Channel: VMware Communities : All Content - vRealize Log Insight

Active Directory authentication individual users work, groups do not


I've got a weird auth problem on a Log Insight cluster. I have AD integration enabled, it all tests out, and if I add an AD user explicitly to the users section they can log in without a problem. If I add a group, members of that group get an Invalid username/password error. The group name appears to be validated properly because if I change a letter or a space I get an error about trying to add an invalid group.

Originally deployed 3.3, in-place upgraded to 3.6. Other than that everything seems to be running just fine. Anyone else run into this behavior before? I've got an SR, but the tech initially asked about trusts (there are trusts, but the users/groups in question are members of the directly configured domain) and I do not think that my explanation was properly received.


vRealize Log Insight function


Dear all,

Hi,

I have a question about vRealize Log Insight.

I have read the documentation about it but really could not understand exactly how it can help me.

Can it collect logs and analyze them?

Creating Content Packs in vRealize Log Insight 3.6

Forward all critical alerts from Log Insight to vROPs


Hi,

I want to forward all critical alerts from Log Insight to vROPs. To do so, in Log Insight I go to Interactive Analysis --> Alerts --> Manage Alerts --> Select ALL Alerts --> Enable --> Check the option to "Send to vRealize Operations Manager".

Here I have to specify "Fallback Object". What is a fallback object? Does that refer to the vROPs node to forward the alerts to?

The objective here is to forward all critical alerts from ESXi hosts, vCenter servers and all other objects (forwarding logs to Log Insight) to vROPs.

Please suggest.

Thanks,

Ankit Mehrotra

Insane high OSI count, despite actual # OSI's being well below 100


Hello,

I just implemented LogInsight 3.6 at a customer (100 OSI License). Done that xxxxx times. This time we noticed something really weird. The customer has 4 Horizon View 6.2.2 PODs with in total 10 Connection Brokers, 4 vCenters and 52 ESX Servers. So the total OSI count is 66 if my math is correct.

LogInsight counts thousands of OSIs

(resulting in the license-violation thingy screaming like its butt is on fire...)

At first glance, we see that VDI VMs get counted too (which explains the bizarrely high count). We see that the "source" is a connection broker, but the hostname in that same entry is often a VDI Desktop VM.

We have not installed any View Content Packs etc., by the way.

I thought this kind of behaviour was something of the past. I know LogInsight will keep working despite the violation but ehrm, is this normal?

Kind regards,

Steven Rodenburg

Filtering forwarded events


Hi,

Trying to help the SIEM team out by limiting the amount of logs being sent from the ESXi servers. We only really require security events to be sent to the SIEM, but I think there are two options here which may work:

  • Only send security events
    • There isn't a great deal of info on the net about this; has anyone done this before and have a filter which I could copy?
  • Filter out the high volume messages.
    • I have started adding opIDs to filter out, but whilst the quantity of messages will reduce, it doesn't really help out the SIEM team as they will still need the above security event information.

Any help would be greatly appreciated.

vROps Integration


Hi,

For the action in vROps to "Search for logs in vRealize Log Insight", is the URL customisable? We only allow secure protocols in the environment and it's trying to connect on http rather than https.

Thanks

Syncing config between clusters


Hi,

To the best of my knowledge, the architecture for multi-site high availability is isolated worker clusters on each site. We have several clusters of forwarders on each site forwarding logs to these worker clusters. Global load balancers will check the health of each cluster and only forward to the local site, unless of course that site fails, and then forward to the opposite site.

When using the LI agents this becomes complicated; we will have 5 different clusters of forwarders on each site (two sites). In most scenarios the agent config will be the same across all agents and environments. Is there any way to sync from a "master" agent config across all forwarders, and indeed, the worker clusters?

Any help or experience would be appreciated.


Windows Security Logs- How to query

How do I configure Log Insight to pull several events (e.g., event IDs 4618, 4649, 4719) from the security logs of multiple Windows servers (e.g., DC1, DC2, etc.)? I have tried several options but have yet to get any hits (despite seeing the event IDs in the security logs in the specified time frame when I log on directly on the server and launch eventvwr).

Windows Agent filelog question


I am trying to log DHCP data which lives in the C:\Windows\System32\dhcp directory. I keep getting an error:

2014-06-18 12:11:32.064285 0x00000f58 FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|windowsAuditDHCP] will stay dormant until properly configured.

I assume this is a permissions issue because I do not get the error when pointing to a newly created c:\tmp directory.

2014-06-18 12:07:29.607531 0x00000a4c EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:52 | Configuring FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:54 | FLogCollector configured
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:61 | Starting FLogCollector
2014-06-18 12:07:29.607531 0x00000ef4 WinLogCollector:203| WinLogCollector thread begin

I tried enabling "Allow service to interact with desktop" in the service but it did not seem to work. I also attempted logging in as a different user for the service instead of the default of "Local System account" with no luck. Thanks for any feedback / suggestions!

LI 3.6 - Windows Agent - Cannot exclude default Channels


Hello,

I'm using LogInsight 3.6 and I'm not interested in ingesting Windows system event logs at all.

I am, however, interested in ingesting the Windows event-log channels of certain non-Microsoft applications. No more, no less. That's all I need. The application is so nice to have its own event-log channel, so I don't need to muck about with logfiles etc. Just ingest the channel.

Inspired by a blog article about getting Veeam into LI, I got to work. And failed.

In the blog they create a copy of the default Windows template and give it a name. They then tell the new template to disable all the standard Microsoft channels and create a new, custom channel X and enable it. That is the general idea I had also.

The problem is, I use a newer version of LI (v3.6, blog is at 3.3.1) and in 3.6 I cannot, for the life of me, copy a Windows template and save it.

I go to the dropdown, scroll all the way down, click the "copy icon" to the right of the dropdown entry for the Windows template and enter the new name of the template. All just like in the LI 3.6 manual and in the blog.

I then give it a filter ("hostname contains applicationX.domain.local") and click "Save new group". But it cannot save it. It says: "Failed to save configuration" immediately.

The view jumps from "build" to "edit" and shows the same error for each built-in section, saying that the name is already defined in com.microsoft.windows.Microsoft etc. etc. (see attached screenshot)

To summarize: copy a Windows template, give it a name, enter the filter, click on "Save new group" and bang, it cannot be saved. I have not even done anything else yet, just wanted to save the newly copied template.

So I'm stuck. Totally stuck.

My goal is to say "disabled" to all the standard channels (winlog | Application / winlog | Security etc. etc.) and only add and enable a section "winlog | Custom" and enter the event-log channel that I want to ingest.

We have 7 application servers and all we want is to ingest (just ingest) a very specific event-log channel and NOTHING else.

Any help would be greatly appreciated.

Steve

NSX DFW - Traffic Dashboard


In LogInsight 3.6 with the NSX content pack, at the Distributed Firewall - Traffic Dashboard.

My query is on vmw_nsx_firewall_ruleid = 1010; this rule is a deny rule in NSX. The only widget that populates is "Application ports denied". IP sources or destination IP addresses do not populate.

When looking at the query that drives "Top Firewall Destinations", it is filtering on vmw_nsx_firewall_action contains pass. How do I get rid of the "Pass" in the widget on the dashboard so I can see all the data on the dashboard correctly?

CPU based license ...


Hello,

If I use CPU based Log Insight licensing, how does the Log Server recognize which running VMs are licensed?

(if I have a cluster with Insight licenses and one without...)

Best regards,

Mike

Purge source Logs event after vRLI collect process


Hi

I just wanted to know if there is a way to purge (delete) logs after the vRLI agent collects them?

More specifically, I would like to delete Windows logs after vRLI has collected everything, to prevent disk consumption.

Thanks for your help

Multihomed Log Insight


Has anyone been able to multihome the Log Insight appliance? I want to place it in two different VLANs, one of which would be my DaaS backbone where all my tenants are and the other my management network.


Forwarding to QRadar SIEM?


I am looking for some help with forwarding Log Insight security events to IBM QRadar.

The Log Insight documentation indicates that within the syslog data being forwarded there's a "_li_source_path" field that contains the event's original source. Instead of all events showing Log Insight as the source, QRadar would need to use the "_li_source_path" value as the source. Unfortunately IBM does not have a native Log Insight parser module (DSM) to grab the "_li_source_path", but a QRadar Log Source Extension (LSX) could be configured to do this. Does anybody have an LSX XML file that they can share?

Thanks,

Tim.

Log Insight 3.3.1 Parse XML file?


Is Log Insight 3.3.1 able to read and parse MySQL log files? I know there isn't a content pack available for MySQL.

log insight install


I installed Log Insight but I have some error when it creates the deployment. What is the problem?

Error starting new deployment: java.net.UnknownHostException: VMware vRealize Log Insight: VMware vRealize Log Insight: unknown error

Log Insight Upgrade from 3.3.2 to 3.6


Received the following error when upgrading Log Insight from 3.3.2 to 3.6. Looking to see what I can do to get the upgrade to go through.

Failed to upgrade node: {
"error": "Failed to upgrade: Failed to install or upgrade rpm: vmware-tools-foundation-10.0.6-1.sles11.x86_64.rpm. Caused by: VMware Tools cannot install because it appears that another installation of\nVMware Tools is already present. Please remove the previous installation and\nthen attempt to install this copy of VMware Tools again.\n\nerror: %pre(vmware-tools-foundation-10.0.6-1.sles11.x86_64) scriptlet failed, exit status 1\nerror: install: %pre scriptlet failed (2), skipping vmware-tools-foundation-10.0.6-1.sles11",
"success": false,
"version": "3.6.0-4202923"
}

Deploying a Log Insight 3.3.2 Appliance


Deployed a new Log Insight appliance 3.3.2 and when I open the console to it I see the following. Also, when I deployed the appliance I gave it a hostname of LoginsightDMZ01, but it did not carry over when it was creating the VM.

(attached screenshot: LogInsight.PNG)
