I just deployed version 3.3.1. The Import Content Pak icon is missing.
Missing Import ContentPak Icon Version 3.3.1
Does Log Insight do anything above and beyond IBM Q-Radar
So we currently have both VMware Log Insight and Q-Radar, what I'm trying to figure out is if there is any added value to deploying both products. I know Q-Radar does log algorithms and system analysis. My main question is: are we just duplicating? I'm sure there are small differences, but from a high-level overview can an administrator use Q-Radar to see the same info as Log Insight?
Log Insight License support via vCloud Suite
We have vCloud Suite Advanced which I am questioning if it licenses Log Insight.
When querying the WWW and looking at the "VMware, vRealize Suite & vCloud Suite, Licensing, Pricing, Packaging" paper, it seems to indicate it "is" supported, but then again the paper refers to vRealize Suite 7.0.
Is the same support available for vRealize Suite 6.0?
I cannot find a white paper detailing vRealize Suite 6.0 license support.
The licenses we use return "invalid serial number"
LI Agent Log Formatting
Currently looking at a design whereby the LI agent is being used to forward logs to both LI and a SIEM. The issue the SIEM integrator is having is the format of the logs compared to some other syslog agents, which enable easier parsing.
Example from LI Agent
{"@timestamp":"2016-03-23T13:25:30.959Z",
"message":"<38>1 2016-03-23T13:24:21.095731Z aaa-xxx-ss-test.XXX.XXX Microsoft-Windows-Security-Auditing - 4688 [liagent@6876 eventrecordid=\"50747\" keywords=\"Audit Success\" opcode=\"Info\" task=\"Process Creation\"] A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXX-XXX-SS-TEST$\r\n\tAccount Domain:\t\tXXXX\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x11bc\r\n\tNew Process Name:\tC:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0xb24\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
"@version":"1",
"tags":["multiline"],
"host":"xx.xx.xx.xx",
"port":13681,
"type":"loginsight",
"logstash_checksum":"aad474d7b793eb5fa3ff0b30e0c72950142d206cffbb4d16bf6972a3dc444767"}
Example format from NXLog:
{
"_index": "XXX",
"_type": "winevt",
"_id": "AVPLvPVAhiObdUc_LyEB",
"_score": null,
"_source": {
"EventTime": "2016-03-31 09:14:26",
"Hostname": "XXXX",
"Keywords": -9214364837600035000,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4688,
"SourceName": "Microsoft-Windows-Security-Auditing",
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version": 1,
"Task": 13312,
"OpcodeValue": 0,
"RecordNumber": 3913469,
"ProcessID": 4,
"ThreadID": 24120,
"Channel": "Security",
"Message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-286448784-2901391547-1905694321-1188\r\n\tAccount Name:\t\ttest\r\n\tAccount Domain:\t\ttest\r\n\tLogon ID:\t\t0x288C8A3\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x4424\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\r\n\tToken Elevation Type:\tTokenElevationTypeLimited (3)\r\n\tCreator Process ID:\t0x1944\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\" -secure -javaws -jre \"C:\\Program Files (x86)\\Java\\jre1.8.0_51\" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW5camF2YXcuZXhl -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
"Category": "Process Creation",
"Opcode": "Info",
"SubjectUserSid": "S-1-5-21-286448784-2901391547-1905694321-1188",
"SubjectUserName": "test",
"SubjectDomainName": "test",
"SubjectLogonId": "0x288c8a3",
"NewProcessId": "0x4424",
"NewProcessName": "C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe",
"TokenElevationType": "%%1938",
"CommandLine": "\"C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\" -secure -javaws -jre \"C:\\Program Files (x86)\\Java\\jre1.8.0_51\" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW5camF2YXcuZXhl -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh",
"EventReceivedTime": "2016-03-31 09:14:26",
"SourceModuleName": "eventlog",
"SourceModuleType": "im_msvistalog",
"@version": "1",
"@timestamp": "2016-03-31T08:14:31.377Z",
"host": "10.X.X.X:1063",
"type": "winevt"
}
}
As you can see from the two examples, LI and (in this case) NXLog have very different outputs for Windows events.
Can the LI agent pre-parse the event and add the fields ready for use?
Thanks
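As an added illustration of the gap described in this post (not code from the post, from VMware or from NXLog), the following Python script takes one LI agent record of the shape quoted above and turns it into the flat, NXLog-like field set a SIEM parser expects: it reads the RFC 5424 syslog header the agent puts in front of the event (PRI, timestamp, host, provider, event ID, structured-data parameters), then splits the tab-indented "Subject:" / "Process Information:" sections into named fields and drops the Token Elevation Type explanation that follows them. The sample record is constructed from the quoted event with the trailing text shortened; the NXLog-style field names for 4688 are a mapping chosen here, with a generated CamelCase name for anything not in the mapping.

```python
import json
import re
from typing import Dict

# Constructed sample shaped like the LI agent record quoted in the post (the UAC explanation
# that follows the fields is shortened but kept, because the parser has to skip it).
SAMPLE_LI_EVENT = json.dumps({
    "@timestamp": "2016-03-23T13:25:30.959Z",
    "message": (
        "<38>1 2016-03-23T13:24:21.095731Z aaa-xxx-ss-test.XXX.XXX "
        "Microsoft-Windows-Security-Auditing - 4688 "
        '[liagent@6876 eventrecordid="50747" keywords="Audit Success" '
        'opcode="Info" task="Process Creation"] '
        "A new process has been created.\r\n\r\n"
        "Subject:\r\n"
        "\tSecurity ID:\t\tS-1-5-18\r\n"
        "\tAccount Name:\t\tXXX-XXX-SS-TEST$\r\n"
        "\tAccount Domain:\t\tXXXX\r\n"
        "\tLogon ID:\t\t0x3E7\r\n\r\n"
        "Process Information:\r\n"
        "\tNew Process ID:\t\t0x11bc\r\n"
        "\tNew Process Name:\tC:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe\r\n"
        "\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n"
        "\tCreator Process ID:\t0xb24\r\n"
        "\tProcess Command Line:\t\r\n\r\n"
        "Token Elevation Type indicates the type of token that was assigned to the new "
        "process in accordance with User Account Control policy."
    ),
    "host": "xx.xx.xx.xx",
    "type": "loginsight",
})

# RFC 5424 header as the agent emits it: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<body>.*)$",
    re.S,
)
SD_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# NXLog-style names for the 4688 fields (a mapping chosen for this example);
# anything not listed gets a generated CamelCase name from section + field.
FIELD_NAMES = {
    ("Subject", "Security ID"): "SubjectUserSid",
    ("Subject", "Account Name"): "SubjectUserName",
    ("Subject", "Account Domain"): "SubjectDomainName",
    ("Subject", "Logon ID"): "SubjectLogonId",
    ("Process Information", "New Process ID"): "NewProcessId",
    ("Process Information", "New Process Name"): "NewProcessName",
    ("Process Information", "Token Elevation Type"): "TokenElevationType",
    ("Process Information", "Creator Process ID"): "CreatorProcessId",
    ("Process Information", "Process Command Line"): "CommandLine",
}


def parse_event_body(body: str) -> Dict[str, Dict[str, str]]:
    """Split the Windows event text into {section: {field: value}}.

    Section headers are unindented lines ending in ':'; fields are tab-indented
    'Name:<tabs>value' lines. Unindented lines without a trailing ':' (the one-line
    summary and the explanation at the end) close the current section and are dropped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in body.split("\r\n"):
        if not line.strip():
            continue
        if line.startswith("\t"):
            if current is None:
                continue
            name, _, value = line.strip("\t").partition(":")
            sections[current][name.strip()] = value.strip("\t ")
        elif line.endswith(":"):
            current = line[:-1].strip()
            sections.setdefault(current, {})
        else:
            current = None
    return sections


def field_name(section: str, name: str) -> str:
    generic = "".join(w.capitalize() for w in re.split(r"\W+", f"{section} {name}") if w)
    return FIELD_NAMES.get((section, name), generic)


def normalize_li_event(raw_json: str) -> Dict[str, object]:
    """Turn one LI agent JSON record into a flat, NXLog-like field dictionary."""
    record = json.loads(raw_json)
    m = HEADER_RE.match(record["message"])
    if m is None:
        raise ValueError("message does not start with an RFC 5424 header")
    pri = int(m.group("pri"))
    msgid = m.group("msgid")
    event: Dict[str, object] = {
        "EventTime": m.group("timestamp"),
        "Hostname": m.group("hostname"),
        "SourceName": m.group("appname"),
        "EventID": int(msgid) if msgid.isdigit() else msgid,
        "SyslogFacility": pri // 8,
        "SyslogSeverity": pri % 8,
    }
    # Structured-data params the agent adds: eventrecordid, keywords, opcode, task
    for key, value in SD_PARAM_RE.findall(m.group("sd")):
        if key == "eventrecordid":
            event["RecordNumber"] = int(value)
        elif key == "keywords":
            event["Keywords"] = value
        elif key == "opcode":
            event["Opcode"] = value
        elif key == "task":
            event["Category"] = value
        else:
            event[key] = value
    body = m.group("body")
    event["Message"] = body.split("\r\n", 1)[0]  # the one-line summary only
    for section, fields in parse_event_body(body).items():
        for name, value in fields.items():
            event[field_name(section, name)] = value
    return event


if __name__ == "__main__":
    print(json.dumps(normalize_li_event(SAMPLE_LI_EVENT), indent=2))
```

Running it prints the flattened record; the empty CommandLine in the sample is preserved as an empty string rather than dropped, so a detection rule keyed on process creation sees the same field set whether or not command-line auditing is enabled on the source host.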
Powershell to export results of a query
Hi,
I'm trying to add Log Insight intelligence into my automation model. I want to be able to automate the export of results from a Log Insight query into a PowerShell environment. I've not yet found a way to do this.
I'm hoping someone can point me in the right direction.
Thanks,
Shane
Log Insight Agent Compression Query
I'm pretty sure the answer is no, but can someone confirm whether it is possible to turn off the Log Insight compression?
Log Insight Cluster Question
Is a two-node Log Insight cluster supported/possible?
vCenter Server - Application Dashboard not showing any information
Good morning,
I've recently deployed Log Insight 3.3 and everything works great with the exception of the vCenter Server - Application dashboard.
I've loaded the LI Agent on the vCenter server and I've set up the vSphere 5.x - vCenter (Windows) agent group as a new group and assigned my vCenter server in the filter. All file logs are enabled and I can see on the vCenter server that the liconfig was merged properly. I can see the vpxd events and things of that nature through the General dashboard but it doesn't seem to be linking up to the vCenter Server - Application dashboard. Any thoughts?
I'm using the latest Log Insight OVA and the latest LI Agent on the vCenter host (which is Windows).
Thank you,
Adam
Windows security event log
Hi all,
I am running a 3 node Log Insight cluster version 3.0.0-3021606. Been very happy with it.
I have windows agents on our domain controllers sending the event logs in to the load balanced IP. Connectivity is fine. I am able to parse the security event log for the most part, but here is the problem.
Up until recently I was using this to filter on a specific security event ID (5136) and notify me. Worked great. I changed nothing and just let it ride.
It now appears that much of the data stored for this specific event ID is no longer there. Let me see if I can clarify.
If I look at the servers, the event log has all the data in it I would expect.
If I look at Log Insight analytics, there is practically nothing. Only a single field from the event (named 'DS Type'). Again, this worked fine several weeks ago but no longer does.
I have not yet upgraded the Log Insight version or patched it recently etc.
I have removed any other line from the filter, just show me event ID 5136 on anything. Same thing, just the one field. There are many DCs logging to Log Insight. All the data is effectively missing from all of them for this event.
I do have an alert tied to this filter but that's not new.
I am able to view the data from many other event IDs in the security event log such as 4624 and 4634 and they look great, however this 5136 is just not working.
The Log Insight agent log on the DC itself reports no dropped events. Indeed the analytics filter shows the 5136 events just not much in them.
I am probably not going to post proof of security events in this forum but if I can clarify my explanation or show a log, I will be happy to.
Thanks for any input!
Charlie
Log Insight 3.0 Integrated Load Balancer Query
So I have a three node Log Insight cluster and enabled the Integrated Load Balancer, entered the IP and FQDN which my clients are pointing to. All good so far.
I'd like to understand how the load balancing actually works, i.e. if one of the nodes becomes unavailable, I'd still expect to be able to ping the ILB address? The behaviour I'm seeing at the moment is that when the Master is down, so is the ILB address. Is this expected?
Integration with vROps
I have tried integrating Log Insight 3.3.1 with vROps 6.2
I have a 3 node cluster with ILB setup. The integration was successful, but the link that shows up in vROps points to the Log Insight hostname (not FQDN) of the node I tried to integrate it from.
Is there a way to change the links in vROps that point to Log Insight to point to the ILB FQDN or the FQDN of the master?
Log Insight with NSX Proto 1
Hello,
We are using Log Insight to view NSX information, we have a Tag setup that sends us blocks. For the most part we see source/destination, protocol and port, however we are seeing some data where we get the Source and Destination but the Ports are empty and the firewall_protocol is coming over as "PROTO 1". It's really hard to make rules from that since we don't know the Ports; we do know the Traffic is coming from an F5 load balancer to a VM.
Any idea how we can add a rule to allow this traffic without opening it up all the way?
-Daniel
Log Insight Upgrade to 3.3.1 issues!
I'm doing some testing on the upgrade procedure from 3.0 to 3.3.1. When I connect to the master node IP address and import the pak file, after a while it tells me the upgrade is successful and to monitor the cluster status. I click on the cluster status and see the second node is now upgrading... After a few mins the admin web page for the master node is now unresponsive! When I connect to the third node and look at the cluster status, all nodes are showing version 3.0 and status connected; it seems the upgrade is hung or something!
Filelog - Monitoring Multiple Directories?
I'm trying to monitor a number of different types of log files within a main directory (i.e. C:\temp) and subdirectories. Can a wildcard be used to monitor subdirectories as well?
i.e.
[filelog|temp]
directory=C:\temp\*.*
; (doesn't appear to be supported)
include=*.log;*.txt;*.csv
or do I have to specifically state each folder?
[filelog|temp]
directory=C:\temp\
directory=C:\temp\Folder1
directory=C:\temp\Folder2
include=*.log;*.txt;*.csv
LogInsight Agent is Not sending SQL Data
Hi, I am trying to configure the Log Insight agent to read SQL log files. Here is the INI file:
; VMware Log Insight Agent configuration. Please save as UTF-8 if you use non-ASCII names / values !
; Actual configuration is this file joined with settings from server to form liagent-effective.ini
; Note: It may be more efficient to configure from server's Agents page !
[server]
hostname=10.6.3.90
; Hostname or IP address of your Log Insight server / cluster load balancer. Default:
;hostname=LOGINSIGHT
; Protocol can be cfapi (Log Insight REST API), syslog. Default:
;proto=cfapi
; Log Insight server port to connect to. Default ports for protocols (all TCP):
; syslog: 514; syslog with ssl: 6514; cfapi: 9000; cfapi with ssl: 9543. Default:
;port=9000
; SSL usage. Default:
;ssl=no
; Example of configuration with trusted CA:
;ssl=yes
;ssl_ca_path=/etc/pki/tls/certs/ca.pem
; Time in minutes to force reconnection to the server.
; This option mitigates imbalances caused by long-lived TCP connections. Default:
;reconnect=30
[logging]
; Logging verbosity: 0 (no debug messages), 1 (essentials), 2 (verbose with more impact on performance).
; This option should always be 0 under normal operating conditions. Default:
debug_level=1
[storage]
; Max local storage usage limit (data + logs) in MBs. Valid range: 100-2000 MB.
;max_disk_buffer=200
; Uncomment the following sections to collect these channels.
; The recommended way is to enable Windows content pack from LI server.
;[winlog|Application]
;channel=Application
;[winlog|Security]
;channel=Security
;[winlog|System]
;channel=System
The Windows logs are flowing but SQL logs are not coming. What am I doing wrong?
Thanks
Maneesh
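An added liagent.ini fragment (example configuration, not Maneesh's file and not the snippet from the C:\temp question above) showing what both of those posts are missing: the agent only reads a file where a [filelog|<name>] section names its directory, one section per directory, and the file posted above contains no such section, so nothing from SQL Server is read unless a filelog section is pushed from the server's Agents page. The SQL Server instance path is an assumed example, and the charset and event_marker keys are assumed to be available in this agent version; the [server], [logging] and [storage] sections of the posted file stay as they are and these sections are appended after them.

```ini
; Added example sections (not from the post). Appended to liagent.ini after the
; existing [server]/[logging]/[storage] sections.

; SQL Server error log. The instance directory is an assumed example; check
; the actual path under "Microsoft SQL Server" for your instance.
; ERRORLOG is the live file, ERRORLOG.1 ... ERRORLOG.6 are the rotated copies.
[filelog|sql-errorlog]
directory=C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Log
include=ERRORLOG*
; SQL Server writes ERRORLOG as UTF-16; without the right charset the agent
; reads garbage or nothing. (charset key assumed to exist in this agent version.)
charset=UTF-16LE
; Every event starts with "YYYY-MM-DD hh:mm:ss.nn"; lines without that stamp are
; continuations of the previous event. (event_marker key assumed to exist.)
event_marker=^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}

; The C:\temp question: one directory per section, so each folder you want
; watched gets its own section rather than several directory= lines in one.
[filelog|temp-root]
directory=C:\temp
include=*.log;*.txt;*.csv

[filelog|temp-folder1]
directory=C:\temp\Folder1
include=*.log;*.txt;*.csv

[filelog|temp-folder2]
directory=C:\temp\Folder2
include=*.log;*.txt;*.csv
```

After saving, the merged result is visible in liagent-effective.ini on the host, which is the quickest way to confirm that a section actually reached the agent and was not dropped by a parse error.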
Integration with Active Directory
I have Log Insight 3.3.1 deployed, when trying to integrate it with AD with the following params
Default Domain: FQDN for the AD Domain
Connection Type: Standard
I get the following error:
Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.
Details:
LoginException: Client not found in Kerberos database (6);
Asn1Exception: Identifier doesn't match expected value (906)
Are there any additional steps to be performed, e.g. joining the Log Insight server to the domain?
Log Insight SSL Certificate Change on Standard/Free license
Hi,
I have installed Log Insight on a number of customer sites, since VMware released it with vCenter (25 OSI Pack). If you did not know this, go ahead and install Log Insight for free. It is a great addition to your troubleshooting toolbox. Also it gets syslogs away from your vCenter, if that is not already the case.
You can set up LI to do AD authentication very easily, but you do not want that to happen on a self-signed SSL certificate, since anyone can catch your login credentials. The obvious solution would be to install an SSL certificate from your own approved PKI infrastructure, but wait, that is not possible with the Free version!
This is the message you get on the web interface when going to the SSL tab:
Log Insight is currently operating with a license that does not allow using custom SSL certificates.
In order to enable this functionality, you will need to purchase a full-feature license for Log Insight.
Please contact your VMware Account Manager or purchase directly from VMware.
?? WHAT !! Log Insight is running on a Linux open source platform on Tomcat, and you want us to pay for the ability to change the SSL certificate? I cannot in my wildest dreams imagine who came up with that idea.
Here is my silent protest against this. VMware, this is ludicrous! You want your products to be safe, not to have them make the customer network insecure!
I will probably get in trouble for what I am about to post, but I chose to interpret VMware's license statement in the sense that you are paying to use the web interface to change the SSL certificate. I refuse to believe that they are charging you money to use open source tools, on an open source platform, to tighten security on a product that would otherwise be insecure. I got a statement from VMware when asking about this. They responded that "requiring a cost for SSL certificates is a common practice and not specific to VMware".
So here goes. These are the steps to change the certificate the free and manual way:
This guide is based on the script found on the Log Insight appliance: /opt/vmware/bin/li.ssl-cert.sh
WARNING: Everything you read here is used at your own risk, and I will take no responsibility if it breaks your environment, or any other misfortune it will bring you. I am pretty sure that VMware Support will not be able to help you and you might be in violation of license policy. In other words, I am covered in Teflon.
All commands are run using PuTTY on the Log Insight (LI) appliance logged in as user root, and require you to know how to get around in Linux and change files.
- Shut down your Log Insight appliance(s) and take a snapshot for backup.
- Change the "default_bits" setting in /etc/ssl/openssl.cnf from 1024 to 2048 bits.
- Generate the certificate in PEM format.
- Generate the request:
Command: openssl req -new -nodes -out /root/rui.csr -keyout /root/rui-orig.key -config /etc/ssl/openssl.cnf
- Issue a Web Server certificate using the request /root/rui.csr using your PKI infrastructure. (You will have to figure this out for yourself. This is beyond this guide.)
- Save your new certificate as a Base64 encoded file, and move it to the LI appliance using scp. It should be located in /root and called response.cer. Do not edit any of the certificate files in Windows!
- Gather the certificates into a PFX file:
Command: openssl pkcs12 -export -in /root/response.cer -inkey /root/rui-orig.key -name rui -passout pass:vmware -out /root/newCert.pfx
- Change the certificate into PEM format:
Command: openssl pkcs12 -in /root/newCert.pfx -inkey /root/rui-orig.key -out /root/newCert.pem -nodes
- Generate the certificate chain:
Download the Root CA certificate from your PKI infrastructure in Base64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the key chain file (PEM).
Download the Intermediate CA certificate from your PKI infrastructure in Base64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the key chain file (PEM).
- Create a new file and put in the certificates in the following order (Ref: VMware vRealize Log Insight):
Log Insight public key (newCert.pem; remember to remove the x509 information in the file)
Log Insight private key (newCert.pem; remember to remove the x509 information in the file)
Intermediate CA certificate, if any is used
Root CA certificate
- Replace the certificates using the following commands:
COMMAND: TOMCAT=$(basename $(ls -td /usr/lib/loginsight/application/3rd_party/apache-tomcat-* | head -n 1))
COMMAND: cp newCert.pem /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem
COMMAND: /usr/lib/loginsight/application/sbin/custom-ssl-cerf 2>&1
You are done!
In reality, moving the certificate chain to the appliance and running the last 3 commands is what you are paying $6000 for.
If it doesn't work. Revert to snapshot, and try again. Give up or pay for a license to use the web interface to do it.
Best Regards
Brian Knutsson
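For the step above that builds the key chain file by hand (strip the x509 text out of newCert.pem, then order server certificate, private key, intermediate CA, root CA), here is an added Python example that is not part of Brian's post and not VMware's li.ssl-cert.sh: it cuts the PEM blocks out of `openssl pkcs12 -nodes` output, assembles them in that order, and checks a candidate custom.pem for the layout mistakes that leave Tomcat with a file it cannot use (leftover "Bag Attributes"/subject/issuer lines, key before certificate, two keys, no CA certificate after the key). The file contents, CN values and base64 bodies are constructed placeholders. It checks layout only with the standard library; before running the replace commands, confirm that the key actually belongs to the certificate by comparing `openssl x509 -noout -modulus -in newCert.pem` with `openssl rsa -noout -modulus -in newCert.pem`, and keep the snapshot.

```python
import re
from typing import List, Tuple

# A PEM block: the BEGIN/END markers and the base64 between them. Everything else that
# "openssl pkcs12 -nodes" prints (Bag Attributes, subject=, issuer=, Key Attributes) is the
# "x509 information" the guide says to remove.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.S,
)


def extract_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) pairs in file order; each block is markers plus base64, nothing else."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK_RE.finditer(text)]


def strip_non_pem(text: str) -> str:
    """Whatever remains once every PEM block is cut out; must be empty for a clean custom.pem."""
    return PEM_BLOCK_RE.sub("", text).strip()


def build_tomcat_chain(pkcs12_pem: str, intermediate_pems: List[str], root_pem: str) -> str:
    """Assemble custom.pem in the guide's order: server cert, private key, intermediates, root."""
    blocks = extract_pem_blocks(pkcs12_pem)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]  # "PRIVATE KEY" or "RSA PRIVATE KEY"
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError(f"expected one certificate and one key, found {len(certs)} and {len(keys)}")
    chain = [certs[0], keys[0]]
    for pem in list(intermediate_pems) + [root_pem]:
        ca_certs = [b for label, b in extract_pem_blocks(pem) if label == "CERTIFICATE"]
        if not ca_certs:
            raise ValueError("CA file contains no CERTIFICATE block (is it Base64/PEM rather than DER?)")
        chain.extend(ca_certs)
    return "\n".join(chain) + "\n"


def check_chain_layout(chain_text: str) -> List[str]:
    """Report layout problems in a candidate custom.pem; an empty list means it matches the guide."""
    problems: List[str] = []
    if strip_non_pem(chain_text):
        problems.append("text outside PEM blocks; remove the Bag Attributes/subject/issuer lines")
    labels = [label for label, _ in extract_pem_blocks(chain_text)]
    key_count = sum(1 for l in labels if l.endswith("PRIVATE KEY"))
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be the server certificate")
    if key_count != 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    elif len(labels) < 2 or not labels[1].endswith("PRIVATE KEY"):
        problems.append("private key must directly follow the server certificate")
    if key_count == 1 and len(labels) < 3:
        problems.append("no CA certificate after the key; clients will not receive the chain")
    if any(l != "CERTIFICATE" and not l.endswith("PRIVATE KEY") for l in labels):
        problems.append("unexpected block type (only CERTIFICATE and PRIVATE KEY belong here)")
    return problems


# Constructed inputs with placeholder base64 bodies, shaped like real openssl output.
CONSTRUCTED_PKCS12_OUTPUT = """Bag Attributes
    friendlyName: rui
    localKeyID: 01 02 03 04
subject=/CN=loginsight.example.test
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
U0VSVkVSQ0VSVFBMQUNFSE9MREVS
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: rui
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
U0VSVkVSS0VZUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
"""
CONSTRUCTED_INTERMEDIATE_CA = """-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFQ0FQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""
CONSTRUCTED_ROOT_CA = """-----BEGIN CERTIFICATE-----
Uk9PVENBUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    pem = build_tomcat_chain(CONSTRUCTED_PKCS12_OUTPUT, [CONSTRUCTED_INTERMEDIATE_CA], CONSTRUCTED_ROOT_CA)
    print(pem)
    print("problems:", check_chain_layout(pem))
```

Run check_chain_layout on the file you intend to copy to conf/custom.pem; if it reports anything, fix the file before the cp, since a bad chain is only discovered when Tomcat fails to come back up after the last command.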
Event Forwarding When Cluster Configured
When clustering is configured do all Nodes in the cluster do event forwarding or is it just the ILB address?
Log Insight /etc/hosts
I need to add an entry for manual DNS resolution but the /etc/hosts gets over written at each reboot. Is there a work around?
Stacking time periods in a graph
Hi
I would like to see if an issue is occurring at certain time in the day. Therefore I would like to view a 30 day period and have all days stacked, so that I only see 24 hours wide and 30 days high. In that way I could see that for example most incidents are around 10pm.
Is this possible?
Gabrie