insight Agent establishes secure connection with the vRealize Log Insight
Server, the Agent checks the certificate received from the vRealize Log Insight Server for validity.
The vRealize Log Insight Agent uses system-trusted root certificates.
n The Log Insight Linux Agent loads trusted certificates from /etc/pki/tls/certs/ca-
bundle.crt or /etc/ssl/certs/ca-certificates.crt.
n The Log Insight Windows Agent uses system root certificates.
Administering vRealize Log Insight
VMware, Inc. 65
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives a
different valid self-signed certificate with the same public key, then the agent accepts the new
certificate. This can happen when a self-signed certificate is regenerated using the same private
key but with different details like new expiration date. Otherwise, connection is rejected.
If the vRealize Log Insight Agent has a locally stored self-signed certificate and receives valid
CA-signed certificate, the vRealize Log Insight Agent silently replaces new accepted certificate.
If the vRealize Log Insight Agent receives self-signed certificate after having a CA-signed
certificate, the Log Insight Agent rejects it. The vRealize Log Insight Agent accepts self-signed
certificate received from vRealize Log Insight Server only when it connects to the server for the
first time.
If the vRealize Log Insight Agent has a locally stored CA-signed certificate and receives a valid
certificate signed by another trusted CA, the Agent rejects it. You can modify the configuration
options of the vRealize Log Insight Agent to accept the new certificate. See Configure the
vRealize Log Insight Agent SSL Parameters.
vRealize Log Insight Agents communicate over TLSv.1.2. SSLv.3/TLSv.1.0 is deactivated to meet
security guidelines.
Enforce SSL-Only Connections
You can use the vRealize Log Insight Web user interface to configure the vRealize Log Insight
Agents and the Ingestion API to allow only SSL connections to the server.
The vRealize Log Insight API is normally reachable through HTTP on port 9000 and through
HTTPS on port 9543. Both ports can be used by the vRealize Log Insight Agent or custom API
clients. All authenticated requests require SSL, but unauthenticated requests, including vRealize
Log Insight agent ingestion traffic, can be performed with either. You can force all API request
to use SSL connections. The option does not restrict syslog port 514 traffic or affect the vRealize
Log Insight user interface, for which HTTP port 80 requests continue redirecting to HTTPS port
443.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > SSL.
2 Under the API Server SSL, select Require SSL Connection.
3 Click Save.
Administering vRealize Log Insight
VMware, Inc. 66
Results
vRealize Log Insight API allows only SSL connections to the server. Non-SSL connections are
refused.
Configure the vRealize Log Insight Agent SSL Parameters
You can edit the vRealize Log Insight agent configuration file to change the SSL configuration,
add a path to the trusted root certificates, and say whether the agent accepts certificates.
This procedure applies to the vRealize Log Insight agents for Windows and Linux.
Prerequisites
For the vRealize Log Insight Linux agent:
n Log in as root or use sudo to run console commands.
n Log in to the Linux machine on which you installed the vRealize Log Insight Linux agent,
open a console and run pgrep liagent to verify that the vRealize Log Insight Linux agent is
installed and running.
For the vRealize Log Insight Windows agent:
n Log in to the Windows machine on which you installed the vRealize Log Insight Windows
agent and start the Services manager to verify that the vRealize Log Insight agent service is
installed.
Procedure
1 Navigate to the folder containing the liagent.ini file.
Operating system
Path
Linux /var/lib/loginsight-agent/
Windows %ProgramData%\VMware\Log Insight Agent
2 Open the liagent.ini file in any text editor.
Administering vRealize Log Insight
VMware, Inc. 67
3 Add the following keys to the [server]section of the liagent.ini file.
Key Description
ssl_ca_path Overrides the default storage path for root Certificate
Authority-signed certificates, which are used to verify
connection peer certificates.
When you provide a path for ssl_ca_path, you
override the defaults for both Linux and Windows
agents. You can use a file where multiple certificates
in PEM format are concatenated or a directory that
contains certificates are in PEM format and have names
of the form
hash.0. (See the -hash option of the x509
utility.)
Linux: If no value is specified, the agent uses the value
assigned to the LI_AGENT_SSL_CA_PATH environment
variable. If that value is not present, the agent attempts
to load trusted certificates from the/etc/pki/tls/
certs/ca-bundle.crt file or from the /etc/ssl/
certs/ca-certificates.crt file.
Windows: If no value is specified, the agent uses
the value specified by the LI_AGENT_SSL_CA_PATH
environment variable. If that value is not present, the
vRealize Log Insight Windows agent loads certificates
from the Windows root certificate store.
ssl_accept_any Defines whether any certificates are accepted by the
vRealize Log Insight agent. The possible values are yes,
1, no, or 0. When the value is set to yes or 1, the agent
accepts any certificate from the server and establish
secure connection for sending data. The default value is
no.
ssl_accept_any_trusted The possible values are yes, 1, no, or 0. If the vRealize
Log Insight agent has a locally stored trusted Certificate
Authority-signed certificate and receives a different
valid certificate signed by a different trusted Certificate
Authority, it checks the configuration option. If the
value is set to yes or 1, the agent accepts the new valid
certificate. If the value is set to no or 0, it rejects the
certificate and ends the connection. The default value is
no.
ssl_cn The Common Name of the self-signed certificate.
The default value is VMware vCenter Log Insight.
You can define a custom Common Name to be checked
against the certificate
Common Name
field. The vRealize
Log Insight agent compares the Common Name field of
the received certificate to the host name specified for
the
hostname key in the [server] section. If they do
not match, the agent checks the Common Name text box
against the
ssl_cn key in the liagent.ini file. If the
values match, the vRealize Log Insight agent accepts
the certificate.
Administering vRealize Log Insight
VMware, Inc. 68
Note These keys are ignored if SSL is deactivated.
4 Save and close the liagent.ini file.
Example: Configuration
The following is an example of the SSL configuration for CA-signed certificates.
proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/pki/tls/certs/ca-bundle.crt
ssl_accept_any=no
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
The following is an example of the SSL configuration for accepting any type of certificates,
including self-signed.
proto=cfapi
port=9543
ssl=yes
ssl_accept_any=yes
View and Remove SSL Certificates
You can view the SSL certificates that have been accepted and added to the truststores of all the
nodes in your vRealize Log Insight cluster. You can also remove the certificates that you do not
require anymore.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Certificates.
2 Do either of the following:
n To view the information about a certificate, click the information icon to the right of the
thumbprint of the certificate.
n To remove certificates, select the certificates and click Delete. Optionally, you can click
the delete icon to the right of the thumbprint of each certificate.
Tip You can sort and filter the certificates by using the options provided.
Administering vRealize Log Insight
VMware, Inc. 69
Change the Default Timeout Period for vRealize Log Insight
Web Sessions
By default, to keep your environment secure, vRealize Log Insight Web sessions expire in 30
minutes. You can increase or decrease the timeout duration.
Note The change in the timeout period is applicable only for newly created sessions.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > General.
2 In the Browser Session pane, specify a timeout value in minutes.
The value -1 deactivates session timeouts.
3 Click Save.
Retention and Archiving
You can retain log data in index partitions by defining different retention periods for different
types of logs. For example, you can define a short retention period for logs with sensitive
information. You can also archive the log data in a partition for an extended period of time. If you
enable archiving for an index partition, the data in the partition is moved to an NFS mount after
its retention period.
Configure an Index Partition
You can retain log data in a partition with a filter and a retention period. Index partitions let you
define different retention periods for different types of logs. For example, logs with sensitive
information might require a short retention period, such as five days. You can also archive the
data in an index partition to an NFS mount, to retain the logs for an extended period.
The log data that matches the filter criteria for an index partition is stored in the partition for
the specified retention period. If you activate archiving, the data is moved to an NFS storage
after the retention period. Logs that do not match the filter criteria in any of the defined index
partitions are stored in the default partition. This partition is always activated and stores data for
an unlimited amount of time. You can modify the retention period and activate archiving for the
default partition.
Note You can create a maximum of five index partitions.
Administering vRealize Log Insight
VMware, Inc. 70
Prerequisites
n If you want to activate archiving for an index partition, verify that you have access to an NFS
partition that meets the following requirements.
n The NFS partition must allow reading and writing operations for guest accounts.
n The mount must not require authentication.
n The NFS server must support NFS v3 or v4.
n If using a Windows NFS server, allow unmapped user UNIX access (by UID/GID).
For more information about archiving, see Data Archiving.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Procedure
1 Expand the main menu, click Log Management and then click Index Partitions.
2 To view details for the default partition such as the retention period and archival location,
click the edit icon against the partition titled Default Partition. To modify the details for the
partition, click the edit icon and follow steps 7 through 9.
3 To create a partition, click New Partition and follow steps 5 through 9.
4 In the Partition Name text box, enter a name for the index partition.
5 Add one or more filters to refine the logs that you want to store in the index partition.
Optionally, click Run in Explore Logs page to preview the filtered log results.
6 In the Retention Period text box, enter the number of days for which you want to retain logs
in the index partition. Enter 0 for an unlimited retention period.
7 Click the Archive Location toggle button to archive the log data in the partition. In the text
box, enter the NFS location where you want to store the archived data, in the form nfs://
servername<:port-number>/exportname. The port number defaults to 2049.
Click Test to verify the connection with the NFS storage.
Administering vRealize Log Insight
VMware, Inc. 71
8 Click Save.
Note
n The index partition is activated by default. To deactivate it, use the toggle button against
the partition on the Index Partitions tab.
n Creating, modifying, and deleting index partitions requires you to restart vRealize Log
Insight on all the cluster nodes.
After vRealize Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in
vRealize Log Insight.
Results
The index partition is listed in the Index Partitions tab with information about whether the
partition is activated, the filter criteria, retention period, storage used, and time of ingesting the
first log. You can view or modify the partition details by clicking the edit icon against the partition
name.
Data Archiving
Data archiving preserves old logs that might otherwise be removed from an index partition after
the retention period. vRealize Log Insight can store archived data to NFS mounts.
Note
n Data archiving happens during log ingestion, as described in Key Aspects of the Event Life
Cycle in
Getting Started with vRealize Log Insight
.
n vRealize Log Insight does not manage the NFS mount used for archiving purposes. If system
notifications are enabled, vRealize Log Insight sends an email when the NFS mount is about
to run out of space or is unavailable.
n Archived log events are no longer searchable. If you want to search archived logs, you must
import them into a vRealize Log Insight instance. For information about importing archived
log files, see Import a vRealize Log Insight Archive into vRealize Log Insight.
n Do not mount NFS permanently or change the /etc/fstab file. vRealize Log Insight itself
performs NFS mounting for you.
For information about enabling archiving in an index partition, see Configure an Index Partition.
Format of the vRealize Log Insight Archive Files
vRealize Log Insight archives data in a specific format.
vRealize Log Insight stores archive files on an NFS server and organizes them in hierarchical
directories based on archiving time. For example,
/backup/2014/08/07/16/bd234b2d-df98-44ae-991a-e0562f10a49/data.blob
Administering vRealize Log Insight
VMware, Inc. 72
where /backup is the NFS location, 2014/08/07/16 is the archiving time, bd234b2d-
df98-44ae-991a-e0562f10a49 is the bucket ID of the bucket that stores the log files, and
data.blob is the archived data for the bucket.
The archive data data.blob is a compressed file that uses vRealize Log Insight internal encoding.
It contains the original content for all of the messages stored in the bucket, together with the
static fields such as timestamp, host name, source, and appname.
You can import archived data to vRealize Log Insight, export archive data to a raw text file, and
extract message content from archive data. See Export a Log Insight Archive to a Raw Text File
or JSON and Import a vRealize Log Insight Archive into vRealize Log Insight.
Import a vRealize Log Insight Archive into vRealize Log Insight
Data archiving preserves old logs that might otherwise be removed from an index partition after
the retention period. See Data Archiving. You can use the command line to import logs that have
been archived in vRealize Log Insight.
Note Although vRealize Log Insight can handle historic data and real-time data simultaneously,
you are advised to deploy a separate instance of vRealize Log Insight to process imported log
files.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
n Verify that you have access to the NFS server where vRealize Log Insight logs are archived.
n Verify that the vRealize Log Insight virtual appliance has enough disk space to accommodate
the imported log files.
The minimum free space in the /storage/core partition on the virtual appliance must equal
approximately 10 times the size of the archived log that you want to import.
Procedure
1 Establish an SSH connection to the vRealize Log Insight vApp and log in as the root user.
2 Mount the shared folder on the NFS server where the archived data resides.
Administering vRealize Log Insight
VMware, Inc. 73
3 To import a directory of archived vRealize Log Insight logs, run the following command.
/usr/lib/loginsight/application/bin/loginsight repository import Path-To-Archived-Log-Data-
Folder.
Note
n To avoid the modification of the timestamp of the directory to be imported, ensure that
this command is executed from a directory other than the one you want to import.
Running the command from the directory you want to import results in the creation of a
JavaClient.log file and an update of the directory's modification timestamp.
n Importing archived data might take a long time, depending on the size of the imported
folder.
4 Close the SSH connection.
What to do next
You can search, filter, and analyze the imported log events.
Export a Log Insight Archive to a Raw Text File or JSON
You can use the command line to export a vRealize Log Insight archive to a regular raw text file
or in JSON format.
Note This is an advanced procedure. Command syntax and output formats might change in later
releases of vRealize Log Insight without backward compatibility.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
n Verify that the vRealize Log Insight virtual appliance has enough disk space to accommodate
the exported files.
Procedure
1 Establish an SSH connection to the vRealize Log Insight vApp and log in as the root user.
2 Create an archive directory on the vRealize Log Insight vApp.
mkdir /archive
3 Mount the shared folder on the NFS server where the archived data resides by running the
following command.
mount -t nfs archive-fileshare:archive directory path /archive
Administering vRealize Log Insight
VMware, Inc. 74
4 Check the available storage space on the vRealize Log Insight vApp.
df -h
5 Export a vRealize Log Insight archive to a raw text file.
/usr/lib/loginsight/application/sbin/repo-exporter -d archive-file-directory output-file
For example,
/usr/lib/loginsight/application/sbin/repo-exporter -d /archive/2014/08/07/16/bd234b2d-
df98-44ae-991a-e0562f10a49 /tmp/output.txt
6 Export a vRealize Log Insight archive message content in JSON format.
/usr/lib/loginsight/application/sbin/repo-exporter -F -d archive-file-directory output-file
For example,
/usr/lib/loginsight/application/sbin/repo-exporter -F -d /archive/2014/08/07/16/bd234b2d-
df98-44ae-991a-e0562f10a49 /tmp/output.json
7 Close the SSH connection.
Restart the vRealize Log Insight Service
You can restart vRealize Log Insight by using the Cluster page in the Web user interface.
Caution Restarting vRealize Log Insight closes all active user sessions. Users of the vRealize Log
Insight instance will be forced to log in again.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Cluster.
2 Select a cluster node.
3 Click Restart Primary and click Restart.
What to do next
After vRealize Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in
vRealize Log Insight.
Administering vRealize Log Insight
VMware, Inc. 75
Power off the vRealize Log Insight Virtual Appliance
To avoid data loss when powering off a vRealize Log Insight primary or worker node, you must
power off the node by following a strict sequence of steps.
You must power off the vRealize Log Insight virtual appliance before modifying the virtual
hardware of the appliance.
You can power off the vRealize Log Insight virtual appliance by using the Power > Shut Down
Guest menu option in the vSphere Client. You can also use the virtual appliance console or
establish an SSH connection to the vRealize Log Insight virtual appliance and run a command.
Prerequisites
n If you plan to connect to the vRealize Log Insight virtual appliance by using SSH, verify that
TCP port 22 is open.
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
Procedure
1 Establish an SSH connection to the vRealize Log Insight vApp and log in as the root user.
2 To power off the vRealize Log Insight virtual appliance, run shutdown -h now.
What to do next
You can safely modify the virtual hardware of the vRealize Log Insight virtual appliance.
Download a vRealize Log Insight Support Bundle
If vRealize Log Insight does not operate as expected because of a problem, you can send a copy
of the log and configuration files to VMware Support Services in the form of a support bundle.
Downloading a cluster-wide support bundle is necessary only if requested by VMware Support
Services. You can create the bundle either statically, which uses disk space on the node, or
by streaming, which uses no disk space on the node and stores the bundle on your initiating
machine by default.
The storage location for the support bundle depends on the option that you use to get the
support bundle:
Option
Support Bundle Location
API - POST appliance/vm-support-bundle This is a streaming version with no local file.
API - POST appliance/support-bundle
/tmp/ui-support/
Web user interface - Static support bundle
/tmp/ui-support/
Administering vRealize Log Insight
VMware, Inc. 76
Option Support Bundle Location
Web user interface - Streaming support bundle This is a streaming version with no local file.
Command line - scripts/loginsight-support The bundle is generated in the current directory.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Cluster.
2 Under the Support header, click Download Support Bundle.
The vRealize Log Insight system collects the diagnostic information and sends the data to
your browser in a compressed tarball.
3 Choose the method to create the bundle.
n Select Static support bundle to create a bundle locally. Creation of the bundle consumes
disk space on the node.
n Select Streaming support bundle to start streaming the support bundle immediately. This
method uses no disk space on the node.
4 Click Continue.
5 In the File Download dialog box, click Save.
6 Select a location to which you want to save the tarball archive and click Save.
What to do next
You can review the contents of log files for error messages. When you resolve or close issues,
delete the outdated support bundle to save disk space.
Join or Leave the VMware Customer Experience
Improvement Program
You can join or leave the VMware Customer Experience Improvement Program (CEIP) after
deploying vRealize Log Insight.
You choose whether to participate in the CEIP when you install or upgrade vRealize Log Insight.
After installation or upgrade, you can join or leave the program by following these steps.
Administering vRealize Log Insight
VMware, Inc. 77
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > General.
2 Under Customer Experience Improvement Program, select or clear the Join the VMware
Customer Experience Improvement Program check box.
When selected, the option activates the program for your organization and sends data to
VMware.
Note If you join the CEIP, vRealize Log Insight uses a third-party tool called Pendo to collect
analytics cookies. Pendo collects data based on your interaction with the user interface by
tracking where you click, to help VMware understand how vRealize Log Insight is used. This
data is used to improve the VMware services and design them better. For more information,
see the
Privacy Notice.
3 Click Save.
What to do next
After CEIP is enabled, when a user logs in to vRealize Log Insight, they see a banner at the top of
their window that asks whether they want Pendo to collect data based on their interaction with
the user interface.
n If the user clicks Accept, Pendo collects their data and sends it to VMware.
n If the user clicks Decline, Pendo does not collect their data.
Configure STIG Compliance for vRealize Log Insight
You can configure vRealize Log Insight to ensure STIG (Security Technical Implementation Guide)
compliance for better security. This configuration includes the DoD (Department of Defense)
consent agreement and additional password policy restrictions.
When you activate STIG compliance, vRealize Log Insight sends system notifications when:
n A new user is created or an Active Directory or VMware Identity Manager user logs in for the
first time.
n The allocated log record storage volume reaches 75 percent of the maximum log record
storage capacity of the repository. This notification is sent per node.
For more information, see vRealize Log Insight System Notifications.
Administering vRealize Log Insight
VMware, Inc. 78
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > General.
2 In the Security Technical Implementation Guide pane, perform the relevant actions:
n Click the DoD Consent Agreement toggle button to display the mandatory DoD consent
agreement when a user logs in to vRealize Log Insight. Select a login message type - a
simple message on the login page, a login page with a check box to accept the consent
before logging in, or a consent dialog box with a button to accept the DoD consent
agreement. Add a consent title and description.
When the DoD consent agreement is activated, users can see the selected login message
type when they log in.
n Click the Password Policy Restriction toggle button to activate further password
restrictions for user accounts and additional rules to lock the accounts.
If the password policy restriction is activated, the following additional rules are applied to
passwords:
n A password must contain at least 15 characters.
n A user can change their password only once in 24 hours.
n When a user changes their password, they cannot use the last five passwords.
n When a user changes their password, at least eight characters of the new password
must be different from the old password.
If the password policy restriction is activated, a user account is locked if:
n The user has not logged in to vRealize Log Insight for 35 days.
n The user has not changed their password for 60 days.
Note Super Admin user accounts are never locked.
3 Click Save.
Activate FIPS for vRealize Log Insight
You can configure vRealize Log Insight to ensure FIPS (Federal Information Processing
Standards) compliance for better security. This set of standards describes document processing,
encryption algorithms, and other information technology standards for use within United States'
non-military government agencies and by government contractors and vendors who work with
Administering vRealize Log Insight
VMware, Inc. 79
the agencies. When you activate FIPS, vRealize Log Insight uses the FIPS 140-2 standard with
Security Level 1, which specifies basic security requirements to protect sensitive or valuable data.
For information about how different VMware products support FIPS 140-2, see https://
www.vmware.com/security/certifications/fips.html.
vRealize Log Insight uses Apache Thrift for node-to-node communication. Activating FIPS
automatically enables Thrift over SSL, which makes this communication more secure. However,
you can also enable Thrift over SSL without activating FIPS. For more information, see https://
kb.vmware.com/s/article/82299.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Configuration > General.
2 In the FIPS Mode pane, click the Activate FIPS Mode toggle button to activate FIPS.
Caution Once you activate FIPS, you cannot deactivate it.
3 Click Save.
Results
When you save the FIPS configuration, all the nodes are rebooted. You have to wait for a few
minutes before you can use vRealize Log Insight again.
Administering vRealize Log Insight
VMware, Inc. 80
Managing vRealize Log Insight
Clusters
5
You can add, remove, and upgrade the nodes of a vRealize Log Insight cluster.
Note vRealize Log Insight does not support WAN clustering. Current versions of vRealize Log
Insight do not support WAN clustering (also called geo-clustering, high-availability clustering, or
remote clustering). All nodes in the cluster should be deployed in the same Layer 2 LAN. In
addition, the ports described in Ports and External Interfaces must be opened between nodes for
proper communication.
This chapter includes the following topics:
n Add a Worker Node to a vRealize Log Insight Cluster
n Remove a Worker Node from a vRealize Log Insight Cluster
n Working with an Integrated Load Balancer
Add a Worker Node to a vRealize Log Insight Cluster
Deploy a new instance of the Log Insight virtual appliance and add it to an existing Log Insight
primary node.
Procedure
1 Deploy the vRealize Log Insight Virtual Appliance
Download the vRealize Log Insight virtual appliance. VMware distributes the vRealize Log
Insight virtual appliance as an .ova file. Deploy the vRealize Log Insight virtual appliance by
using the vSphere Client.
2 Join an Existing Deployment
After you deploy and set up a standalone vRealize Log Insight node, you can deploy a new
vRealize Log Insight instance and add it to the existing node to form a vRealize Log Insight
cluster.
Deploy the vRealize Log Insight Virtual Appliance
Download the vRealize Log Insight virtual appliance. VMware distributes the vRealize Log Insight
virtual appliance as an .ova file. Deploy the vRealize Log Insight virtual appliance by using the
vSphere Client.
VMware, Inc.
81
Prerequisites
n Verify that you have a copy of the vRealize Log Insight virtual appliance .ova file.
n Verify that you have permissions to deploy OVF templates to the inventory.
n Verify that your environment has enough resources to accommodate the minimum
requirements of the vRealize Log Insight virtual appliance. See Minimum Requirements.
n Verify that you have read and understand the virtual appliance sizing recommendations. See
Sizing the Log Insight Virtual Appliance.
Procedure
1 In the vSphere Client, select File > Deploy OVF Template.
2 Follow the prompts in the Deploy OVF Template wizard.
3 On the Select Configuration page, select the size of the vRealize Log Insight virtual appliance
based on the size of the environment for which you intend to collect logs.
Small is the minimum requirement for production environments.
vRealize Log Insight provides preset VM (virtual machine) sizes that you can select from
to meet the ingestion requirements of your environment. These presets are certified size
combinations of compute and disk resources, though you can add extra resources afterward.
A small configuration consumes the fewest resources while remaining supported. An extra
small configuration is suitable only for demos.
Preset Size
Log Ingest Rate Virtual CPUs Memory IOPS
Syslog Connections (Active
TCP Connections) Events per Second
Extra Small 6 GB/day 2 4 GB 75 20 400
Small 30 GB/day 4 8 GB 500 100 2000
Medium 75 GB/day 8 16 GB 1000 250 5000
Large 225 GB/day 16 32 GB 1500 750 15,000
You can use a syslog aggregator to increase the number of syslog connections that send
events to vRealize Log Insight. However, the maximum number of events per second is fixed
and does not depend on the use of a syslog aggregator. A vRealize Log Insight instance
cannot be used as a syslog aggregator.
Note If you select Large, you must upgrade the virtual hardware on the vRealize Log Insight
virtual machine after the deployment.
4 On the Select Storage page, select a disk format.
n Thick Provision Lazy Zeroed creates a virtual disk in a default thick format. Space
required for the virtual disk is allocated when the virtual disk is created. The data
remaining on the physical device is not erased during creation, but is zeroed out on
demand later, on first write from the virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 82
n Thick Provision Eager Zeroed creates a type of thick virtual disk that supports clustering
features such as Fault Tolerance. Space required for the virtual disk is allocated at
creation time. In contrast to the flat format, the data remaining on the physical device
is zeroed out when the virtual disk is created. It might take much longer to create disks in
this format than to create other types of disks.
Important Deploy the vRealize Log Insight virtual appliance with thick provisioned eager
zeroed disks whenever possible for better performance and operation of the virtual
appliance.
n Thin Provision creates a disk in thin format. The disk expands as the amount of data
saved on it increases. If your storage device does not support thick provisioning disks or
you want to conserve unused disk space on the vRealize Log Insight virtual appliance,
deploy the virtual appliance with thin provisioned disks.
Note Shrinking disks on the vRealize Log Insight virtual appliance is not supported and might
result in data corruption or data loss.
5 (Optional) On the Select networks page, set the networking parameters for the vRealize Log
Insight virtual appliance. You can select the IPv4 or IPv6 protocol.
If you do not provide network settings, such as an IP address, DNS servers, and gateway
information, vRealize Log Insight uses DHCP to set those settings.
Caution Do not specify more than two domain name servers. If you specify more than two
domain name servers, all configured domain name servers are ignored in the vRealize Log
Insight virtual appliance.
Use a comma-separated list to specify domain name servers.
6 (Optional) On the Customize template page, set network properties if you are not using
DHCP.
Under Application, select the Prefer IPv6 addresses check box if you want to run the virtual
machine in a dual stack network.
Caution Do not select the Prefer IPv6 addresses check box if you want to use pure IPv4
even with IPv6 supported in your network. Select the check box only if your network has a
dual stack or pure stack support for IPv6.
7 (Optional) On the Customize template page, select Other Properties and set the root
password for the vRealize Log Insight virtual appliance.
The root password is required for SSH. You can also set this password through the VMware
Remote Console.
8 Follow the prompts to complete the deployment.
For information on deploying virtual appliances, see the
User's Guide to Deploying vApps and
Virtual Appliances
.
Administering vRealize Log Insight
VMware, Inc. 83
After you power on the virtual appliance, an initialization process begins. The initialization
process takes several minutes to complete. At the end of the process, the virtual appliance
restarts.
9 Navigate to the Console tab and verify the IP address of the vRealize Log Insight virtual
appliance.
IP Address Prefix Description
https:// The DHCP configuration on the virtual appliance is correct.
http:// The DHCP configuration on the virtual appliance failed.
a Power off the vRealize Log Insight virtual appliance.
b Right-click the virtual appliance and select Edit Settings.
c Set a static IP address for the virtual appliance.
What to do next
n If you want to configure a standalone vRealize Log Insight deployment, see Configure New
Log Insight Deployment.
The vRealize Log Insight Web interface is available at https://
log-insight-host
/ where
log-
insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Join an Existing Deployment
After you deploy and set up a standalone vRealize Log Insight node, you can deploy a new
vRealize Log Insight instance and add it to the existing node to form a vRealize Log Insight
cluster.
vRealize Log Insight can scale out by using multiple virtual appliance instances in clusters.
Clusters enable linear scaling of ingestion throughput, increase query performance, and allow
high-availability ingestion. In cluster mode, vRealize Log Insight provides primary and worker
nodes. Both primary and worker nodes are responsible for a subset of data. Primary nodes can
query all subsets of data and aggregate the results. You might require more nodes to support
site needs. You can use from three to 18 nodes in a cluster. This means that a fully functional
cluster must have a minimum of three healthy nodes. Most nodes in a larger cluster must be
healthy. For example, if three nodes of a six-node cluster fail, none of the nodes functions fully
until the failing nodes are removed.
Prerequisites
n In the vSphere Client, note the IP address of the worker vRealize Log Insight virtual appliance.
n Verify that you have the IP address or host name of the primary vRealize Log Insight virtual
appliance.
n Verify that you have a user account on the primary vRealize Log Insight virtual appliance with
the Super Admin role, a role that has the relevant permissions. See Create and Modify Roles
for more information.
Administering vRealize Log Insight
VMware, Inc. 84
n Verify that the versions of the vRealize Log Insight primary and worker nodes are in sync. Do
not add an older version vRealize Log Insight worker to a newer version vRealize Log Insight
primary node.
n You must synchronize the time on the vRealize Log Insight virtual appliance with an NTP
server. See Synchronize the Time on the Log Insight Virtual Appliance.
n For information on supported browser versions, see the vRealize Log Insight Release Notes.
Procedure
1 Use a supported browser to navigate to the web user interface of the vRealize Log Insight
worker.
The URL format is https://
log_insight-host
/, where
log_insight-host
is the IP address or host
name of the vRealize Log Insight worker virtual appliance.
The initial configuration wizard opens.
2 Click Join Existing Deployment.
3 Enter the IP address or host name of the vRealize Log Insight primary and click Go.
If the primary node provides an untrusted SSL certificate, a dialog box appears with the
details of the certificate. Click Accept to send a request to the vRealize Log Insight primary
node to join the existing deployment.
If you click Cancel, the join request is not sent to the primary node. You must accept the
certificate to ensure that the worker node joins the existing deployment.
4 Click Click here to access the Cluster Management page.
5 Log in as a Super Admin user or a user with the relevant permissions.
The Cluster page loads.
6 Click Allow.
The worker node joins the existing deployment and vRealize Log Insight begins to operate in
a cluster.
What to do next
n Add more worker nodes as needed. The cluster must have a minimum of three nodes.
Remove a Worker Node from a vRealize Log Insight Cluster
You can remove a worker node that is no longer working correctly from a vRealize Log Insight
cluster. Do not remove worker nodes that are operating correctly from a cluster.
Warning Removing a node results in data loss. If a node must be removed, ensure that it has
been backed up first. Avoid removing nodes within 30 minutes of adding new nodes.
Administering vRealize Log Insight
VMware, Inc. 85
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Cluster.
2 In the Workers table, find the node you want, click the pause icon, and click Continue.
The node is now in maintenance mode.
Note A node in maintenance mode continues to receive logs.
3 Click the cross icon to remove the node.
vRealize Log Insight removes the node from the cluster and sends out an email notification.
Working with an Integrated Load Balancer
The vRealize Log Insight integrated load balancer (ILB) supports vRealize Log Insight clusters and
ensures that incoming ingestion traffic is accepted by vRealize Log Insight even if some vRealize
Log Insight nodes become unavailable. You can also configure multiple virtual IP addresses.
Note External load balancers are not supported for use with vRealize Log Insight, including
vRealize Log Insight clusters.
It is a best practice to include the ILB in all deployments, including single-node instances. Send
queries and ingestion traffic to the ILB so that a cluster can easily be supported in the future if
needed. The ILB balances traffic across nodes in a cluster and minimizes administrative overhead.
The ILB ensures that incoming ingestion traffic is accepted by vRealize Log Insight even if some
vRealize Log Insight nodes become unavailable. The ILB also balances incoming traffic fairly
among available vRealize Log Insight nodes. vRealize Log Insight clients, using both the web user
interface and ingestion (through syslog or the Ingestion API), connect to vRealize Log Insight
through the ILB address.
ILB requires that all vRealize Log Insight nodes be on the same Layer 2 networks, such as behind
the same switch or otherwise able to receive ARP requests from and send ARP requests to each
other. The ILB IP address must be set up so that any vRealize Log Insight node can own it and
receive traffic for it. Typically, this means that the ILB IP address is in the same subnet as the
physical address of the vRealize Log Insight nodes. After you configure the ILB IP address, try to
ping it from a different network to ensure that it is reachable.
To simplify future changes and upgrades, you can have clients point to an FQDN that resolves to
the ILB IP address, instead of pointing directly to the ILB IP address.
Administering vRealize Log Insight
VMware, Inc. 86
About Direct Server Return Configuration
The vRealize Log Insight load balancer uses a Direct Server Return (DSR) configuration. In DSR,
all incoming traffic passes through the vRealize Log Insight node that is the current load balancer
node. Return traffic is sent from vRealize Log Insight servers directly back to the client without
needing to go through the load balancer node.
Multiple Virtual IP Addresses
You can configure up to 60 virtual IP addresses (vIPs) for the Integrated Load Balancer. You can
also configure a list of static tags to each vIP so that each log message received from the vIP is
annotated with the configured tags.
Activate the Integrated Load Balancer
When you activate the vRealize Log Insight integrated load balancer (ILB) on a vRealize Log
Insight cluster, you must configure one or more virtual IP addresses.
The Integrated Load Balancer supports one or more virtual IP addresses (vIPs). Each vIP balances
incoming ingestion and query traffic among available
vRealize Log Insight nodes. It is a best
practice to connect all vRealize Log Insight clients through a vIP and not directly to a node.
To simplify future changes and upgrades, you can have clients point to an FQDN that resolves
to the ILB IP address, instead of pointing directly to the ILB IP address. vSphere and vRealize
Operations integrations and alert messages use the FQDN if provided. Otherwise, they use the
ILB IP address. vRealize Log Insight can resolve the FQDN to the given IP address, which means
that the FQDN value you provide should match what is defined in DNS.
Prerequisites
n Verify that all vRealize Log Insight nodes and the specified Integrated Load Balancer IP
address are on the same network.
n If you are using vRealize Log Insight with NSX, verify that the Enable IP Discovery option is
deactivated on the NSX logical switch.
n The vRealize Log Insight primary and worker nodes must have the same certificates.
Otherwise, the vRealize Log Insight Agents configured to connect through SSL reject the
connection. When uploading a CA-signed certificate to vRealize Log Insight primary and
worker nodes, set the Common Name to the ILB FQDN (or IP address) during the certificate
generation request. See Generate a Certificate Signing Request .
n You must synchronize the time on the vRealize Log Insight virtual appliance with an NTP
server. See Synchronize the Time on the Log Insight Virtual Appliance.
Procedure
1 Expand the main menu and navigate to Management > Cluster.
2 In the Integrated Load Balancer section, select New Virtual IP Address and enter the virtual
IP (vIP) address to use for integrated load balancing.
Administering vRealize Log Insight
VMware, Inc. 87
3 (Optional) To configure multiple virtual IP addresses, click New Virtual IP Address and enter
the IP address. You can choose to enter the FQDN and tags.
n Each vIP should be in the same subnet as at least one network interface on each node
and the vIP must be available (not used by any other machine).
n Tags let you add fields with predefined values to events for easier querying. You can
add multiple comma-separated tags. All events coming into the system through a vIP are
marked with the vIP's tags.
n You can configure a list of static tags (key=value) for an ILB vIP, so that each log message
received from the vIP is annotated with the configured tags.
4 (Optional) To activate vRealize Log Insight users to access the cluster through FQDN, point
the clients to the FQDN instead of directly to the configured ILB IP address.
You might want to have clients point to an FQDN that resolves to an ILB IP address to
simplify future changes and upgrades. You can have clients point to the FQDN instead of
pointing directly to the ILB IP address.
5 Click Save.
The Integrated Load Balancer is managed by one node in the vRealize Log Insight cluster,
declared the leader for that service. The current leader is denoted by the text (ILB) next to
the node.
Administering vRealize Log Insight
VMware, Inc. 88
Configuring, Monitoring, and
Updating vRealize Log Insight
Agents
6
You can centrally manage the configuration of multiple vRealize Log Insight Agents, monitor their
status, and activate auto-update.
This chapter includes the following topics:
n Centralized Agent Configurations and Agent Groups
n Monitor the Status of the vRealize Log Insight Agents
n Activate Agent Auto-Update from the Server
Centralized Agent Configurations and Agent Groups
Using the vRealize Log Insight server, you can configure agents from within the application's user
interface. Agents poll the vRealize Log Insight server regularly to determine if new configurations
are available.
You can group agents that require the same configuration. For example, you might group all
vRealize Log Insight Windows agents separately from the vRealize Log Insight Linux agents.
In the All Agents menu, existing agent groups from content packs are listed automatically. The
agents listed relate to content packs that you have already installed (for example the vSphere
content pack), which use agent groups. All user-created agent groups appear under Content
Packs > Custom Content, when you click My Content or Shared Content.
A user with at least a view-only admin role can export content packs with the agent group
templates.
Note
n You cannot use the same content pack template more than once.
n Content pack groups are read-only.
VMware, Inc.
89
Only configuration sections beginning with [winlog], [filelog], [journaldlog] and
[parser] are used in content packs. Additional sections are not exported as part of a content
pack. Only single-line comments (lines beginning with ; ) under the [winlog], [filelog], and
[parser] sections, are preserved in a content pack.
Note A single agent can belong to multiple agent groups and inherits all the settings from the
centralized agent configuration.
You can create a configuration for the
All Agents
group as described in Create an Agent Group.
If an agent is configured from the combination of a centralized agent configuration and another
configuration, the agent configuration is a result of merging both the configurations. For more
information about merging, see Agent Group Configuration Merging.
Note Use agent groups whenever possible, and avoid using the
All Agents
configuration unless
needed.
See
Working with vRealize Log Insight Agents
for information about configuring agents and
merging local and server-side configurations.
n Agent Group Configuration Merging
With agent groups, agents can be part of multiple groups and they can belong to the default
group
All Agents
—activating centralized configuration.
n Create an Agent Group
You can create a group of agents that are configured with the same parameters.
n Edit an Agent Group
You can edit the name and description of an agent group, change the filters, and edit the
configuration.
n Add a Content Pack Agent Group as an Agent Group
You can add an agent group that was defined as part of a content pack to your active
groups and apply an agent configuration to the group.
n Delete an Agent Group
You can delete an agent group to remove it from the active groups list.
Agent Group Configuration Merging
With agent groups, agents can be part of multiple groups and they can belong to the default
group
All Agents
—activating centralized configuration.
Merging occurs server-side—and the resulting configuration is merged with the agent-side
configuration. The merged configuration is a result of the following rules.
n The individual group configurations have a higher priority and overrides the All Agents group
settings.
n The All Agents group configuration overrides the local configuration.
Administering vRealize Log Insight
VMware, Inc. 90
n You cannot configure sections with the same name in different groups except with the All
Agents groups. However, the sections in individual groups have a higher priority.
Note To prevent agent loss, the hostname and port parameters of an agent configuration
cannot be changed centrally from the server.
The merged configuration is stored in the agent-side liagent-effective.ini file. For windows
systems, this file is stored in %ProgramData%\VMware\Log Insight Agent and for Linux
systems it is stored in
/var/lib/loginsight-agent/.
Create an Agent Group
You can create a group of agents that are configured with the same parameters.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Agents.
2 In the All Agents menu, Open the drop-down menu in the agent name field next to the
Refresh button and click New Group.
3 Provide a unique name and a description for the agent group and click New Group.
The agent group is created and appears in the All Agents list, but is not saved.
Administering vRealize Log Insight
VMware, Inc. 91
4 Specify one or more filters for the agent group. To create a filter, specify a field name, an
operator, and a value.
Filters can contain wildcards, such as * and ?. For example, you can select the OS filter
contains and specify the value windows to identify all your Windows agents for configuration.
a Choose one of the following fields to filter on:
n IP address
n hostname
n version
n OS
b Select an operator from the drop-down menu and specify a value.
Operator Description
matches Finds strings that match the specified string and wildcard specification,
where * means zero or more characters and ? means any single
character. Prefix and postfix globbing is supported.
For example, *test* matches strings such as test123 or my-test-run.
does not match Excludes strings that match the specified string and wildcard
specification, where * means zero or more characters and ? means any
single character. Prefix and postfix globbing is supported.
For example, test* filters out test123, but does not exclude
mytest123. %test* does not filters out test123, but does exclude
xtest123
starts with Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
5 Specify the agent configuration values in the Agent Configuration area and click Save New
Group.
Results
The agent configuration is applied after the next polling interval.
Edit an Agent Group
You can edit the name and description of an agent group, change the filters, and edit the
configuration.
Administering vRealize Log Insight
VMware, Inc. 92
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Agents.
2 In the All Agents menu, select the name of the appropriate agent group and click the pencil
icon to edit it.
3 Make your changes.
Item to Edit Action
Name or Description Make the necessary changes and click Save.
Filters or Configuration Make the necessary changes and click Save Group.
Add a Content Pack Agent Group as an Agent Group
You can add an agent group that was defined as part of a content pack to your active groups
and apply an agent configuration to the group.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Agents.
2 In the All Agents menu, select an agent template for the Available Templates list.
3 Click Copy Template to copy the content pack agent group to your active groups.
4 Click Copy.
5 Select the required filters and click Save new group.
Results
The content pack agent group is added to the active groups and the agents are configured
according to the filters that you specified.
Delete an Agent Group
You can delete an agent group to remove it from the active groups list.
Administering vRealize Log Insight
VMware, Inc. 93
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Agents.
2 In the All Agents menu, select the name of the agent group to delete, by clicking the X icon
next to its name.
3 Click Delete.
Results
The agent group is removed from the active groups.
Monitor the Status of the vRealize Log Insight Agents
You can monitor the status of the vRealize Log Insight Windows and Linux agents and view
current statistics about their operation.
Only those agents that are configured to send data through CFAPI appear on the Agents page.
Agents that are configured to send data through syslog appear on the Hosts page, as with other
syslog sources. If protocol changes from CFAPI to syslog, stats are not updated and represented
on the Statistics page and Agent status is shown as "disconnected". Data represented there is
being sent from LI Agents every 30 sec. vRealize Log Insight can display information for up to
15,000 agents.
If you change protocol from CFAPI to syslog, statistics cease to be updated and represented on
the Agent page anymore and agent status is shown as disconnected. Data represented there is
being sent from vRealize Log Insight agent every thirty seconds.
Note If you change a host IP for a vRealize Log Insight server in agent configuration, the agent
resets page stats to zero.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a View Only Admin
user, or a user associated with a role that has the relevant permissions.. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
u Expand the main menu and navigate to Management > Agents.
Status information for each agent that sends data with CFAPI appears.
Administering vRealize Log Insight
VMware, Inc. 94
What to do next
You can use the information from the Agents page to monitor the operation of the installed
vRealize Log Insight Windows and Linux agents. Click the agent hostname to go to the Explore
Logs page for that host. After setting the hostname parameter from the LI Agent, and if default
CFAPI proto is used and points to a Log Insight instance, you can monitor the connection by
opening the Agents statistics page and verifying that the agent appears in the list of agents. You
can use the links under the hostname column to navigate to the Insight Agents page and check
the logs coming from the mentioned Agent.
Activate Agent Auto-Update from the Server
You can activate auto-update for agent groups or all agents from the vRealize Log Insight server.
Auto-update applies the latest available update to the selected agent group or all agents
connected to the server. You can deactivate the auto-update feature for individual servers by
editing the agent's liagent.ini file.
Note
n If auto-update=yes is changed to auto-update=no in the client, you cannot activate auto-
update for the agent in the server.
n If the default configuration in the client is not changed (auto_update=yes), the configuration in
the server works. So, you can activate auto-update for all agents or agent groups using the
relevant option.
For more information, see
Working with vRealize Log Insight Agents
.
Auto-update is deactivated for the server by default.
Prerequisites
n Ensure that agents have an active status are version 4.3 or later.
n Ensure that the client-side agent configuration has
auto_update
set to yes.
Procedure
1 Expand the main menu and navigate to Management > Agents.
2 Do either of the following.
n To activate auto-update for all agents, in the upper-right corner of the Agents page, click
the toggle control for Enable auto-update for all agents.
n To activate auto-update for an agent group, select the agent group in the agent drop-
down menu and click the toggle control for Enable auto-update for selected Agent
Group.
Note This toggle control appears only when Enable auto-update for all agents is
deactivated.
Administering vRealize Log Insight
VMware, Inc. 95
Results
Agents in the selected agent group or all agents connected to this server are updated when an
update is present.
Administering vRealize Log Insight
VMware, Inc. 96
Monitoring vRealize Log Insight
7
You can monitor the vRealize Log Insight virtual appliance and the hosts and devices that send
log events to vRealize Log Insight.
This chapter includes the following topics:
n Check the Health of the vRealize Log Insight Virtual Appliance
n Monitor Hosts That Send Log Events
n Configure a System Notification to Report on Inactive Hosts
Check the Health of the vRealize Log Insight Virtual
Appliance
You can check available resources and active queries on the vRealize Log Insight virtual
appliance, and view current statistics about the operation of vRealize Log Insight.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > System Monitor.
2 If vRealize Log Insight is running as a cluster, click Show resources for and choose the node
you want to monitor.
VMware, Inc.
97
3 Click the buttons on the System Monitor page to view the information that you need.
Option Description
Resources View information about the CPU, memory, IOPS (read and write activity),
and storage usage on the vRealize Log Insight virtual appliance.
The charts on the right represent historical data for the last 24 hours,
and are refreshed at five-minute intervals. The charts on the left display
information for the last five minutes, and are refreshed every three seconds.
Active Queries View information about the queries that are currently active in vRealize Log
Insight.
Statistics View statistics about the log ingest operations and rates.
To view more detailed statistics, click Show advanced statistics.
What to do next
You can use the information from the System Monitor page to manage resources on the vRealize
Log Insight virtual appliance.
Monitor Hosts That Send Log Events
You can view a list of all hosts and devices that send log events to vRealize Log Insight and
monitor them.
Entries in host tables expire three months after the last ingested event.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
u Expand the main menu and navigate to Management > Hosts.
Note If you have configured a vCenter Server to send events and alarms, but have not
configured the individual ESXi hosts to send logs, the Hostname column lists both the vCenter
Server and the individual ESXi hosts as the source instead of listing just the vCenter Server.
What to do next
Users with a Super Admin role or relevant privileges can set up a system notification that is sent
when hosts have been inactive. For more information, see Configure a System Notification to
Report on Inactive Hosts.
Administering vRealize Log Insight
VMware, Inc. 98
Configure a System Notification to Report on Inactive Hosts
vRealize Log Insight includes a built-in notification that you can use to learn about which hosts
have been inactive for a specified period of time.
You activate the notification from the Hosts screen and specify a threshold that triggers the
notification. You can apply this to all hosts or to smaller list of hosts.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as a Super Admin
user, or a user associated with a role that has the relevant permissions. See Create and Modify
Roles for more information. The URL format of the web user interface is https://
log-insight-host
,
where
log-insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Management > Hosts.
Note If you have configured a vCenter Server to send events and alarms, but have not
configured the individual ESXi hosts to send logs, the Hostname column lists both the vCenter
Server and the individual ESXi hosts as the source instead of listing just the vCenter Server.
2 Select Inactive hosts notification on the Hosts page to display a form for configuring when
and for which hosts the notification should be sent.
3 Specify how long the host should be inactive before sending a notification.
Values can range from 10 minutes to the maximum of the host Time to Live (TTL) period, for
which the default is three months.
For example
Send alert listing hosts that are inactive for 8 hours of last received event.
4 You control which hosts are monitored for notification with the Inactive hosts notification
acceptlist setting. When this setting is not selected, notifications are sent for all inactive
hosts.
n To have notifications sent for all inactive hosts, clear the check box.
n To have notifications sent for only some inactive hosts, select Inactive hosts notification
acceptlist and specify the host names in a comma-separated list.
5 Click Save.
Results
System notifications are sent to the address specified on the Configuration > SMTP page when a
host is inactive for longer than the specified limit.
Administering vRealize Log Insight
VMware, Inc. 99
Integrating vRealize Log Insight
with VMware Products
8
vRealize Log Insight can integrate with other VMware products to use events and log data, and
to provide better visibility into events that occur in a virtual environment.
Integration with VMware vSphere
You can set up vRealize Log Insight to connect to vCenter Server systems at two-minute
intervals, and collect events, alarms, and tasks data from these vCenter Server systems. In
addition,
vRealize Log Insight can configure ESXi hosts via vCenter Server. See Connect vRealize
Log Insight to a vSphere Environment.
Integration with VMware vRealize Operations
You can integrate vRealize Log Insight with vRealize Operations and vRealize Operations
Installable. Integrating with the Installable version requires additional changes to the vRealize
Operations configuration. For information about configuring vRealize Operations Installable to
integrate with vRealize Log Insight, see the
Log Insight Getting Started Guide
.
vRealize Log Insight and vRealize Operations can be integrated in two independent ways.
Notification Events
You can set up vRealize Log Insight to send notification events to vRealize Operations based
on queries that you create. See Configure vRealize Log Insight to Send Notifications and
Metrics to vRealize Operations.
Launch in Context
Launch in context is a feature in vRealize Operations that lets you launch an external
application via URL in a specific context. The context is defined by the active UI element and
object selection. Launch in context lets the vRealize Log Insight adapter add menu items to
a number of different views within the Custom user interface and the vSphere user interface
of vRealize Operations. See Activate Launch in Context for vRealize Log Insight in vRealize
Operations.
Note Notification events do not depend on the launch in context configuration. You can send
notification events from vRealize Log Insight to vRealize Operations even if you do not enable the
launch in context feature.
VMware, Inc.
100
Integration with VMware NSX Identity Firewall
You can set up vRealize Log Insight to integrate with an NSX Manager instance. Within the NSX
Manager scope, you can use NSX Identity Firewall(IDFW) to create identity based firewall rules.
After configuring the integration, add predefined third-party identity providers such as
GlobalProtect or ClearPass, or custom identity providers to the configuration. vRealize Log Insight
parses the auth logs from these providers, extracts user ID-to-IP mapping information, and sends
the data to NSX Manager. Based on this data, IDFW defines identity based firewall rules and
applies the rules to users for access control.
If the environment changes, you can:
n Change, add, or remove vSphere systems from vRealize Log Insight.
n Change or remove the instance of vRealize Operations to which alert notifications are sent.
n Change or remove the NSX Manager instance.
n Change the passwords that are used to connect to vSphere systems, vRealize Operations,
and NSX Identity Firewall.
,
This chapter includes the following topics:
n Connect vRealize Log Insight to a vSphere Environment
n Configure vRealize Log Insight to Pull Events, Tasks, and Alarms from vCenter Server Instance
n Using vRealize Operations with vRealize Log Insight
n vRealize Operations Content Pack for vRealize Log Insight
n Integrate vRealize Log Insight with NSX Identity Firewall
Connect vRealize Log Insight to a vSphere Environment
Before you configure vRealize Log Insight to collect alarms, events, and tasks data from your
vSphere environment, you must connect vRealize Log Insight to one or more vCenter Server
systems.
vRealize Log Insight can collect two types of data from vCenter Server instances and the ESXi
hosts that they manage.
n Events, tasks, and alerts are structured data with specific meaning. If configured,vRealize Log
Insight pulls events, tasks, and alerts from the registered vCenter Server instances.
Administering vRealize Log Insight
VMware, Inc. 101
n Logs contain unstructured data that can be analyzed in vRealize Log Insight. ESXi hosts
or vCenter Server Appliance instances can push their logs to vRealize Log Insight through
syslog.
Tip Tags let you add fields with pre-defined values to events coming from vSphere and
configured ESXi hosts for easier querying. Note that comma (,) and equal (=) symbols are not
supported in the tag values. The tags configured during vSphere integration can be assigned
only to the logs coming from vCenter itself or from the logs coming from vCenter's ESXi hosts.
Tagging is based on the ESXi host configuration through integration.
Prerequisites
n For the level of integration that you want to achieve, verify that you have user credentials
with enough privileges to perform the necessary configuration on the vCenter Server system
and its ESXi hosts.
Level of Integration Required Privileges
Events, tasks, and alarms
collection
n System.View
Note System.View is a system-defined privilege. When you add a custom
role and do not assign any privileges to it, the role is created as a Read Only
role with three system-defined privileges: System.Anonymous, System.View, and
System.Read.
Syslog configuration on
ESXi hosts
n Host.Configuration.Change settings
n Host.Configuration.Network configuration
n Host.Configuration.Advanced Settings
n Host.Configuration.Security profile and firewall
Note
You must configure the permission on the top-level folder within the vCenter Server
inventory, and verify that the Propagate to children check box is selected.
n Verify that you know the IP address or domain name of the vCenter Server system.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Integration > vSphere.
2 Enter the IP address and service account credentials for a vCenter Server, and click Test
Connection.
Administering vRealize Log Insight
VMware, Inc. 102
3 If the vSphere environment provides an untrusted SSL certificate, a dialog box appears with
the details of the certificate. Click Accept to add the certificate to the truststores of all the
nodes in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with the
vSphere environment fails. You must accept the certificate for a successful connection.
4 (Optional) To register another vCenter Server, click Add vCenter Server and repeat steps 3
through 5.
Note Do not register vCenter Server systems with duplicate names or IP addresses. vRealize
Log Insight does not check for duplicate vCenter Server names. You must verify that the list
of registered vCenter Server systems does not contain duplicate entries.
5 Click Save.
If you did not test the connection and the vSphere environment provides an untrusted
certificate, follow the instructions in step 4.
What to do next
n Collect events, tasks, and alarms data from the vCenter Server instance that you registered.
See Configure vRealize Log Insight to Pull Events, Tasks, and Alarms from vCenter Server
Instance.
n Collect syslog feeds from the ESXi hosts that the vCenter Server manages. See Configure an
ESXi Host to Forward Log Events to vRealize Log Insight.
vRealize Log Insight as a Syslog Server
vRealize Log Insight includes a built-in syslog server that is constantly active when the vRealize
Log Insight service is running.
The syslog server listens on ports 514/TCP, 1514/TCP, and 514/UDP, and is ready to ingest log
messages that are sent from other hosts. Messages that are ingested by the syslog server
become searchable in the vRealize Log Insight web user interface near real time. The maximum
syslog message length that vRealize Log Insight accepts is 10 KB.
Syslog formats RFC-6587, RFC-5424, and RFC-3164 are supported.
Configure an ESXi Host to Forward Log Events to vRealize Log
Insight
ESXi hosts or vCenter Server Appliance instances generate unstructured log data that can be
analyzed in vRealize Log Insight.
Administering vRealize Log Insight
VMware, Inc. 103
You use the vRealize Log Insight Integration interface to configure ESXi hosts on a registered
vCenter Server to push syslog data to vRealize Log Insight.
Caution Running parallel configuration tasks might result in incorrect syslog settings on the
target ESXi hosts. Verify that no other user is configuring the ESXi hosts that you intend to
configure.
A vRealize Log Insight cluster can use an integrated load balancer to distribute ESXi and vCenter
Server Appliance syslog feeds between the individual nodes of the cluster.
For information on filtering syslog messages on ESXi hosts before messages are sent to vRealize
Log Insight, see the
Configure Log Filtering on ESXi Hosts
topic in the Setting Up ESXi section, of
the vSphere Installation and Setup guide.
For information on configuring syslog feeds from a vCenter Server Appliance, see Configure
vCenter Server to Forward Log Events to vRealize Log Insight.
Note vRealize Log Insight can receive syslog data from ESXi hosts version 5.5 and later.
Prerequisites
n Verify that the vCenter Server that manages the ESXi host is registered with your vRealize
Log Insight instance. Or, you can register the ESXi host and configure vCenter Server in a
single operation.
n Verify that you have user credentials with enough privileges to configure syslog on ESXi
hosts.
n Host.Configuration.Advanced settings
n Host.Configuration.Security profile and firewall
Note You must configure the permission on the top-level folder within the vCenter Server
inventory, and verify that the Propagate to children check box is selected.
Procedure
1 Expand the main menu and navigate to Integration > vSphere.
2 In the vCenter Server table, locate the vCenter Server instance that manages the ESXi host
from which you want to receive syslog feeds and click Edit.
3 Select the Configure ESXi hosts to send logs to Log Insight check box in the opened edit
view.
By default, vRealize Log Insight configures all reachable ESXi hosts of version 5.5 and later to
send their logs through UDP.
4 (Optional) To modify the default configuration values, click Advanced Options.
n To change the protocol for all ESXi hosts, select Configure all ESXi hosts, select a
protocol, and click OK.
Administering vRealize Log Insight
VMware, Inc. 104
n To set up specific ESX hosts logging only or to change the protocol for selected ESXi
hosts, use the following steps:
a Select Configure specific ESXi hosts.
b Select one or more hosts from the Filter by host list.
c Select the syslog protocol.
Note If you select SSL as your syslog protocol, you must manually download the
vRealize Log Insight certificate and add it to the ESXi certificate store for each ESXi
host you configure in step 4b.
d Click OK.
5 (Optional) If you are using clusters, open the drop-down menu for the Target text box and
select the hostname or IP address for the load balancer that distributes syslog feeds.
6 Click Save.
What to do next
The ESXi host configurations are shown in the ESXi hosts configured column of the vCenter
Server table. If the hosts are configured, you can click View details in the hosts configured
column to view detailed information for the configured ESXi hosts.
Modify an ESXi Host Configuration for Forwarding Log Events to
vRealize Log Insight
ESXi hosts or vCenter Server Appliance instances generate unstructured log data that can be
analyzed in vRealize Log Insight.
You use the vRealize Log Insight Integration interface to configure ESXi hosts on a registered
vCenter Server to push syslog data to vRealize Log Insight.
Caution Running parallel configuration tasks might result in incorrect syslog settings on the
target ESXi hosts. Verify that no other user is configuring the ESXi hosts that you intend to
configure.
After the initial configuration is set up, you can enable an option to periodically look for
and automatically configure both existing and newly added vSphere ESXi hosts that are
not configured yet. The currently configured protocol is used to configure the ESXi hosts
automatically.
A vRealize Log Insight cluster can use an integrated load balancer to distribute ESXi and vCenter
Server Appliance syslog feeds between the individual nodes of the cluster.
For information on filtering syslog messages on ESXi hosts before configured messages are sent
to vRealize Log Insight, see the
Configure Log Filtering on ESXi Hosts
topic in the Setting Up ESXi
section, of the vSphere Installation and Setup guide.
Administering vRealize Log Insight
VMware, Inc. 105
For information on configuring syslog feeds from a vCenter Server Appliance, see Configure
vCenter Server to Forward Log Events to vRealize Log Insight.
vRealize Log Insight can receive syslog data from ESXi hosts version 5.5 and later.
Prerequisites
n Verify that the vCenter Server that manages the ESXi host is registered with your vRealize
Log Insight instance.
n Verify that you have user credentials with enough privileges to configure syslog on ESXi
hosts.
n Host.Configuration.Advanced settings
n Host.Configuration.Security profile and firewall
Note You must configure the permission on the top-level folder within the vCenter Server
inventory, and verify that the Propagate to children check box is selected.
Procedure
1 Expand the main menu and navigate to Integration > vSphere.
2 Select the Configure ESXi hosts to send logs to Log Insight check box.
3 Click Advanced Options.
4 To change the protocol for selected ESXi hosts, use the following steps:
a Select one or more hosts from the Filter by host list.
b Verify that the current protocol is what you want, or select another protocol.
c To enable the automatic configuration of ESXi hosts with the currently configured
protocol, select Automatically configure all ESXi hosts. When enabled, vRealize Log
Insight periodically looks for and configures both existing and newly added vSphere ESXi
hosts that are not configured yet.
d Click Configure to begin the configuration of the selected hosts. The ESXi dialog box
closes.
e Click OK in the message dialog box.
f If you changed the protocol setting, click Save in the main window after you close the
ESXi configuration dialog box.
5 (Optional) If you are using clusters, you can specify a load balancer by opening the drop-
down menu for the Target text box on the vSphere Integration page and selecting the
hostname or IP address for the load balancer.
vRealize Log Insight Notification Events in vRealize Operations
You can configure vRealize Log Insight to send notification events to vRealize Operations based
on the alert queries that you create.
Administering vRealize Log Insight
VMware, Inc. 106
When you configure a notification alert in vRealize Log Insight, you select a resource in vRealize
Operations that is associated with the notification events. See Add an Alert Query in Log Insight
to Send Notification Events to vRealize Operations.
Listed below are sections of the vRealize Operations UI where notification Events appear.
n Home > Recommendations dashboard > Top Health Alerts For Descendants widget
n Home > Alerts Tab
n On all Custom Dashboards that include widgets with notification events
For additional information on where notification events appear, see the VMware vRealize
Operations Documentation Center.
Configure vCenter Server to Forward Log Events to vRealize Log Insight
The vSphere Integration collects task and events from vCenter Server, but not the low-level
internal logs from each vCenter Server component. These logs are used by the vSphere Content
Pack.
For vCenter Server 6.5 and later releases, the preferred way to use native integration from
vRealize Log Insight and install a vRealize Log Insight agent on it. Alternatively, the configuration
can be done through the vCenter Server Appliance Management Interface.
For more information about how to forward log events from vCenter Server, see the vSphere
documentation about redirecting vCenter Server Appliance log files to another machine.
For earlier versions of vSphere, although the vCenter Server Appliance contains a syslog daemon
that can be used to route logs, the preferred method is to install a vRealize Log Insight agent.
For information about installing vRealize Log Insight agents, see
Working with vRealize Log
Insight Agents
.
The vSphere content pack contains agent groups defining specific log files to
collect from vCenter Server installations. The configuration is visible at https://
LogInsightServerFqdnOrIP/contentpack?contentPackId=com.vmware.vsphere.
For information about working with agent groups, see Centralized Agent Configurations and
Agent Groups
For information about vCenter Server log file locations, see http://kb.vmware.com/kb/
1021804 and http://kb.vmware.com/kb/1021806.
Configure vRealize Log Insight to Pull Events, Tasks, and
Alarms from vCenter Server Instance
Events, tasks, and alerts are structured data with specific meaning. You can configure vRealize
Log Insight to collect alarms, events, and tasks data from one or more vCenter Server systems.
Administering vRealize Log Insight
VMware, Inc. 107
You use the Integration UI to configure vRealize Log Insight to connect to vCenter Server
systems. The information is pulled from the vCenter Server systems by using the vSphere Web
Services API and appears as a vSphere content pack in the vRealize Log Insight web user
interface.
Note that vSphere 6.5 has a new native high availability solution. For more information on HA and
the use of load balancers, see the white paper
What's New in VMware vSphere 6.5
available on
www.vmware.com.
Note vRealize Log Insight can pull alarms, events, and tasks data only from vCenter Server 5.5
and later.
Prerequisites
Verify that you have user credentials with System.View privileges.
Note You must configure the permission on the top-level folder within the vCenter Server
inventory, and verify that the Propagate to children check box is selected.
Procedure
1 Expand the main menu and navigate to Integration > vSphere.
2 In the vCenter Server table, locate the vCenter Server instance from which you want to
collect data.
3 Select the Collect vCenter Server events, tasks, and alarms check box in the opened edit
view.
4 Click Save.
Results
vRealize Log Insight connects to the vCenter Server every two minutes and ingests all new
information since the last successful poll.
What to do next
n Analyze vSphere events using the vSphere content pack or custom queries.
n Enable vSphere content pack alerts or custom alerts.
Using vRealize Operations with vRealize Log Insight
Requirements for Integrating With vRealize Operations
As part of integrating vRealize Log Insight with vRealize Operations, you must specify credentials
for vRealize Log Insight to authenticate against vRealize Operations.
Administering vRealize Log Insight
VMware, Inc. 108
vRealize Operations supports both local user accounts and multiple LDAP sources. Both the
vRealize Operations and VMware Identity Manager integrations are configured by a vRealize Log
Insight Super Admin user or a user with Integration permissions.
If your deployment uses a VMware Identity Manager integration in vRealize Log Insight, the
VMware Identity Manager fallback URL (Redirect URL Host) and the target field on the vRealize
Operations integration page should have the exact same value.
Prerequisites
Verify that the integration user account has permissions to manipulate objects in vRealize
Operations. See Minimum Required Permissions for a Local or Active Directory User Account.
Procedure
u To determine the user name for a local user account:
a Select Access Control from the vRealize Operations web interface.
b Identify or create the integration user. The Source Type field is Local User.
c Note the value of the User Name field. You specify this user name when you configure
the integration in the vRealize Log Insight user interface.
u To determine the user name format for the LDAP user account that must be provided in
vRealize Log Insight, follow these instructions:
a Select Access Control from the vRealize Operations web interface.
b Identify or create the integration user. Note the User Name and Source Type fields. For
example, a user named [email protected] from the source Active Directory -
ad.
c Select Authentication Sources.
d Identify the authentication source corresponding to the Source Type from Step b. Note
the Source Display Name field. For example, "ad".
e The user name entered in the vRealize Log Insight user interface is combined
from Step 3 and Step 5, in the form UserName@SourceDisplayName. For example,
Minimum Required Permissions for a Local or Active Directory User Account
To integrate vRealize Log Insight with vRealize Operations, you must specify credentials for
vRealize Log Insight to authenticate against vRealize Operations. To manipulate objects in
vRealize Operations, a user account must have the required permissions.
If you assign permissions to a user for Launch in Context, the user can also configure alert
integration. Use the information in the alert integration table to assign permissions for alert
integration only.
Administering vRealize Log Insight
VMware, Inc. 109
Table 8-1. Alert Integration
Action Permissions and Objects to Select
Create a custom role with the listed
permissions.
1 Administration -> Rest APIs
a All other, Read, Write APIs
b Read access to APIs
Assign the preceding role to the
local or Active Directory user (new
or existing) and select objects/
object hierarchies to assign.
1 Adapter Instance -> vRealizeOpsMgrAPI [Check All]
2 vSphere Hosts and Clusters [Check All]
3 vSphere Networking [Check All]
4 vSphere Storage [Check All]
Table 8-2. Launch in Context Integration
Action Permissions and Objects to Select
Create a custom role with the listed permissions. 1 Administration -> Rest APIs
a All other, Read, Write APIs
b Read access to APIs
c Delete resource
2 Administration -> Configuration -> Manage Resource
Relationships
3 Administration -> Resource Kind Management
a Create
b Edit
4 Administration -> Resource Management
a Create
b Delete
c Read
5 Administration -> Access -> Access Control -> Add,
Edit, or Delete a Role.
Note This permission is required for vRealize
Operations versions 7.0 and earlier.
Assign the preceding role to the local or Active
Directory user (new or existing) and select objects/object
hierarchies to assign.
Select Allow Access to All Objects in the System.
Configure vRealize Log Insight to Send Notifications and Metrics to
vRealize Operations
You can configure vRealize Log Insight to send alert notifications and metrics to vRealize
Operations.
You can integrate vRealize Log Insight with vRealize Operations and vRealize Operations
Installable. Integrating with the Installable version requires additional changes to the vRealize
Operations configuration. For information about configuring vRealize Operations Installable to
integrate with vRealize Log Insight, see the
Log Insight Getting Started Guide
.
Administering vRealize Log Insight
VMware, Inc. 110
Integrating vRealize Log Insight alerts with vRealize Operations allows you to view all information
about your environment in a single user interface.
You can send notification events from multiple vRealize Log Insight instances to a single vRealize
Operations instance. You can activate launch in context for a single vRealize Log Insight instance
per vRealize Operations instance.
vRealize Log Insight uses the vRealize Operations REST API to create resources and relationships
in vRealize Operations for configuring the launch-in-context adapter.
Prerequisites
n Create an integration user account in vRealize Operations with required permissions. For
more information, see Requirements for Integrating With vRealize Operations.
n Verify that you know the IP address or host name of the target vRealize Operations instance.
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Note In an environment running a vRealize Operations cluster with a configured load balancer,
you can use the load balancer IP address if one is available.
Procedure
1 Expand the main menu and navigate to Integration > vRealize Operations.
2 Enter the IP address or host name of the primary node or the load balancer if one is
configured. Use a vRealize Operations user credential and click Test Connection. vRealize
Log Insight uses the credentials to push notification events to vRealize Operations. Make sure
that the configured user has the minimum permissions required for the integration to work.
See Minimum Required Permissions for a Local or Active Directory User Account.
3 If vRealize Operations provides an untrusted SSL certificate, a dialog box appears with the
details of the certificate. Click Accept to add the certificate to the truststores of all the nodes
in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with
vRealize Operations fails. You must accept the certificate for a successful connection.
4 In the vRealize Operations pane, select the relevant check boxes according to your
preference:
n To send alerts to vRealize Operations, select Enable alerts integration.
n To let vRealize Operations open vRealize Log Insight and query for object logs, select
Enable launch in context. For more information, see Activate Launch in Context for
vRealize Log Insight in vRealize Operations.
Administering vRealize Log Insight
VMware, Inc. 111
n To calculate and send metrics to vRealize Operations, select Enable metric calculation.
5 Click Save.
If you did not test the connection and vRealize Operations provides an untrusted certificate,
follow the instructions in step 4.
What to do next
n See relevant pages in the vRealize Operations UI to view the notification events that vRealize
Log Insight sends.
Activate Launch in Context for vRealize Log Insight in vRealize
Operations
You can configure vRealize Operations to display menu items related to vRealize Log Insight and
launch vRealize Log Insight with an object-specific query.
You can integrate vRealize Log Insight with vRealize Operations vApp and vRealize Operations
Installable.
Integrating with vApp install and Installable (Windows, Linux) requires additional changes to
the vRealize Operations configuration. See the topic about installing the vRealize Log Insight
Management Pack (Adapter) in vRealize Operations 6.x and later in the vRealize Log Insight
documentation.
Note The vRealize Log Insight Management Pack is pre-installed in vRealize Operations 6.0 and
later and does not require configuration changes.
vRealize Operations Installable (Windows version) is discontinued from vRealize Operations 6.5
and later.
Important One instance of vRealize Operations supports launch in context for only one instance
of vRealize Log Insight. Because vRealize Log Insight does not check whether other instances are
already registered with vRealize Operations, you might override the settings of another user.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
n Verify that you know the IP address or host name of the target vRealize Operations instance.
n Verify that you have the required user credentials. See Minimum Required Permissions for a
Local or Active Directory User Account.
Administering vRealize Log Insight
VMware, Inc. 112
n If you are using vRealize Operations 6.5 or later, use the procedure for enabling launch
in context in
Configuring vRealize Log Insight with vRealize Operations
in the
vRealize
Operations Configuration Guide
.
Procedure
1 Expand the main menu and navigate to Integration > vRealize Operations.
2 Enter the IP address or FQDN of the vRealize Operations primary node or load balancer if one
is configured and click Test Connection.
Note For Launch in Context functionality, you must provide a vRealize Operations user with
administrator privileges.
3 Click Save.
Results
vRealize Log Insight configures the vRealize Operations instance. This operation might take a few
minutes.
Items related to vRealize Log Insight appear in the menus of vRealize Operations.
What to do next
Launch a vRealize Log Insight query from the vRealize Operations instance. See vRealize Log
Insight Launch in Context
vRealize Log Insight Launch in Context
When you activate launch in context for vRealize Log Insight, a vRealize Log Insight resource is
created in vRealize Operations.
The resource identifier contains the IP address of the vRealize Log Insight instance, and is used
by vRealize Operations to open vRealize Log Insight.
Launch in Context in vRealize Operations 6.5 and Later
For information about enabling launch in context, see the vRealize Operations information center.
Launch in Context in the vSphere User Interface of vRealize Operations 6.4 and Earlier
The launch in context options that are related to vRealize Log Insight appear in the Actions
drop-down menu of the vSphere user interface. You can use these menu items to open vRealize
Log Insight, and search for log events from an object in vRealize Operations.
The available launch in context action depends on the object that you select in vRealize
Operations inventory. The time range of the queries is limited to 60 minutes before you click
a launch in context option.
Administering vRealize Log Insight
VMware, Inc. 113
Table 8-3. Objects in vRealize Operations UI and Their Corresponding Launch in Context Options
and Actions
Object selected
in vRealize
Operations
Launch in Context Option in the
Actions Drop-Down Menu
Action in vRealize
Operations Action in vRealize Log Insight
World Open vRealize Log Insight Opens vRealize Log
Insight.
vRealize Log Insight displays the
Explore Logs page.
vCenter Server Open vRealize Log Insight Opens vRealize Log
Insight.
vRealize Log Insight displays the
Explore Logs page.
Data center Search for logs in vRealize Log
Insight
Opens vRealize Log
Insight and passes the
resource names of all
host systems under the
selected data center
object.
vRealize Log Insight displays
the Explore Logs page and
performs a query to find log
events that contain names of
hosts within the data center.
Cluster Search for logs in vRealize Log
Insight
Opens vRealize Log
Insight and passes the
resource names of all
host systems under the
selected Cluster object.
vRealize Log Insight displays
the Explore Logs page and
performs a query to find log
events that contain names of
hosts within the cluster.
Host System Search for logs in vRealize Log
Insight
Opens vRealize Log
Insight and passes the
resource name of the
selected Host object.
vRealize Log Insight displays
the Explore Logs page and
performs a query to find log
events that contain the name of
the selected Host system.
Virtual Machine Search for logs in vRealize Log
Insight
Opens vRealize Log
Insight and passes the IP
address of the selected
virtual machine and the
resource name of the
related host system.
vRealize Log Insight displays
the Explore Logs page and
performs a query to find log
events that contain the IP
address of the virtual machine,
and the name of the host where
the virtual machine resides.
On the Alerts tab, if you select an alert and select Search for logs in Log Insight from the
in-context menu, the time range of the query is limited to one hour before the alert is triggered.
For example, if an alert was triggered at 2:00 PM, the query in vRealize Log Insight displays all
log messages that occurred between 1:00 PM and 2:00 PM. This helps you identify events that
might have triggered the alert.
You can open vRealize Log Insight from metric charts in vRealize Operations. The time range of
the query thatvRealize Log Insight runs matches the time range of the metric chart.
Note The time that you see in vRealize Log Insight and vRealize Operations metric charts might
differ if the time setting of the virtual appliances is different.
Administering vRealize Log Insight
VMware, Inc. 114
Launch in Context in the vRealize Operations 6.4 and Earlier User Interface
The launch in context icon appears on several pages of the user interface, but you can
launch vRealize Log Insight only from the pages that display vRealize Log Insight notification
events:
n The Alerts Overview page.
n The Alert Summary page of a vRealize Log Insight notification alert.
n The Alerts widgets on your dashboards, when a vRealize Log Insight notification alert is
selected.
When you select a vRealize Log Insight notification event in the Custom user interface, you can
choose between two launch in context actions.
Table 8-4. Launch in Context Options and Actions in vRealize Operations UI
Launch in Context Option in vRealize
Operations Action in vRealize Operations Action in vRealize Log Insight
Open vRealize Log Insight Opens vRealize Log Insight. vRealize Log Insight displays the
Dashboards page and loads the
vSphere Overview dashboard.
Search for Logs in vRealize Log Insight Opens vRealize Log Insight and
passes the ID of the query that
triggered the notification event.
vRealize Log Insight displays the
Explore Logs page and performs the
query that triggered the notification
event.
When you select an alert that has not originated from vRealize Log Insight, the launch in context
menu contains the Search for VM and Host Logs in vRealize Log Insight menu item. If you select
this menu item, vRealize Operations opens vRealize Log Insight and passes the identifiers of the
object that triggered the alert. vRealize Log Insight uses the resource identifiers to perform a
search in the available log events.
Two-Way Launch in Context
Launch in Context is also available from vRealize Log Insight to vRealize Operations.
If you integrate vRealize Log Insight with vRealize Operations, you can perform a Launch in
Context from a vRealize Log Insight event by selecting the gear icon to the left of the event and
selecting the option to view in vRealize Operations.
For information about Launch in Context from vRealize Operations to vRealize Log Insight, see
vRealize Log Insight Launch in Context.
Procedure
1 In vRealize Log Insight, navigate to the Explore Logs page.
2 Locate an event that contains inventory mapping fields and hover over the event.
Administering vRealize Log Insight
VMware, Inc. 115
3 Click the gear icon and select Open Analysis in vRealize Operations from the drop-down
menu.
A new browser tab opens directing you to the vRealize Operations instance integrated with
vRealize Log Insight. Once you authenticate, you are directed to the Environment > Analysis
section of vRealize Operations with the object selected.
Note When multiple vRealize Log Insight instances are connected to the same vRealize
Operations instance, only the last vRealize Log Insight instance integrated with vRealize
Operations has the Launch in Context feature. This also means that the Launch in Context
feature is overridden whenever a vRealize Log Insight instance is integrated with a vRealize
Operations instance that was previously integrated with a different vRealize Log Insight
instance.
Deactivate Launch in Context for vRealize Log Insight in vRealize
Operations
You can uninstall the vRealize Log Insight adapter from the vRealize Operations instance to
remove menu items related to
vRealize Log Insight from the vRealize Operations user interface.
You use the vRealize Log Insight UI to deactivate launch in context. If you do not have access
to vRealize Log Insight or if the vRealize Log Insight instance is deleted before the connection
with vRealize Operations is deactivated, you can unregister vRealize Log Insight from the
Administration UI of vRealize Operations. See the Help in the vRealize Operations Administration
portal.
Caution One instance of vRealize Operations supports launch in context for only one instance
of vRealize Log Insight. If another instance of vRealize Log Insight has been registered after you
registered the instance that you want to deactivate, the second instance overrides the settings of
the first one without notifying you.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Integration > vRealize Operations.
2 Deselect the Enable Launch in Context check box.
3 Click Save.
Administering vRealize Log Insight
VMware, Inc. 116
Results
vRealize Log Insight configures the vRealize Operations instance to remove the vRealize Log
Insight adapter. This operation might take a few minutes.
Add a DNS Search Path and Domain
You can add a DNS search path and domain to improve the vRealize Operations inventory
matching.
Adding a DNS search path and domain improves matching when a virtual machine label and
search domain resolve to the IP address of the host that sends log messages to vRealize Log
Insight. For example, if you have a virtual machine named linux_01 in vRealize Operations and the
host name linux_01.company.com resolves to 192.168.10.10, then adding a search domain allows
vRealize Log Insight to recognize and match that resource.
Procedure
1 Perform a guest shutdown of the vRealize Log Insight virtual appliance.
2 Once the virtual machine is powered down, select Edit Settings.
3 Select the vApp Options tab.
4 From vApp Options > Authoring, click Properties.
5 Find the vami.searchpath.VMware_vCenter_Log_Insight and
vami.domain.VMware_vCenter_Log_Insight keys.
If the keys do not exist, create them.
For the search path keys, use the following values:
n Category is Networking Properties
n Label is DNS searchpath
n Key class ID is vami
n Key instance ID is VMware_vCenter_Log_Insight.
n Type is Static property, String and User configurable.
For domain keys, use the same values, substituting DNS domain for Label and domain for
Key ID.
6 Set the DNS search path and domain. For example, ny01.acme.local.
7 Power on the virtual appliance.
What to do next
After vRealize Log Insight boots, you can validate the DNS configuration by logging in and
viewing the contents of the /etc/resolv.conf file. You should see the search and domain
options near the end of the file.
Administering vRealize Log Insight
VMware, Inc. 117
Remove the vRealize Log Insight Adapter
When you activate launch in context on a vRealize Operations 6.2 and later instance, vRealize
Log Insight creates an instance of the vRealize Log Insight adapter on the vRealize Operations
instance.
The instance of the adapter remains in the vRealize Operations instance when you uninstall
vRealize Log Insight. As a result, the launch in context menu items continue to appear in the
actions menus, and point to a vRealize Log Insight instance that no longer exists.
To deactivate the launch in context functionality in vRealize Operations, you must remove the
vRealize Log Insight adapter from the vRealize Operations instance.
You can use the command line utility cURL to send REST calls to vRealize Operations.
Note These steps are only required if Launch in Context was activated.
Prerequisites
n Verify that cURL is installed on your system. Note that this tool is preinstalled in the vRealize
Operations virtual appliance and the steps can be performed from the appliance using IP
address 127.0.0.1.
n Verify that you know the IP address or host name of the target vRealize Operations instance.
n Depending on the vRealize Operations license that you own, verify that you have the
minimum credentials required to remove the management pack. See Minimum Required
Permissions for a Local or Active Directory User Account.
Procedure
1 In cURL, run the following query on the vRealize Operations virtual appliance to find the
vRealize Log Insight adapter.
curl -k -u "admin" https://ipaddress/suite-api/api/adapterkinds/LogInsight/resourcekinds/
LogInsightLogServer/resources
Where
admin
is the administrator login name and
ipaddress
is the IP address (or hostname)
of the vRealize Operations instance. You are prompted to enter the password for the user:
admin
.
From the curl output find the GUID value assigned to the identifier: <ops:resource
creationTime="{TIMESTAMP}" identifier=“{GUID}”>. You can use this GUID value in
the below command that removes the adapter instance.
2 Run the following command to remove the vRealize Log Insight adapter.
curl -k -u "admin" -X DELETE https://ipaddress/suite-api/api/adapters/{GUID}
Where
admin
is the administrator login name and
ipaddress
is the IP address (or hostname)
of the vRealize Operations instance. You are prompted to enter the password for the user:
admin
.
Administering vRealize Log Insight
VMware, Inc. 118
Results
vRealize Log Insight launch in context items are removed from the menus in vRealize Operations.
For more information about launch in context, see the topic
vRealize Log Insight Launch in
Context
of the vRealize Log Insight in-product help.
vRealize Operations Content Pack for vRealize Log Insight
The vRealize Operations content pack for vRealize Log Insight contains dashboards, extracted
fields, saved queries, and alerts that are used to analyze all logs redirected from a vRealize
Operations instance.
The vRealize Operations content pack provides a way to analyze all logs redirected from a
vRealize Operations instance. The content pack contains dashboards, queries, and alerts to
provide diagnostics and troubleshooting capabilities to the vRealize Operations administrator.
The dashboards are grouped according to the major components of vRealize Operations such
as Analytics, UI, and Adapters to provide better manageability. You can enable various alerts to
send notification events in vRealize Operations and emails to administrators.
You can download the vRealize Operations content pack from VMware Marketplace.
See Working with Content Packs.
Integrate vRealize Log Insight with NSX Identity Firewall
Create a configuration to connect vRealize Log Insight to an NSX Manager instance. Within the
NSX Manager scope, you can use NSX Identity Firewall(IDFW) to create identity based firewall
rules.
Prerequisites
Verify that you are logged in to the vRealize Log Insight web user interface as an Enterprise
Admin user. The URL format of the web user interface is https://
log-insight-host
, where
log-
insight-host
is the IP address or host name of the vRealize Log Insight virtual appliance.
Procedure
1 Expand the main menu and navigate to Integration > NSX Identity Firewall.
2 Enter the IP address or host name and admin credentials for an NSX Manager instance, and
click Test.
3 If the NSX Manager instance provides an untrusted SSL certificate, a dialog box appears with
the details of the certificate. Click Accept to add the certificate to the truststores of all the
nodes in the vRealize Log Insight cluster.
If you click Cancel, the certificate is not added to the truststores and the connection with the
NSX Manager instance fails. You must accept the certificate for a successful connection.
Administering vRealize Log Insight
VMware, Inc. 119
4 Click Save.
If you did not test the connection and the NSX Manager instance provides an untrusted
certificate, follow the instructions in step 4.
What to do next
After configuring the integration, add predefined or custom identity providers to the
configuration. For more information, see Add an Identity Provider to an NSX Identity Firewall
Integration.
Add an Identity Provider to an NSX Identity Firewall Integration
After configuring the integration of vRealize Log Insight with NSX Identity Firewall(IDFW), add a
predefined third-party identity provider such as GlobalProtect or ClearPass to the configuration.
You can also add a custom identity provider.
Prerequisites
n Verify that you are logged in to the vRealize Log Insight web user interface as a Super
Admin user, or a user associated with a role that has the relevant permissions. See
Create
and Modify Roles for more information. The URL format of the web user interface is https://
log-insight-host
, where
log-insight-host
is the IP address or host name of the vRealize Log
Insight virtual appliance.
n Verify that you have an IDFW integration configuration in vRealize Log Insight.
Procedure
1 Expand the main menu and navigate to Integration > NSX Identity Firewall.
2 Under Provider, click New Provider.
3 Enter the following information:
Option
Description
Name A unique name for your identity provider.
Type The identity provider type. You can select a predefined provider such as GlobalProtect or ClearPass,
or a custom provider.
If you select a predefined provider, the regex patterns for Username, IP Address, Domain, and
Event Type are populated based on the provider. You can modify these values.
If you select a custom provider, you must enter the regex patterns for Username, IP Address, and
Domain.
Username The regex pattern to identify the user name in the logs from your provider.
IP Address The regex pattern to identify the IP address in the logs from your provider.
Domain The regex pattern to identify the domain in the logs from your provider.
Administering vRealize Log Insight
VMware, Inc. 120
Option Description
Event Type The regex pattern to identify the event type in the logs from your provider.
The event type for custom providers is Login and is not mandatory. If you want another value,
enter a regex pattern to identify the event type.
Source One or more source IP addresses or FQDNs. You can separate multiple entries by using commas.
vRealize Log Insight parses the logs only from the sources that you enter for your provider, for
optimal performance and security.
n To ensure optimal performace, vRealize Log Insight applies the regex patterns only to the logs
from the selected sources.
n To ensure security, vRealize Log Insight sends only valid data from known sources to NSX
Manager.
Note
n For custom providers that are sending logs through syslog, the regex patterns for the
fields are applied to the message, and not the syslog headers.
n regex patterns are case sensitive.
n For regex field definitions, you must use Java-based regex.
n Forwarding logs from a vRealize Log Insight instance can change the source, which is
used for provider configuration. Instead, send logs directly from the identity provider to
vRealize Log Insight.
n Ensure that a provider source is unique within the scope of an NSX IDFW integration
configuration.
n Predefined providers are configured for certain versions of the identity providers, which
are available in the vRealize Log Insight user interface. The pre-populated regex pattern
might not be accurate for other versions.
4 Click Save.
Results
vRealize Log Insight parses the auth logs from your identity provider, extracts user ID-to-IP
mapping information, and sends the data to NSX Manager. Based on this data, IDFW defines
identity based firewall rules and applies the rules to users for access control.
Example: regex Parsing for GlobalProtect and ClearPass Logs
n Consider the following log sample from a GlobalProtect provider:
Apr 8 14:35:19 PA-500-GW-1-EAT1
1,2021/04/08 14:35:19,009401010000,USERID,login,2049,2021/04/08
14:35:19,vsys1,10.20.30.40,vmware\john,UID-
SJC31,0,1,10800,0,0,agent,,79021111,0x8000000000000000,0,0,0,0,,PA-500-GW-1-
EAT1,1,,2021/04/08 14:35:28,1,0x80000000,vmware\john
Administering vRealize Log Insight
VMware, Inc. 121
The following table shows the mapping between the regex patterns and the values in the log
sample, which vRealize Log Insight sends to NSX Manager.
Option regex Pattern Log Value
Username \\(\w+)\, john
IP Address \,(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\, 10.20.30.40
Domain \,(\w+)\\ vmware
Event Type USERID\,(\w+)\, login
n Consider the following log sample from a ClearPass provider:
2021-08-19 13:47:46,797 10.10.100.10 Insight Logs
10000111 1 0 Auth.Username=smith,Auth.Service=SOF6 vrealize
SSID EAP-TLS Service,Auth.NAS-IP-Address=10.02.20.02,Auth.Host-MAC-
Address=111aaaaab10b,Auth.Protocol=RADIUS,Auth.Login-Status=9002,Auth.Enforcement-
Profiles=[Deny Access Profile]
The following table shows the mapping between the regex patterns and the values in the log
sample, which vRealize Log Insight sends to NSX Manager.
Option
regex Pattern Log Value
Username Username=(\w+) smith
IP Address Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) 10.02.20.02
Domain SOF6\s+(\w+) vrealize
Event Type Auth.(\w+)-Status= Login
Administering vRealize Log Insight
VMware, Inc. 122
Security Considerations for
vRealize Log Insight
9
Use vRealize Log Insight features to safeguard your environment from attack.
This chapter includes the following topics:
n Ports and External Interfaces
n vRealize Log Insight Configuration Files
n vRealize Log Insight Public Key, Certificate, and Keystore
n vRealize Log Insight License and EULA File
n vRealize Log Insight Log Files
n vRealize Log Insight User Accounts
n vRealize Log Insight Firewall Recommendations
n Security Updates and Patches
Ports and External Interfaces
vRealize Log Insight uses specific required services, ports, and external interfaces.
To view information about the ports and protocols of vRealize Log Insight, see the VMware Ports
and Protocols tool.
Communication Ports
vRealize Log Insight uses the communication ports and protocols listed in the Ports and Protocols
tool. The required ports are organized based on whether they are required for sources, for the
user interface, between clusters, for external services, or whether a firewall can safely block
them. Some ports are used only if you enable the corresponding integration.
Note vRealize Log Insight does not support WAN clustering (also called geo-clustering, high-
availability clustering, or remote clustering). All nodes in the cluster should be deployed in the
same Layer 2 LAN. Also, communication ports must be opened between nodes for proper
exchange of information.
vRealize Log Insight network traffic has several sources.
Admin Workstation
VMware, Inc.
123
The machine that an administrator uses to manage the vRealize Log Insight virtual appliance
remotely.
User Workstation
The machine on which a vRealize Log Insight user uses a browser to access the Web
interface of vRealize Log Insight.
System sending logs
The endpoint that sends logs to vRealize Log Insight for analysis and search. For example,
endpoints include ESXi hosts, virtual machines or any system with an IP address.
Log Insight Agents
The agent that resides on a Windows or Linux machine and sends operating system events
and logs to vRealize Log Insight over APIs.
vRealize Log Insight appliance
Any vRealize Log Insight virtual appliance, primary, or worker where the vRealize Log Insight
services reside. The base operating system of the appliance is SUSE 11 SP3.
Ports Required for Sources Sending Data
These ports must be open to network traffic from sources that send data to vRealize Log Insight,
both for connections from outside the cluster and connections load-balanced between cluster
nodes.
Ports Required for the User Interface
These ports must be open to network traffic that must use the vRealize Log Insight user
interface, both for connections outside the cluster and connections load-balanced between
cluster nodes.
Ports Required Between Cluster Nodes
These ports should only be open on a vRealize Log Insight primary node for network access from
worker nodes for maximum security. These ports are in addition to the ports used for sources
and UI traffic that are load-balanced between cluster nodes.
Ports Required for External Services
These ports must be open for outbound network traffic from vRealize Log Insight cluster nodes
to remote services.
Administering vRealize Log Insight
VMware, Inc. 124
vRealize Log Insight Configuration Files
Some configuration files contain settings that affect vRealize Log Insight security.
Note All security-related resources are accessible by the root account. Protecting this account is
critical to the security of vRealize Log Insight.
Table 9-1. Log Insight Configuration Files
File Description
/usr/lib/loginsight/application/etc/
loginsight-config-base.xml
The default system configuration for vRealize Log Insight.
/storage/core/loginsight/config/loginsight-
config.xml#number
The modified (from the default) system configuration
forvRealize Log Insight.
/usr/lib/loginsight/application/etc/jaas.conf
The configuration for active directory integration.
/usr/lib/loginsight/application/etc/
3rd_config/server.xml
The system configuration for Apache Tomcat server.
/storage/var/loginsight/apache-tomcat/conf/
tomcat-users.xml
The system configuration for Apache Tomcat server.
/usr/lib/loginsight/application/3rd_party/
apache-tomcat-*/conf/server.xml
The system configuration for Apache Tomcat server.
/usr/lib/loginsight/application/3rd_party/
apache-tomcat-*/conf/tomcat-users.xml
User information for Apache Tomcat server.
vRealize Log Insight Public Key, Certificate, and Keystore
The public key, the certificate, and the keystore of vRealize Log Insight are located on the
vRealize Log Insight virtual appliance.
Note All security-related resources are accessible by the root account. Protecting this account is
critical to the security of vRealize Log Insight.
n /usr/lib/loginsight/application/etc/public.cert
n /usr/lib/loginsight/application/etc/loginsight.pub
n /usr/lib/loginsight/application/etc/3rd_config/keystore
n /usr/lib/loginsight/application/etc/truststore
n /usr/lib/loginsight/application/3rd_party/apache-tomcat-*/conf/keystore
Administering vRealize Log Insight
VMware, Inc. 125
vRealize Log Insight License and EULA File
The end-user license agreement (EULA) and license file are located on the vRealize Log Insight
virtual appliance.
Note All security-related resources are accessible by the root account. Protecting this account is
critical to the security of vRealize Log Insight.
File Location
License
/usr/lib/loginsight/application/etc/license/loginsight_dev.dlf
License
/usr/lib/loginsight/application/etc/license/loginsight_cpu.dlf
License
/usr/lib/loginsight/application/etc/license/loginsight_osi.dlf
License Key file
/usr/lib/loginsight/application/etc/license/loginsight_license.bak
End-user license agreement
/usr/lib/loginsight/application/etc/license/release/eula.txt
vRealize Log Insight Log Files
The files that contain system messages are on the vRealize Log Insight virtual appliance.
The following table lists each file and its purpose.
If you need information on log rotation or log archiving for these files, see Log Rotation Schemes
Supported by vRealize Log Insight Agents in
Working with vRealize Log Insight Agents
and Data
Archiving in
Administering vRealize Log Insight
.
File
Description
/var/log/vmware/loginsight/alert.log
Used to track information about user-defined alerts that have
been triggered.
/var/log/vmware/loginsight/apache-tomcat/logs/
*.log
Used to track events from the Apache Tomcat server.
/var/log/vmware/loginsight/cassandra.log
Used to track cluster configuration storage and replication in
Apache Cassandra.
/var/log/vmware/loginsight/plugins/vsphere/li-
vsphere.log
Used to trace events related to integration with vSphere
Web Client.
/var/log/vmware/loginsight/
loginsight_daemon_stdout.log
Used for the standard output of vRealize Log Insight
daemon.
/var/log/vmware/loginsight/phonehome.log
Used to track information about trace data collection sent to
VMware (if enabled).
/var/log/vmware/loginsight/pi.log
Used to track database start or stop events.
/var/log/vmware/loginsight/runtime.log
Used to track all run time information related to vRealize Log
Insight.
/var/log/firstboot/stratavm.log
Used to track the events that occur at first boot and
configuration of the vRealize Log Insight virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 126
File Description
/var/log/vmware/loginsight/systemalert.log
Used to track information about system notifications that
vRealize Log Insight sends. Each alert is listed as a JSON
entry.
/var/log/vmware/loginsight/
systemalert_worker.log
Used to track information about system notifications that a
vRealize Log Insight worker node sends. Each alert is listed
as a JSON entry.
/var/log/vmware/loginsight/ui.log
Used to track events related to the vRealize Log Insight user
interface.
/var/log/vmware/loginsight/ui_runtime.log
Used to track runtime events related to the vRealize Log
Insight user interface.
/var/log/vmware/loginsight/upgrade.log
Used to track events that occur during a vRealize Log Insight
upgrade.
/var/log/vmware/loginsight/usage.log
Used to track all queries.
/var/log/vmware/loginsight/
vrops_integration.log
Used to track events related to the vRealize Operations
integration.
/var/log/vmware/loginsight/watchdog_log*
Used to track the run time events of the watch dog process,
which is responsible for restarting vRealize Log Insight if it is
shut down for some reason.
/var/log/vmware/loginsight/api_audit.log
Used to track the API calls to Log Insight.
/var/log/vmware/loginsight/pattern_matcher.log
Used to track the pattern matching times and timeouts for
field extraction.
/var/log/vmware/loginsight/audit.log
Used to track how vRealize Log Insight is used. For more
information, see Audit Logs in vRealize Log Insight.
Log Messages Related to Security
The ui_runtime.log file contains user audit log messages in the following format.
n [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136
DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User
login success: vIDM: SAM=myusername, Domain=vmware.com,
n [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136
INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User
logged out: vIDM: SAM=myusername, Domain=vmware.com,
n [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136
DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User
login success: Active Directory User: SAM=myusername,
Domain=vmware.com,[email protected]]
Administering vRealize Log Insight
VMware, Inc. 127
n [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136
INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User
logged out: Active Directory User: SAM=myusername,
Domain=vmware.com,[email protected]]
n [2019-05-10 11:29:28.330+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136
DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User
login success: Local User: Name=myusername]
n [2019-05-10 11:29:47.078+0000] ["https-
jsse-nio-443-exec-10"/10.153.234.136 INFO]
[com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out:
Local User: Name=myusername]
n [2019-05-10 11:29:23.559+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136
WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login
failure: Bad username/password attempt (username: incorrectUser)]
n [2019-05-10 11:45:37.795+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136
INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean]
[Created new user: Local User: Name=myusername]
n [2019-05-10 11:09:50.493+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136
INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean]
[Created new user: vIDM: SAM=myusername, Domain=vmware.com,
n [2019-05-10 11:47:05.202+0000] ["https-
jsse-nio-443-exec-10"/10.153.234.136 INFO]
[com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new
group: (directoryType= VIDM, domain=vmware.com, group=vidm_admin)]
n [2019-05-10 11:58:11.902+0000] ["https-
jsse-nio-443-exec-4"/10.153.234.136 INFO]
[com.vmware.loginsight.web.actions.settings.UsersActionBean] [Removed
groups: [class com.vmware.loginsight.database.dao.RBACADGroupDO<vidm/
vmware.com/vidm_admin>]]
Administering vRealize Log Insight
VMware, Inc. 128
Some logs are available in debug level. For information about enabling the debug level for each
node, see Activate Debug Level for User Audit Log Messages.
Tip If you are an administrator, you can modify the logging level without restarting the vRealize
Log Insight service. Go to http://
<your_Log_Insight_host>
/internal/config, update the value of
the logging level for the relevant logs, and click Save. For example:
<self-logging>
<logger name="root" level="INFO" />
</self-logging>
You can change the logging level to OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, or ALL.
Note Each node in a vRealize Log Insight cluster has its own ui_runtime.log file. You can
examine the log files of the nodes to monitor the cluster.
Activate Debug Level for User Audit Log Messages
You can activate the debug level for user audit log messages to include the log messages in the
ui_runtime.log file.
Prerequisites
Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
Procedure
1 Navigate to the location /usr/lib/loginsight/application/etc/ and open the
configuration file loginsight-config-base.xml in any text editor.
2 Add a new logger for LoginActionBean with the DEBUG login level:
<loggers>
<logger name="com.vmware.loginsight.web" level="${uiLevel}" additivity="false">
<appenderRef ref="UI_RUNTIME_FILE"/>
</loggers>
3 Save and close the loginsight-config-base.xml file.
4 Run the service loginsight restart command to apply your changes.
Tip You can also activate the debug level for user audit logs without restarting the vRealize
Log Insight service. For more information, see vRealize Log Insight Log Files.
Audit Logs in vRealize Log Insight
Audit logs track how vRealize Log Insight is used.
The audit log file audit.log is located in /var/log/vmware/loginsight/. This file logs the
following actions:
Administering vRealize Log Insight
VMware, Inc. 129
Category Logged Actions
User authentication n Login, logout, and authentication failures.
Access control n Creating, removing, and modifying users, groups,
roles, and datasets.
Configuration n Creating and removing forwarders, vSphere and
vRealize Operations integrations, and so on.
n Changing configuration values such as session
timeout, SSL, SMTP configuration, and so on.
Content packs n Installing, uninstalling, and upgrading.
n Importing and exporting.
Dashboards and widgets n Creating, removing, and modifying.
n Sharing dashboards.
Administration n Configuring agents and enabling auto-update.
n Upgrading clusters.
n Adding and removing certificates and licenses.
Alerts n Creating, removing, and modifying.
Explore logs n Creating, removing, and modifying snapshots and
extracted fields.
vRealize Log Insight
User Accounts
You must set up a system and a root account to administer vRealize Log Insight.
vRealize Log Insight Root User
vRealize Log Insight currently uses the root user account as the service user. No other user is
created.
Unless you set the root password property during deployment, the default root password is
blank. You must change the root password when you log in to the vRealize Log Insight console
for the first time.
SSH is deactivated until the default root password is set.
The root password must meet the following requirements.
n Must be at least eight characters long
n Must contain at least one uppercase letter, one lowercase letter, one digit, and one special
character
n Must not repeat the same character four times
Administering vRealize Log Insight
VMware, Inc. 130
vRealize Log Insight Admin User
When you start the vRealize Log Insight virtual appliance for the first time, vRealize Log Insight
creates the admin user account for its Web user interface, which is a user associated with the
Super Admin role.
The default password for admin is blank. You must change the admin password in the Web user
interface during the initial configuration of vRealize Log Insight.
Active Directory Support
vRealize Log Insight supports integration with Active Directory. When configured, vRealize Log
Insight can authenticate or authorize a user against Active Directory.
See Enable User Authentication Through Active Directory.
Privileges Assigned to Default Users
The vRealize Log Insight service user has root privileges.
The Web user interface admin user has the Super Admin privileges only to the vRealize Log
Insight web user interface.
vRealize Log Insight Firewall Recommendations
To protect sensitive information gathered by vRealize Log Insight, place the server or servers on
a management network segment protected by a firewall from the rest of your internal network.
Required Ports
The following ports must be open to network traffic from sources that send data to vRealize Log
Insight.
Port
Protocol
514/UDP, 514/TCP Syslog
1514/TCP, 6514/TCP Syslog-TLS (SSL)
9000/TCP vRealize Log Insight Ingestion API
9543/TCP vRealize Log Insight Ingestion API - TLS (SSL)
The following ports must be open to network traffic that must use the vRealize Log Insight UI.
Port
Protocol
80/TCP HTTP
443/TCP HTTPS
The following set of ports should only be open on a vRealize Log Insight primary node for
network access from worker nodes for maximum security.
Administering vRealize Log Insight
VMware, Inc. 131
Port Protocol
16520:16580/TCP Thrift RPC
59778/TCP log4j server
12543/TCP database server
To view information about the ports and protocols of vRealize Log Insight, see the VMware Ports
and Protocols tool.
Security Updates and Patches
The vRealize Log Insight virtual appliance uses VMware Photon 3.0 as the guest operating
system.
vRealize Log Insight 8.0 or later comes with a Photon operating system. Photon is more secure
than the SLES operating system, which accompanies vRealize Log Insight 4.8 or earlier.
VMware releases patches to address security issues in maintenance releases. You can download
these patches from the vRealize Log Insight download page.
Before you apply an upgrade or patch to the guest operating system, consider the
dependencies. See Ports and External Interfaces .
Administering vRealize Log Insight
VMware, Inc. 132
Backup, Restore, and Disaster
Recovery
10
To guard against expensive data center downtime, follow these best practices for performing
vRealize Log Insight backup, restoration, and disaster recovery operations.
This chapter includes the following topics:
n Backup, Restore, and Disaster Recovery Overview
n Using Static IP Addresses and FQDN
n Planning and Preparation
n Backup Nodes and Clusters
n Backup Linux or Windows Agents
n Restore Nodes and Clusters
n Changing Configurations After Restoration
n Verify Restorations
n Disaster Recovery
Backup, Restore, and Disaster Recovery Overview
VMware delivers a comprehensive, integrated portfolio of Business Continuity and Disaster
Recovery (BCDR) solutions that provide high availability, data protection, and disaster recovery.
Use the backup, restore, and disaster recovery information in this document for vRealize Log
Insight components, including the primary node, worker node, and forwarder.
n For information about primary and worker cluster members, including configuration, log data,
and customization, see Backup Nodes and Clusters.
n For information about Linux or Windows agent local configuration, see Backup Linux or
Windows Agents.
The information in this document does not apply to the following tools and products. You must
obtain information about these tools and products from multiple resources.
n Third-party tools used for backup, restore, and disaster recovery. For more information, see
the vendor documentation.
VMware, Inc.
133
n vSphere Data Protection, Site Recovery Manager, and Veritas NetBackup. For additional
information on VMware BCDR solutions, see https://www.vmware.com/solutions/business-
continuity-disaster-recovery-draas.html.
n Backup, restore, and disaster recovery capability for products that integrate with vRealize
Log Insight.
n vRealize Operations
n vSphere Web Client server
n ESXi hosts
Using Static IP Addresses and FQDN
You can use static IP addresses and FQDN to avoid risk during backup, restoration, and disaster
recovery operations.
Static IP Addresses for vRealize Log Insight Cluster Nodes and Load
Balancer
When you use static IP addresses for all nodes in a vRealize Log Insight cluster, you eliminate the
need to update the IP addresses of the cluster nodes when the IP addresses change.
vRealize Log Insight includes all node IP addresses in each cluster node configuration file as
described in Knowledge Base article 2123058
All products that integrate with vRealize Log Insight (ESXi, vSphere, vRealize Operations) use the
cluster primary node's fully qualified domain name (FQDN) or IP address as the syslog target.
Those products might use the FQDN or IP address of the load balancer, if configured, as the
syslog target. Static IP addresses reduce the risk of constantly updating the syslog target IP
address in multiple locations.
Provide static IP addresses and optional virtual IP addresses for the load balancer. When
configuring an integrated load balancer, provide the optional FQDN for the virtual IP address.
The FQDN is used when an IP address is not reachable for any reason.
FQDN for vRealize Log Insight Cluster Nodes and Worker Node
When you use an FQDN for all nodes in the vRealize Log Insight cluster, you can save time
on post-restoration and recovery configuration changes, assuming that the same FQDN can be
resolved on the recovery site.
For the primary node (load balancer when used), a fully resolvable FQDN is required. Otherwise,
the ESXi hosts fail to feed the syslog messages to vRealize Log Insight or to any remote target.
For system notifications, vRealize Log Insight uses FQDN host names, if available, instead of IP
addresses.
Administering vRealize Log Insight
VMware, Inc. 134
You can reasonably assume that only the underlying IP addresses change after backup and
restoration or disaster recovery operations. Using FQDN eliminates the need to change the
syslog target address (primary node FQDN or internal load balancer FQDN) on all the external
devices that feed logs to the vRealize Log Insight cluster.
Verify that join requests from a vRealize Log Insight worker node use the FQDN of the vRealize
Log Insight primary node.
The primary node host value in the configuration file on each of the nodes is based on the value
used by the first worker node sending a join request. Using the FQDN of the primary node for the
join request prevents making any manual changes to the primary node host value post-disaster
recovery. Otherwise, the worker nodes cannot rejoin the primary node until the primary node
host name is updated in the configuration files on all restored cluster nodes.
Planning and Preparation
Before implementing a backup, restoration, or disaster recovery procedure, review the planning
and preparation information in this topic.
The following recommendations should be included in a backup, restoration, and disaster
recovery plan.
Test Backup Operations
Perform a test run of the backup, restoration, and disaster recovery operations in a test or
staging environment before performing these operations on a live production setup.
Perform a full backup of the entire vRealize Log Insight cluster. Do not rely on automatic
procedures to back up individual files and configurations.
Verify Fixes
Verify that fixes are implemented and warnings and errors are addressed before performing
backup, restoration, and disaster recovery operations. Backup, restoration, and disaster recovery
tools usually provide visual validations and steps to ensure that backup, restoration, and disaster
recovery configurations are successfully created.
Scheduling Backups
Depending on the cluster configuration, the first backup operation is usually a full backup.
You should allow for an extended period of time for the first backup to complete. Successive
backups, which can be incremental or full backups, finish relatively faster compared to the first
backup operation.
Additional Documentation and Tools
Verify that you are following the documentation for allocating resources for the vRealize Log
Insight backup, restoration, and disaster recovery tools.
Administering vRealize Log Insight
VMware, Inc. 135
Verify that you are following the tool-specific best practices and recommendations for third-
party backup, restoration, and disaster recovery tools.
For virtual machines deployed using VMware products, use additional tools that can provide
special features and configurations to support backup, restoration, and disaster recovery.
Forwarders and Clusters
For forwarders, apply the backup, restoration, and disaster recovery steps for the main vRealize
Log Insight cluster. See Restore Nodes and Clusters.
Based on the customer requirements, you might have a single or multiple vRealize Log Insight
forwarders. In addition, the forwarders can be installed as a standalone node or as a cluster.
For the purpose of backup, restoration, and disaster recovery operations, vRealize Log Insight
forwarders are identical to the primary vRealize Log Insight cluster nodes and handled the same
way.
Backup Nodes and Clusters
It is a best practice to set up scheduled backups or replication for vRealize Log Insight nodes and
clusters.
Prerequisites
n Verify that no configuration problems exist on source and target sites before performing the
backup or replication operations.
n Verify that cluster resource allocation is not at capacity.
In configurations with reasonable ingestion and query loads, the memory and swap usage
can reach almost 100% capacity during backup and replication operations. Because the
memory is near capacity in a live environment, part of the memory spike is due to the
vRealize Log Insight cluster usage. Also, the scheduled backup and replication operations can
contribute significantly to the memory spike.
Sometimes, worker nodes are disconnected momentarily for 1–3 minutes before rejoining
primary nodes, possibly because of high memory usage.
n Reduce the memory throttling on vRealize Log Insight nodes by doing one or both of the
following:
n Allocate additional memory over the vRealize Log Insight recommended configurations.
n Schedule the recurring backups during off-peak hours.
Procedure
1 Enable regular backup or replication of vRealize Log Insight forwarders by using the same
procedures that you use for the vRealize Log Insight server.
2 Verify that the backup frequency and backup types are appropriately selected based on the
available resources and customer-specific requirements.
Administering vRealize Log Insight
VMware, Inc. 136
3 If the resources are not a problem and if it is supported by the tool, enable concurrent cluster
node backups to speed up the backup process.
4 Back up all the nodes at the same time.
For information about how to back up the nodes, see the
Backup and Restore, and Disaster
Recovery
section in the vRealize Suite documentation.
What to do next
Monitoring—As the backup is in progress, check any environment or performance problems
in the vRealize Log Insight setup. Most backup, restore, and disaster recovery tools provide
monitoring capabilities.
During the backup process, check all the relevant logs in the production system because the user
interface might not display all problems.
Backup Linux or Windows Agents
You backup agents by backing up installation and configuration information on the server side. A
separate backup of the agent node is not required.
Agents are typically installed on Linux or Windows systems that also used for some other
application or service and might be included in existing backup procedures. A full file-level or
block-level backup of the machine that includes the entire agent installation and its configuration
is sufficient for recovery. Agents support both local and server-provided configuration.
If the agent is configured entirely from the vRealize Log Insight server, without any local change
to the liagent.ini configuration file, you can avoid creating a backup of the agent installation
at all. Instead, perform a fresh installation of the agent and retrieve the server backup.
If the agent has a custom local configuration, backup the liagent.ini file and restore it along
with a fresh installation of the agent. If you use the agent nodes for more than installing the agent
software and if these nodes need a full backup, follow the same backup procedure as for any
other virtual machine.
If the agent configuration is done on the client side (on the agents) and if the agent nodes are
used only for vRealize Log Insight agent software installation, making a backup of the agent
configuration file is sufficient.
Prerequisites
Verify that the agent configuration is on the vRealize Log Insight server side.
Procedure
1 Backup the liagent.ini file.
2 Replace the file on the recovered agent or Linux or Windows machine with the backup file.
Administering vRealize Log Insight
VMware, Inc. 137
Restore Nodes and Clusters
Nodes must be restored in a specific order and some restoration scenarios might require manual
configuration changes.
Depending on the tool used for restoring, you can restore the virtual machines to the same host,
a different host on the same data center, or a different host on a target remote data center. See
Changing Configurations After Restoration
Prerequisites
n Verify that the restored nodes are in the powered off state.
n Verify that the cluster instances are powered off before restoring the cluster to a new site.
n Verify that no split-brain behavior occurs when the same IP addresses and FQDNs are used
on the recovery site.
n Verify that no one is accidentally using a partially working cluster on the primary site.
Procedure
1 Restore the primary node first before restoring worker nodes.
2 Restore worker nodes in any order.
3 (Optional) Restore the forwarders if configured.
Be sure the vRealize Log Insight server (the primary node and all the worker nodes in a
cluster setup) are restored before restoring the forwarders.
4 Restore any recovered agents.
What to do next
n When restoring a vRealize Log Insight cluster, if the same IP addresses are used, verify that
all restored node IP addresses and FQDNs are associated with their original counterparts.
For example, the following scenario fails. In a three-node cluster with nodes A, B, and C, node
A is restored with IP address B, node B is restored with IP address C, and node C is restored
with the IP address A.
n If the same IP addresses are used for only a subset of restored nodes, verify that for
these nodes, all restored images are associated with their original IP addresses.
n Most backup restoration and disaster recovery tools provide a monitoring view for watching
the progress of the restoration operations for failures or warnings. Take appropriate actions
on any identified problems.
n If manual configuration changes are required before the site can be fully restored, follow
the guidelines in the Changing Configurations After Restoration.
n When a successful restoration is finished, perform a spot check of the cluster that was
restored.
Administering vRealize Log Insight
VMware, Inc. 138
Changing Configurations After Restoration
The recovery target and IP customizations applied during the backup configuration determine
which manual configuration changes are required. You must apply configuration changes to one
or more vRealize Log Insight nodes before the restored site can become fully functional.
Restore to the Same Host
Recovering a vRealize Log Insight cluster to the same host is straightforward and can be
performed by any tool.
Prerequisites
Review important information about Planning and Preparation.
Procedure
1 Power off the existing cluster before beginning the restoration operation. By default, the
same IP addresses and FQDNs are used for the restored cluster nodes.
2 (Optional) Provide a new name for the cluster.
During the restoration process, the original copy of the cluster is overwritten with the
restored version unless a new name is provided to the virtual machine.
3 (Optional) If possible, verify that all network, IP, and FQDN settings that are used for the
production environment are preserved in the restored and recovered site.
What to do next
After a successful restoration and a sanity check, delete the old copy to conserve resources and
to prevent accidental split-brain situations if a user powers on the old copy.
Restore to a Different Host
When you perform a restoration to a different host, you must make configuration changes on the
vRealize Log Insight cluster.
Modifying the configuration files directly from the appliance console is not officially supported in
vRealize Log Insight 3.0 and later releases. See Knowledge Base article 2123058 for information
about how to modify these files by using the Web UI interface.
These configuration changes are specific to vRealize Log Insight builds that can be used with any
backup recovery tool.
Recovering to a different host requires manual configuration changes on the vRealize Log Insight
cluster. You can assume that the restored vRealize Log Insight nodes have different IP addresses
and FQDNs than their source counterparts from which a backup was taken.
Prerequisites
Review important information about Planning and Preparation.
Administering vRealize Log Insight
VMware, Inc. 139
Procedure
1 List all new IP addresses and FQDNs that were assigned to each vRealize Log Insight node.
2 Make the following configuration changes on the primary node by using the steps described
in Knowledge Base article 2123058.
a In the vRealize Log Insight config section, look for lines that resemble the following lines.
<distributed overwrite-children="true">
<daemon host="prod-es-vrli1.domain.com" port="16520" token="c4c4c6a7-f85c-4f28-
a48f-43aeea27cd0e">
<service-group name="standalone" />
</daemon>
<daemon host="192.168.1.73" port="16520" token="a5c65b52-
aff5-43ea-8a6d-38807ebc6167">
<service-group name="workernode" />
</daemon>
<daemon host="192.168.1.74" port="16520" token="a2b57cb5-
a6ac-48ee-8e10-17134e1e462e">
<service-group name="workernode" />
</daemon>
</distributed>
The code shows three nodes. The first node is the primary node, which shows <service-
group name=standalone>, and the remaining two nodes are worker nodes, which show
<service-group name="workernode">
b For the primary node, in the newly recovered environment, verify that the DNS entry that
was used in the pre-recovery environment can be reused.
n If the DNS entry can be reused, update only the DNS entry to point to the new IP
address of the primary node.
n If the DNS entry cannot be reused, replace the primary node entry with a new DNS
name (pointing to the new IP address).
n If the DNS name cannot be assigned, as a last option, update the configuration entry
with the new IP address.
c Update the worker node IP addresses as well to reflect the new IP addresses.
Administering vRealize Log Insight
VMware, Inc. 140
d In the same configuration file, verify that you have entries that represent NTP, SMTP, and
database and appenders sections.
<ntp>
<ntp-servers value="ntp1.domain.com, ntp2.domain.com" />
</ntp>
<smtp>
<server value="smtp.domain.com" />
<default-sender value="[email protected]" />
</smtp>
<database>
<password value="xserttt" />
<host value="vrli-node1.domain.com" />
<port value="12543" />
</database>
n If the configured NTP server values are no longer valid in the new environment,
update these values in the
<ntp>...</ntp> section.
n If the configured SMTP server values are no longer valid in the new environment,
update these values in the <smtp>...</smtp> section.
n Optionally, change the default-sender value in the SMTP section. The value can be
any value but as a good practice, represent the source from where the email is being
sent.
n In the <database>..</database> section, change the host value to point to the
primary node FQDN or IP address.
e In the same configuration file, update the vRealize Log Insight ILB configuration section.
<load-balancer>
<leadership-lease-renewal-secs value="5" />
<high-availability-enabled value="true" />
<high-availability-ip value="10.158.128.165" />
<high-availability-fqdn value="LB-FQDN.eng.vmware.com" />
<layer4-enabled value="true" />
<ui-balancing-enabled value="true" />
</load-balancer>
f Under the <load-balancer>...</load-balancer> section, update the high-
availability-ip value if it is different from the current setting.
g Ensure that you also update the FQDN of the load balancer.
Administering vRealize Log Insight
VMware, Inc. 141
h Restart from the Web UI through the Cluster subtab on the Administration tab. For each
node listed, select its host name or IP address to open the details panel and click Restart
Log Insight.
The configuration changes are automatically applied to all cluster nodes.
i Wait 2 minutes after the vRealize Log Insight service starts to allow enough time for the
Cassandra service to start before bringing other worker nodes online.
What to do next
Verify that the restored vRealize Log Insight nodes have been assigned different IP addresses
and FQDNs than their source counterparts from which a backup was taken.
Verify Restorations
You must verify that all restored vRealize Log Insight clusters are fully functional.
Prerequisites
Confirm that the backup and restoration process is finished before verifying node and cluster
configurations.
Procedure
1 Log in to vRealize Log Insight using the internal load balancer (ILB) IP address or the FQDN (if
configured).
2 Expand the main menu and navigate to Management > Cluster.
3 Verify the following:
a Verify that you can access all individual cluster nodes using the respective IP addresses
or FQDNs.
b Verify the status of cluster nodes from the cluster page and ensure that the ILB, if
configured, is also in an active state.
c Verify the vSphere integration. If necessary, reconfigure the integration. Reconfiguration
is required when the ILB or the primary node IP address or FQDN is changed post-
recovery.
d Verify the vRealize Operations integration and reconfigure again if needed.
e Verify that all content packs and UI features are functioning properly.
f Verify that vRealize Log Insight forwarders and agents are functioning properly, if
configured.
4 Verify that other key features of vRealize Log Insight are functioning as expected.
Administering vRealize Log Insight
VMware, Inc. 142
What to do next
Make any necessary adjustments to your backup and recovery plan to address any issues that
may have been identified during your backup, restoration, and verification operations.
Disaster Recovery
A well-documented and well-tested recovery plan is essential to quickly returning a cluster to a
working state.
The choice of replication type is critical when configuring a virtual machine for disaster recovery.
Consider the Recovery Point Objective (RPO), the Recovery Time Objective (RTO), and the cost
and scalability when deciding on a replication type.
In a disaster recovery scenario, sometimes you cannot restore to the same site if the primary
site is fully down. But based on the option you choose, some manual steps are required to fully
restore and return the vRealize Log Insight cluster to a running state.
Unless the vRealize Log Insight cluster is fully down and inaccessible, verify that the cluster
instances are powered off before restoring the cluster to a new site.
During an outage or disaster, recover the vRealize Log Insight cluster as soon as possible.
Administering vRealize Log Insight
VMware, Inc. 143
Troubleshooting vRealize Log
Insight
11
You can solve common problems related to vRealize Log Insight administration before calling
VMware Support Services.
This chapter includes the following topics:
n Cannot Log In to vRealize Log Insight on Internet Explorer
n vRealize Log Insight Runs Out of Disk Space
n Import of Archived Data Might Fail
n Use the Virtual Appliance Console to Create a Support Bundle of vRealize Log Insight
n Reset the Admin User Password
n Reset the Root User Password
n Alerts Could Not Be Delivered to vRealize Operations
n Unable to Log In Using Active Directory Credentials
n SMTP does not work with STARTTLS option activated
n Upgrade Fails Because the Signature of the .pak file Cannot Be Validated
n Upgrade Fails with an Internal Server Error
n Missing vmw_object_id Field in the First Log Message After Integration with VMware
Products
Cannot Log In to vRealize Log Insight on Internet Explorer
vRealize Log Insight authentication fails on Internet Explorer.
Problem
The vRealize Log Insight web client requires LocalStorage or DOM storage support, but your
filesystem integrity level prohibits Internet Explorer from using LocalStorage. The console and
debugger display the error SCRIPT5: Access is Denied.
VMware, Inc.
144
Cause
vRealize Log Insight cannot access LocalStorage or DOM Storage support. Internet Explorer
keeps this storage data in the folder set with the CachePath parameter, nominally at
%USERPROFILE%\AppData\LocalLow\Microsoft\Internet Explorer\DOMstore. If this folder
has an integrity level other than low, Internet Explorer is unable to use LocalStorage.
Solution
You can use the following command to set the integrity level of a user account.
icacls %userprofile%\Appdata\LocalLow /t /setintegritylevel (OI)(CI)L
vRealize Log Insight Runs Out of Disk Space
A vRealize Log Insight primary or worker node might run out of disk space if you are using a
small virtual disk, and archiving is not activated.
Problem
vRealize Log Insight runs out of disk space if the rate of incoming logs exceeds 3 percent of the
storage space per minute, or when vRealize Log Insight cannot delete the oldest buckets from
the storage.
Cause
In normal situations, vRealize Log Insight never runs out of disk because every minute it checks
if the free space is less than 3 percent. If the free space on the vRealize Log Insight virtual
appliance drops below 3 percent, old data buckets are retired.
If archiving is activated, vRealize Log Insight archives the bucket before marking it as archived
and retiring in future. If the free space is filled before the old bucket is archived and retired,
vRealize Log Insight runs out of disk.
Solution
Verify whether the data archival location is available and has enough free space. See Data
Archiving.
Note If none of the solutions are applicable, contact customer support.
Import of Archived Data Might Fail
The import of archived data might fail if the vRealize Log Insight vRealize Log Insight virtual
appliance runs out of disk space.
Administering vRealize Log Insight
VMware, Inc. 145
Problem
The vRealize Log Insight repository import utility does not check for available disk space on the
vRealize Log Insight virtual appliance. Therefore, the import of archived logs might fail if the
virtual appliance runs out of disk space.
Solution
Increase the storage capacity of the vRealize Log Insight virtual appliance and start the import
again. Note, though, that information that was successfully imported before failure will be
duplicated.
Use the Virtual Appliance Console to Create a Support
Bundle of vRealize Log Insight
If you cannot access the vRealize Log Insight Web user interface, you can download the support
bundle by using the virtual appliance console or after establishing an SSH connection to the
vRealize Log Insight virtual appliance.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
n If you plan to connect to the vRealize Log Insight virtual appliance by using SSH, verify that
TCP port 22 is open.
Procedure
1 Establish an SSH connection to the vRealize Log Insight vApp and log in as the root user.
2 To generate the support bundle, run loginsight-support.
To generate a support bundle and include only files that have changed within a certain
time period, execute the loginsight-support command with the --days constraint. For
example, --days=1 will only include files that have changed within 1 day.
Results
The support information is collected and saved in a *.tar.gz file that has the following naming
convention: loginsight-support-YYYY-MM-DD_HHMMSS.xxxxx.tar.gz, where xxxxx is the
process ID under which the loginsight-support process ran.
What to do next
Forward the support bundle to VMware Support Services as requested.
Administering vRealize Log Insight
VMware, Inc. 146
Reset the Admin User Password
If an admin user forgets the password to the Web user interface, the account becomes
unreachable.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
n To enable SSH connections, verify that TCP port 22 is open.
Problem
If vRealize Log Insight has only one admin user and the admin user forgets the password, the
application cannot be administered. If an admin user is the only user of vRealize Log Insight, the
whole Web user interface becomes inaccessible.
Cause
If a user does not remember their current password, vRealize Log Insight does not provide a user
interface for admin users to reset their own passwords.
Note Admin users who can log in can reset the password of other admin users. Reset the admin
user password only when all admin user accounts' passwords are unknown.
Solution
1 Establish an SSH connection to the vRealize Log Insight virtual appliance and log in as the
root user.
2 Run the script that resets the admin user password:
li-reset-admin-passwd.sh
The script resets the admin user password, generates a new password, and displays it on the
screen.
What to do next
Log in to the vRealize Log Insight Web user interface with the new password and change the
admin user password.
Reset the Root User Password
If you forget the password of the root user, you can no longer establish SSH connections or use
the console of the vRealize Log Insight virtual appliance.
Administering vRealize Log Insight
VMware, Inc. 147
You might not be able to log in as root for various reasons including:
n You have not changed the default password. By default, vRealize Log Insight sets a blank
password for the root user and deactivates SSH access. Once the password is set, SSH
access for the root user is activated.
n You set an SSH key during the deployment of the vRealize Log Insight virtual appliance. If an
SSH key is specified through OVF, then password authentication is deactivated. Either log in
with the set SSH key or see the solution steps below.
n You entered the password incorrectly multiple times and you are now temporarily locked out.
In this case, entering the correct password will not get you in until the lockout period has
elapsed. You can either wait or restart the virtual appliance.
Because the vRealize Log Insight virtual appliance resides on a Photon OS, the following steps
describe how to reset the root password on a Photon OS machine.
Problem
If you cannot establish SSH connections or use the console of the vRealize Log Insight virtual
appliance, you cannot accomplish some of the administration tasks, nor can you reset the
password of the admin user.
Solution
1 Restart the vRealize Log Insight virtual machine running Photon OS.
2 As the Photon OS restarts and the splash screen appears, enter the letter e immediately to
go to the GNU GRUB edit menu.
Note Because Photon OS reboots quickly, you will not have much time to enter e. In vSphere
and Workstation, you might have to bring the console into focus by clicking the console
window before it accepts input from your keyboard.
3 In the GNU GRUB edit menu, at the end of the line that starts with linux, enter a space and
add the following code:
rw init=/bin/bash
4 Press F10 to open the command prompt.
5 Mount the root file system.
mount -o remount,rw /
6 Run the following command:
passwd
7 Follow the instructions to enter and reenter a new root password that conforms to the
password complexity rules of Photon OS. Ensure that you remember the password.
Administering vRealize Log Insight
VMware, Inc. 148
8 When you see a message saying that the password has been updated, run the following
command:
umount /
9 Run the following command.
reboot -f
Note You must include the -f option to force a reboot. Otherwise, the kernel enters a state
of panic.
What to do next
After vRealize Log Insight reboots, validate that you can log in with the new root user password.
Alerts Could Not Be Delivered to vRealize Operations
vRealize Log Insight notifies you if an alert event cannot be sent to vRealize Operations. vRealize
Log Insight retries sending the alert every minute until the problem is resolved.
Problem
A red sign with an exclamation mark appears in the vRealize Log Insight toolbar when an alert
could not be delivered to vRealize Operations.
Cause
Connectivity problems prevent vRealize Operations vRealize Log Insight from sending alert
notifications to vRealize Operations.
Solution
u Click on the red icon to open the list of error messages, and scroll down to view the latest
message.
The red sign disappears from the toolbar when you open the list of error messages, or if the
problem is resolved.
u To fix the connectivity problem with vRealize Operations, try the following.
n Verify that the vRealize Operations vApp is not shut down.
n Verify that you can connect to vRealize Operations via the Test Connection button in the
Integration > vRealize Operations page of the vRealize Log Insight Web user interface.
n Verify that you have the correct credentials by logging directly into vRealize Operations.
n Check vRealize Log Insight and vRealize Operations logs for messages related to
connectivity problems.
n Verify that no alerts are filtered out in vRealize Operations vSphere User Interface.
Administering vRealize Log Insight
VMware, Inc. 149
Unable to Log In Using Active Directory Credentials
You cannot log in to the vRealize Log Insight Web user interface when you use Active Directory
credentials.
Problem
You cannot log in to vRealize Log Insight by using your Active Directory domain user credentials,
despite that an administrator has added your Active Directory account to vRealize Log Insight.
Cause
The most common causes are expired passwords, incorrect credentials, connectivity problems,
or lack of synch between the vRealize Log Insight virtual appliance and Active Directory clocks.
Solution
n Verify that your credentials are valid, your password has not expired, and your Active
Directory account is not locked.
n If you have not specified a domain to use with Active Directory authentication,
verify that you have an account on the default domain stored in the latest
vRealize Log Insight configuration at /storage/core/loginsight/config/loginsight-
config.xml#[number] where [number] is the largest.
n Find the latest configuration file: /storage/core/loginsight/config/loginsight-
config.xml#[number] where [number] is the largest.
n Verify vRealize Log Insight has connectivity to the Active Directory server.
n Navigate to Configuration > Authentication, fill in your user credentials, and click the Test
Connection button.
n Check the vRealize Log Insight /var/log/vmware/loginsight/runtime.log for
messages related to DNS problems.
n Verify that the vRealize Log Insight and Active Directory clocks are in synch.
n Check the vRealize Log Insight /var/log/vmware/loginsight/runtime.log for
messages related to clock skew.
n Use an NTP server to synchronize the vRealize Log Insight and Active Directory clocks.
SMTP does not work with STARTTLS option activated
When you configure the SMTP server with the STARTTLS option activated, test emails fail. Add
your SSL certificate for the SMTP server to the Java truststore to resolve the problem.
Prerequisites
n Verify that you have the root user credentials to log in to the vRealize Log Insight virtual
appliance.
Administering vRealize Log Insight
VMware, Inc. 150
n If you plan to connect to the vRealize Log Insight virtual appliance by using SSH, verify that
TCP port 22 is open.
Procedure
1 Establish an SSH connection to the vRealize Log Insight vApp and log in as the root user.
2 Copy the SSL certificate for the SMTP server to the vRealize Log Insight vApp.
3 Run the following command.
`/usr/java/jre-vmware/bin/keytool -import -alias certificate_name -file
path_to_certificate -keystore /usr/java/jre-vmware/lib/security/cacerts`
Note The outer quotes are inserted by using the back quote symbol that is on the same key
as tilde on your keyboard. Do not use single quotes.
4 Enter the default the password changeit.
5 Run the service loginsight restart command.
What to do next
Navigate to Configuration > SMTP and use Send Test Email to test your settings. See Configure
the SMTP Server for vRealize Log Insight
Upgrade Fails Because the Signature of the .pak file Cannot
Be Validated
vRealize Log Insight upgrade fails because of a corrupted .pak file, expired license or insufficient
disk space.
Problem
Upgrading vRealize Log Insight fails and you see an error message Upgrade Failed. Failed
to upgrade: Signature of the PAK file cannot be validated.
Cause
The error might occur for the following reasons:
n The uploaded file is not a .pak file.
n The uploaded .pak file is not complete.
n The license of vRealize Log Insight has expired.
n The vRealize Log Insight virtual appliance root file system does not have enough disk space.
Solution
u Verify that you are uploading a .pak file.
Administering vRealize Log Insight
VMware, Inc. 151
u Verify the md5sum of the .pak file against the VMware download site.
u Verify that at least one valid license is configured on vRealize Log Insight.
u Log in to the vRealize Log Insight virtual appliance and run df -h to check the available disk
space.
Note Do not put files on the vRealize Log Insight virtual appliance root file system.
Upgrade Fails with an Internal Server Error
vRealize Log Insight upgrade fails with an Internal Server Error because of a connection problem.
Problem
Upgrading vRealize Log Insight fails and you see an error message Upgrade Failed. Internal
Server Error.
Cause
A connection problem occurred between the client and the server. For example, when you
attempt to upgrade from a client that is on a WAN.
Solution
u Upgrade LI from a client on the same LAN as the server.
Missing vmw_object_id Field in the First Log Message After
Integration with VMware Products
After integrating vRealize Log Insight with VMware products, the first log message does not
contain the vmw_object_id field.
Problem
The first log message that you receive after you integrate vRealize Log Insight with vCenter
Server and vRealize Operations does not contain the associated vmw_object_id field. The
missing field can have an impact on the alert delivery mechanism when a vRealize Operations
object is specified as an alert target.
Note Ensure that the vCenter Server is also integrated with vRealize Operations.
Solution
Wait for two minutes. The next log message that you receive will contain the vmw_object_id
field.
Administering vRealize Log Insight
VMware, Inc. 152
