Channel: VMware Communities : All Content - vRealize Log Insight

First deployment. Lots of vCenter events not populating


Hello. I am doing my first deployment, running v4.30. My target vCenter is a v6.5 VCSA. The integration account I am using is an account with a Read-Only role on the vCenter inventory object. I have a couple of ESXi v6 hosts in there as well, to test.

I notice a lot of vCenter dashboards just not populating, and I have waited several days.

One is the VMware-vSphere, General-Security dashboard. I have been doing failed logins on the vCenter web client, and those attempts just don't show in "vCenter Server failed log in attempts by source and user". When I do failed login attempts to an ESXi host against its UI client, the attempts show in "ESX/ESXi failed log in attempts by source and user".

Even in the vCenter 6.5 dashboards I just can't see anything. I see some events from vCenter scattered in different places, but I feel I am really missing a lot.

I read again about the integration, and it appears a Read-Only account is just fine. Thank you for any help.


Log Insight Group Dashboards


Hello,

We have created several dashboards and I want to group them like this.

How can we do this?

Log Insight Agent autoupdate


Hello,

After upgrading from version 4.0 to 4.3, the agents were not upgraded automatically (auto-update was enabled before the upgrade). Is there a way to force the agent upgrade manually from the Log Insight server?

Thank you for your help

Log Insight proxy setting


Hello,

Is it possible to set a proxy on the Log Insight server for Internet access? I need it for the Content Pack Marketplace.

Log Insight VSAN Content Pack Not Populating Data


I have installed the VSAN Content Pack and I have yet to see a single update to the fields. Everything else is running fine, but the one content pack I have that requires no actual intervention isn't working and I am perplexed.

Log Insight Forwarder and working with SCVMM


Hi All,

I am new to LI and I have 3 questions. I have 2 sites. Site A has a LI 4.3 3-node cluster and Site B has no LI yet.

1. To collect logs from Site B, do I just install a LI forwarder in Site B and point it back to the LI cluster in Site A? (assuming connectivity, firewalls permitting)

2. Will I be able to schedule when the logs from Site B's forwarder get sent, i.e. after office hours?

3. Is there a way for LI to monitor logs from SCVMM?

Thank you very much for any assistance rendered.

Regards,

Chee Keong

Log insight query - return lines with text 'abcdef' plus the line immediately following it


Hi all,

Just wondering if anyone has tried anything like this before. I'd like to find all lines that contain the text 'abcdef' (for example), plus the line that immediately follows that line. Filtering for 'abcdef' is easy enough of course, but so far I've been having to check the timestamps on all those lines, clear the filter, and then manually find them based on timestamp to see the line that comes next. It's pretty tedious.

Would some sort of regex work maybe? I was thinking something like this:

abcdef((.*\n){2})

To me it seems like that should find the 'abcdef' string plus all characters after it, until it finds two new lines (the one at the end of the 'abcdef' line plus the new line at the end of the next line). Unfortunately, I can't seem to get any results back.

Anyone have any thoughts?

Thanks!

Greg

test: bits and pieces, lots of them


LI Agent Log Formatting


Currently looking at a design whereby the LI agent is being used to forward logs to both LI and a SIEM. The issue the SIEM integrator is having is the format of the logs compared to some other syslog agents, which enable easier parsing.

Example from LI Agent:

{"@timestamp":"2016-03-23T13:25:30.959Z",
"message":"<38>1 2016-03-23T13:24:21.095731Z aaa-xxx-ss-test.XXX.XXX Microsoft-Windows-Security-Auditing - 4688 [liagent@6876 eventrecordid=\"50747\" keywords=\"Audit Success\" opcode=\"Info\" task=\"Process Creation\"] A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-18\r\n\tAccount Name:\t\tXXX-XXX-SS-TEST$\r\n\tAccount Domain:\t\tXXXX\r\n\tLogon ID:\t\t0x3E7\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x11bc\r\n\tNew Process Name:\tC:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\Scan64.Exe\r\n\tToken Elevation Type:\tTokenElevationTypeDefault (1)\r\n\tCreator Process ID:\t0xb24\r\n\tProcess Command Line:\t\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
"@version":"1",
"tags":["multiline"],
"host":"xx.xx.xx.xx",
"port":13681,
"type":"loginsight",
"logstash_checksum":"aad474d7b793eb5fa3ff0b30e0c72950142d206cffbb4d16bf6972a3dc444767"}


Example format from NXLog:

{
  "_index": "XXX",
  "_type": "winevt",
  "_id": "AVPLvPVAhiObdUc_LyEB",
  "_score": null,
  "_source": {
    "EventTime": "2016-03-31 09:14:26",
    "Hostname": "XXXX",
    "Keywords": -9214364837600035000,
    "EventType": "AUDIT_SUCCESS",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 4688,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
    "Version": 1,
    "Task": 13312,
    "OpcodeValue": 0,
    "RecordNumber": 3913469,
    "ProcessID": 4,
    "ThreadID": 24120,
    "Channel": "Security",
    "Message": "A new process has been created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-286448784-2901391547-1905694321-1188\r\n\tAccount Name:\t\ttest\r\n\tAccount Domain:\t\ttest\r\n\tLogon ID:\t\t0x288C8A3\r\n\r\nProcess Information:\r\n\tNew Process ID:\t\t0x4424\r\n\tNew Process Name:\tC:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\r\n\tToken Elevation Type:\tTokenElevationTypeLimited (3)\r\n\tCreator Process ID:\t0x1944\r\n\tProcess Command Line:\t\"C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\" -secure -javaws -jre \"C:\\Program Files (x86)\\Java\\jre1.8.0_51\" -vma [...] -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh\r\n\r\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\r\n\r\nType 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\r\n\r\nType 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\r\n\r\nType 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
    "Category": "Process Creation",
    "Opcode": "Info",
    "SubjectUserSid": "S-1-5-21-286448784-2901391547-1905694321-1188",
    "SubjectUserName": "test",
    "SubjectDomainName": "test",
    "SubjectLogonId": "0x288c8a3",
    "NewProcessId": "0x4424",
    "NewProcessName": "C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe",
    "TokenElevationType": "%%1938",
    "CommandLine": "\"C:\\Program Files (x86)\\Java\\jre1.8.0_51\\bin\\jp2launcher.exe\" -secure -javaws -jre \"C:\\Program Files (x86)\\Java\\jre1.8.0_51\" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzICh4ODYpXEphdmFcanJlMS44LjBfNTFcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxKYXZhXGpyZTEuOC4wXzUxXGxpYlxwbHVnaW4uamFyAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXMgKHg4NilcSmF2YVxqcmUxLjguMF81MVxiaW5camF2YXcuZXhl -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh",
    "EventReceivedTime": "2016-03-31 09:14:26",
    "SourceModuleName": "eventlog",
    "SourceModuleType": "im_msvistalog",
    "@version": "1",
    "@timestamp": "2016-03-31T08:14:31.377Z",
    "host": "10.X.X.X:1063",
    "type": "winevt"
  },

As you can see from the two examples, LI and (in this case) nxlog have very different outputs for Windows events.

Can the LI agent pre-parse and add the fields ready for use?

Thanks

Horizon VM to Zero Client Link


Trying to get Log Insight to grab the C:\ProgramData\VMware\VDM\logs\pcoip_server_2017_04_24_0000111c.txt file so that we can draw a line from a VDI session to a human on the other end of a zero client (we are a school district; kids are abusive on the equipment).

There is a handy line in this file that tells me the IP of the zero client (man, DNS resolution would be nice), but I can work with this because I have my DHCP logs being absorbed by Insight as well.

MGMT_SSIG :Received session INVITE (172.24.132.97, 00-1F-D8-01-1F-C4, PRI: 0)

So from here I can get the IP and the VM name, and then compare with other logging to get the user name.

However, I have configured the agent to grab this with the Horizon Agent template, but I am not seeing it.

[filelog|PcoipAgentLogs]
directory=C:\ProgramData\VMware\VDM\logs
include=*.txt;*.log

What am I missing?
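Added example, not from the original post or from VMware: a Python join that links the VM which logged the INVITE line to the zero client's DHCP lease by MAC, assuming Log Insight holds both the pcoip_server log (with the agent hostname as the VM name) and the DHCP server's audit log; the further step from client to user name is left to the reader's other logging. All sample events are constructed.

```python
import re

# Constructed samples. Each LI event carries the agent hostname (the VDI VM)
# and the log text; the pcoip text mirrors the INVITE line quoted above, the
# DHCP rows imitate Windows DHCP audit-log rows (ID,Date,Time,Desc,IP,Host,MAC).
PCOIP_EVENTS = [
    {"hostname": "vdi-win10-042",
     "text": "MGMT_SSIG :Received session INVITE (172.24.132.97, 00-1F-D8-01-1F-C4, PRI: 0)"},
    {"hostname": "vdi-win10-043",
     "text": "MGMT_SSIG :Received session INVITE (172.24.132.99, 00-1F-D8-01-1F-C9, PRI: 0)"},
]
DHCP_LINES = [
    "10,04/24/17,07:58:01,Assign,172.24.132.97,lab3-zc-07.example.test,001FD8011FC4",
    "10,04/24/17,08:10:12,Assign,172.24.132.98,lab3-zc-08.example.test,001FD8011FC5",
]

INVITE = re.compile(r"MGMT_SSIG :Received session INVITE "
                    r"\((?P<ip>[\d.]+), (?P<mac>[0-9A-Fa-f-]{17}), PRI: \d+\)")


def norm_mac(mac):
    """Normalise 00-1F-D8-01-1F-C4, 00:1f:d8:01:1f:c4 or 001FD8011FC4 to one form."""
    return re.sub(r"[^0-9A-F]", "", mac.upper())


def dhcp_index(lines):
    """MAC -> (leased IP, client hostname) taken from DHCP 'Assign' rows."""
    idx = {}
    for line in lines:
        parts = line.split(",")
        if len(parts) >= 7 and parts[3] == "Assign":
            idx[norm_mac(parts[6])] = (parts[4], parts[5])
    return idx


def link_sessions(pcoip_events, dhcp_lines):
    """Map each VDI VM to the zero client that sent the session INVITE."""
    leases = dhcp_index(dhcp_lines)
    out = []
    for ev in pcoip_events:
        m = INVITE.search(ev["text"])
        if not m:
            continue
        mac = norm_mac(m["mac"])
        lease_ip, client = leases.get(mac, (None, None))
        out.append({
            "vm": ev["hostname"], "client_ip": m["ip"], "client_mac": mac,
            "client_host": client,
            # False when the INVITE source IP is not the DHCP lease for that
            # MAC: stale lease, static address, or a client not seen by DHCP
            "lease_matches": lease_ip == m["ip"],
        })
    return out
```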

Query or Alarm for adding reconfiguring VM


Hi,

I have a question about how to create an alarm when a user changes, for example, the memory size of a VM.

I could create an alarm when a VM is reconfigured, but I didn't see exactly what the user did. I think I am doing something wrong in the way I try to get that information out of Log Insight.

Any help is much appreciated

Frank

Log Insight entries from Log Insight are obscuring my queries


Hi

When running a query, I constantly also see entries from the Log Insight server itself that show how it is building the query. For example:

[2017-05-02 13:24:44.472+0000] [LogSearchWorker.Processor-thread-2647/xx.xx.xx.xx INFO] [com.vmware.loginsight.analytics.distributed.LogSearchWorkerService] [Received query: SELECT COUNT(item0) FROM timestamp >= 1493645084157 AND timestamp <= 1493731485011 AND (text:"performance has deteriorated" OR text:"lost access to volume") as item0 GROUP BY item0.timestamp/3600000 ORDER BY item0.timestamp DESC; token=664093c5610c8d50]

I have no need for these entries. How can I disable them?

Regards

Gabrie

How can VMware-vRealize-Log-Insight collect logs, and can it understand any?


Dear all

Hi

I want to use VMware-vRealize-Log-Insight-4.0.0-4624504, but first I want to know some features of this appliance, for example:

1 - Can it show me exactly why my virtual machine has been restarted?

2 - Can it tell me exactly when and why my ESXi host has been restarted? I want to know exactly why the ESXi host restarted, for example whether the reason is a CPU problem, memory or .......

3 - Can it tell me exactly when one of my physical networks has been disconnected?

Finally, can it collect my logs in different groups?

Can you tell me what logs it can show me?

BR

How do I use vROps content pack with vR Log Insight for a vROps cluster?


I'm evaluating vRealize Log Insight 3.0 and want my vROps cluster to log via liagent to vRLI. My vROps is a two-node cluster with a master and a data node.

I've read the PDF doc and also seen the good VMware blog: vRealize Operations Manager Content Pack for Log Insight - VMware Blogs

I've added the master node as an Agent in vRLI according to the blog (and doc) and it works. But when I add a new agent for the data node (since it's two different nodes and hostnames etc., ref. blog post) using the same structure with changed tags, I get the following errors when I save a new group (a group of one host using a hostname filter, nonetheless):

1: section with 'filelog|ANALYTICS-analytics' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
7: section with 'filelog|COLLECTOR-collector' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
14: section with 'filelog|COLLECTOR-collector_wrapper' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
21: section with 'filelog|COLLECTOR-collector_gc' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
28: section with 'filelog|WEB-web' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
35: section with 'filelog|GEMFIRE-gemfire' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
41: section with 'filelog|VIEW_BRIDGE-view_bridge' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
48: section with 'filelog|VCOPS_BRIDGE-vcops_bridge' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
55: section with 'filelog|SUITEAPI-api' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
62: section with 'filelog|SUITEAPI-suite_api' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
69: section with 'filelog|ADMIN_UI-admin_ui' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
75: section with 'filelog|CALL_STACK-call_stack' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
81: section with 'filelog|TOMCAT_WEBAPP-tomcat_webapp' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
87: section with 'filelog|OTHER-other1' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
94: section with 'filelog|OTHER-other2' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
101: section with 'filelog|OTHER-other3' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
107: section with 'filelog|OTHER-watchdog' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
114: section with 'filelog|ADAPTER-vmwareadapter' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
121: section with 'filelog|ADAPTER-vcopsadapter' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group
128: section with 'filelog|ADAPTER-openapiadapter' name is already defined in 'com.vmware.vrops.vR Ops 6.x - Master' group

"vR Ops 6.x - Master" is what I've called my agent group for my vROps master node (a one-host group). I've called my data node agent group "vR Ops 6.x - Data".

Do I just change the filelog description/name after the pipe ('|')? Like 'filelog|ANALYTICS-analytics' becomes 'filelog|ANALYTICS-analytics-data', for instance? Or is it a special filelog name that's linked with the content pack?

vRLI version is 3.0

vROps is v6.1

Syslog configuration failed during configure log insight


Dear all

Hi

After deploying Log Insight I entered the vCenter login info, but now I get this error:

Syslog configuration failed. See http://kb.vmware.com/kb/2003322 for manual configuration. (Details: Client received SOAP Fault from server: A general system error occurred: Internal error
Please see the server log to find more detail regarding exact cause of the failure.)

What is my problem?

BR


Migrate Loginsight to a new datacenter


I need to migrate a Log Insight installation to a new datacentre where the machines will receive a new IP address and ideally would inherit the new naming convention. My question is (a) is the rename/re-IP possible and (b) what is the best way to move it? Should I add another cluster node in the new datacenter and then move the primary role?

Thanks

James

problem with config log insight


Dear all

Hi

What does this mean in the Log Insight configuration?

What do I have to write in there?

BR

Log Insight CSV Parser problem


I added a CSV parser to liagent.ini with fields and a timestamp parser for an nlog-based text logfile.

The log format is ${longdate}\t${event-type:item="category"}\t${level:uppercase=true}\t${message}\t${exception} as CSV format in nlog.config.

I then added the fields Date, category, level, message and exception to a parser definition in liagent.ini.

Also, the date field is parsed by a timestamp parser.

So how can I access the configured fields in the file log definition of the agent configuration in the appliance and use them in queries for dashboards?

how can add more than one vCenter to log insight


Dear all

Hi

I have added a vCenter to my Log Insight, but now I want to add another vCenter to Log Insight and there is no option to do this. I have attached a pic from Log Insight.

Now how can I add another one to Log Insight?

BR

what does means OSI 25 in license description


Dear all

Hi

I have attached a pic of my Log Insight license description but could not understand what OSI count = 25 means.

Does that mean this can just send syslog for 25 VMs?

BR
