Channel: VMware Communities : All Content - vRealize Log Insight
Viewing all 1504 articles

Is it possible to enable Log Insight alerts over a specific period?


Hello All,

 

This is my first post in the community and I hope it fits the community terms of use (I try my best).

I would like to know if it is possible to enable the Log Insight alerts over a specific period of time?

I was able to configure the alerts for a specific filter, and trigger the email notification as soon as the number of matches goes over a certain threshold. The problem is that the threshold varies depending on whether it is business hours or not. Therefore the solution would be:

- Either to define two similar alert filters with different thresholds, and enable one only during business hours, and enable the second outside of business hours.

- Or to define a moving threshold for the same alert filter (which I suspect to be impossible for the moment)

 

I am currently running on a Version 2.5.0-2347850 (an old version...I know)!

 

I would be thankful for any kind of help I can get, and hope for a quick feedback

 

Best regards,

Tarik L.


Log Insight not receiving events from View Composer and View SQL servers in Horizon 7.1 environment


Hi all, am looking for some assistance getting Log Insight to monitor a Horizon View 7.1 environment. LI is successfully monitoring all our connection servers but not our Composer and SQL server.

 

LI is aware of the composer and sql server (ie both show up in the agents view).

 

The LI agent file for the composer is as follows:

 

[filelog|ViewComposer]

directory=”C:\ProgramData\VMware\View Composer\Logs”

include=vmware*.log

exclude=vmware-viewcomposer-audit.log;vmware-sviconfig.log

 

The LI agent file for the SQL is as follows:

 

[filelog|MSSQL-MYSERVER-MSSQLSERVER]

; IMPORTANT: Change the directory as per the environment

directory=D:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log

tags={"ms_product":"mssql"}

charset=UTF-16LE

exclude=*.trc;*.xel;*.mdmp;*.txt

 

At present, no events are being received by either the composer or sql servers...

 

Are these agent settings correct or do they need to be changed?

 

Thanks in advance.

My logfile is encoded as iso-8859-1, how do I set the charset field


If I set it up

charset=iso-8859-1

The corresponding log file will not be collected.

If I do not set this field, it will show up garbled.

Question on using log insight


Hi,

 

I am planning to use one Log Insight for 6 vCenters to collect logs from all vCenters. Is it possible to use only one Log Insight to monitor 6 vCenters, or do I need 6 Log Insights?

 

Thank you,

Vkmr.

Customizing Field Table headings and ordering


I am building a dashboard with different Field Tables. I am able to select only the extracted fields I want to show up in the Table, but I am unable to rename the table columns headers or to reorder them.

 

For example, in Splunk, I can use the pipe sign followed by "rename" and I can rename columns. Is there an equivalent in vRLI?

Log Insight UCS Content Pack


After installing the UCS content pack, and putting the VIP in Cisco UCS manager syslog remote server, I'm still not getting data. My firewall allows requests TCP/UDP 514 from the UCS manager FQDN. Are the syslogs sent from a different address other than UCM manager?

Configuring Log Insight 3.3.2


I deployed Log Insight from the OVF template and then started the VM. In the VM console I see the below

I can't connect to this URL - the web server is not started.

Why does the Log Insight appliance report as VMware vCenter Server Appliance?

Thanks

Ales

Purge source Logs event after vRLI collect process


Hi

 

I just wanted to know if there is a way to purge (delete) logs after the vRLI agent collects them?

 

More specifically, I would like to delete Windows logs after vRLI has collected everything, to prevent disk consumption.

 

Thanks for your help


vROps Integration


Hi,

 

For the action in vROps to "Search for logs in vRealize Log Insight", is the URL customisable? We only allow secure protocols in the environment and it's trying to connect on http rather than https.

 

Thanks

Windows Agent filelog question


I am trying to log DHCP data which lives in the C:\Windows\System32\dhcp directory. I keep getting an error:

2014-06-18 12:11:32.064285 0x00000f58 FLogCollector:213 | Invalid path specification was obtained. Channel [filelog|windowsAuditDHCP] will stay dormant until properly configured.

I assume this is a permissions issue because I do not get the error when pointing to a newly created c:\tmp directory.

2014-06-18 12:07:29.607531 0x00000a4c EventCollector:27 | ConfigureAndStart invoked for collector: FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:52 | Configuring FLogCollector
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:54 | FLogCollector configured
2014-06-18 12:07:29.607531 0x00000a4c EventCollector:61 | Starting FLogCollector
2014-06-18 12:07:29.607531 0x00000ef4 WinLogCollector:203| WinLogCollector thread begin

I tried enabling “Allow service to interact with desktop” in the service but did not seem to work. I also attempted logging in as a different user for the service instead of the default of “Local System account” with no luck. Thanks for any feedback / suggestions!

CPU based license ...


Hello,

 

If I use CPU-based Log Insight licensing, how does the log server recognize which running VMs are licensed?

(If I have a cluster with Insight licenses and one without...)

 

Best regards,

Mike

Insane high OSI count, despite actual # OSI's being well below 100


Hello,

 

I just implemented LogInsight 3.6 at a customer (100 OSI License). Done that xxxxx times. This time we noticed something really weird. The customer has 4 Horizon View 6.2.2 PODs with in total 10 Connection Brokers, 4 vCenters and 52 ESX Servers. So total ISO count is 66 if my math is correct.

 

LogInsight counts thousands of OSIs

(resulting in the license-violation thingy screaming like its butt is on fire...)

 

At first glance, we see that VDI VMs get counted too (which explains the bizarre high count). We see that the "source" is a connection broker, but the hostname in that same entry is often a VDI Desktop VM.

 

We have not installed any View Content packs etc. by the way.

 

I thought this kind of behaviour was something of the past. I know LogInsight will keep working despite the violation but ehrm, is this normal?

 

 

Kind regards,

Steven Rodenburg

Multihomed Log Insight


Has anyone been able to multihome the Log Insight appliance? I want to place it in two different VLANs: one which would be my DaaS backbone where all my tenants are, and the other my management network.

NSX DFW - Traffic Dashboard


In LogInsight 3.6 with the NSX content pack at the Distributed Firewall - Traffic Dashboard.

 

My query is on vmw_nsx_firewall_ruleid = 1010; this rule is a deny rule in NSX. The only widget that populates is "Application ports denied". IP sources or destination IP addresses do not populate.

 

When looking at the query that drives "Top Firewall Destinations", it is filtering on vmw_nsx_firewall_action contains pass. How do I get rid of the "Pass" in the widget on the dashboard so I can see all the data on the Dashboard correctly?

LogInsight and Horizon View Content Pack


I seem to be missing the concept of how the Horizon View content pack is supposed to work since my charts are not populating even though syslog data is arriving from the connection broker at the log insight collector.

 

I see this information in the tech specs for the View content pack...

 

Tech Specs

Using the Log Insight Windows Agent, which is available for download from the Log Insight Administration --> Agents page, use this liagent.ini configuration:


[filelog|ViewMain]
directory=C:\ProgramData\VMware\VDM\logs
include=log-*.txt;debug-*.txt;pcoip_agent*.txt;pcoip_server*.txt
exclude=pcoip_perf*.txt;v4v*.log;wsnm_starts.txt

Make sure that agent is installed on the base image so that it runs on each View desktop, plus it should be installed on all the other servers as well including: ALL connection, security, & composer servers.

 

and looking at the content pack definition I see a number of fields with regex values defined, which are used to derive the graphs from information already in the syslog messages

 

 

example: vmw_view_agent_build = AGENTVERSION><AGENTBUILDNUM>-?\d+</AGENTBUILDNUM

 

...so I can't understand why would an agent be needed on the View servers and View desktops. Isn't the Log Insight agent only for pulling event logs and (I'm assuming) flat files? Given that Log Insight works with and learns from any text that has been shipped to it (in this case from syslog from the connection broker), and the fact that fields such as "appname" containing the value "view" are easy enough to examine, why would anything else be needed to populate the charts in the View content pack?

 

Like I said, I seem to be missing something.

 

Regards,

Ray


Log Insight SSL Certificate Change on Standard/Free license


Hi,

 

I have installed Log Insight on a number of customer sites, since VMware released it with vCenter (25 OSI Pack). If you did not know this, go ahead and install Log Insight for free. It is a great addition to your troubleshooting toolbox. Also it gets syslogs away from your vCenter, if that is not already the case.

 

You can set up LI to do AD authentication very easily, but you do not want that to happen on a self-signed SSL certificate, since anyone can catch your login credentials. The obvious solution would be to install an SSL certificate from your own approved PKI infrastructure, but wait, that is not possible with the Free version!

 

This is the message you get on the web interface when going to the SSL tab:

Log Insight is currently operating with a license that does not allow using custom SSl certificates.

In order to enable this functionality, you will need to purchase a full-feature license for Log Insight.

Please contact you VMware Account Manager or purchase directly from VMware.

 

?? WHAT !! Log Insight is running on a Linux open source platform on Tomcat, and you want us to pay for the ability to change the SSL certificate? I cannot in my wildest dreams imagine who came up with that idea.

 

Here is my silent protest against this. VMware, this is ludicrous! You want your products to be safe, not to have them make the customer network insecure!

 

I will probably get in trouble for what I am about to post, but I chose to interpret VMware's license statement in the sense that you are paying to use the web interface to change the SSL certificate. I refuse to believe that they are charging you money to use open source tools, on an open source platform, to tighten security on a product that would otherwise be insecure. I got a statement from VMware when asking about this. They responded that "requiring a cost for SSL certificates is a common practice and not specific to VMware".

 

So here goes. These are the steps to change the certificate the free and manual way:

 

This guide is based on the script found on the Log Insight Appliance: /opt/vmware/bin/li-ssl-cert.sh

WARNING: Everything you read here is used at your own risk, and I will take no responsibility if it breaks your environment, or for any other misfortune it brings you. I am pretty sure that VMware Support will not be able to help you and you might be in violation of license policy. In other words, I am covered in Teflon.

 

All commands are run using PuTTY on the Log Insight (LI) appliance, logged in as user root. This requires you to know how to get around in Linux and change files.

 

 

  1. Shut down your Log Insight Appliance(s) and take a snapshot for backup.
    1. Change the "default_bits" setting in /etc/ssl/openssl.cnf from 1024 to 2048 bits
  2. Generate the certificate in PEM format.
    1. Generate the request
      Command: openssl req -new -nodes -out /root/rui.csr -keyout /root/rui-orig.key -config /etc/ssl/openssl.cnf
  3. Issue a Web Server certificate from the request /root/rui.csr using your PKI infrastructure. (You will have to figure this out for yourself. This is beyond this guide)
  4. Save your new certificate as a Base64 encoded file, and move it to the LI appliance using scp. It should be located in /root and called response.cer. Do not edit any of the certificate files in Windows!
  5. Gather the certificates into a PFX file
    Command: openssl pkcs12 -export -in /root/response.cer -inkey /root/rui-orig.key -name rui -passout pass:vmware -out /root/newCert.pfx
  6. Change the certificate into PEM format
    Command: openssl pkcs12 -in /root/newCert.pfx -inkey /root/rui-orig.key -out /root/newCert.pem -nodes
  7. Generate the certificate chain
    Download the Root CA Certificate from the PKI infrastructure in Base 64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the Key Chain File (PEM)
    Download the Intermediate CA Certificate from the PKI infrastructure in Base 64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the Key Chain File (PEM)
  8. Create a new file and put in the certificates in the following order. - Ref: VMware vRealize Log Insight
    Log Insight Public Key (newCert.pem. Remember to remove the x509 information in the file)
    Log Insight Private Key (newCert.pem. Remember to remove the x509 information in the file)
    Intermediate CA Certificate if any is used
    Root CA Certificate
  9. Replace the certificates using the following commands:

DATE=$(date +%s)

SSL_API_SCRIPT_IN_PROGRESS_FLAG=/tmp/ssl_api_script_in_progress

SSL_KEYSTORE_REPLACED_API_FLAG=/tmp/ssl_keystore_replaced_api

SSL_CUSTOM_KEYSTORE_UPLOADED_API_FLAG=/tmp/ssl_custum_keystore_uploaded_api

DEFAULT_KEYSTORE_STOREPASS=vmware

TOMCAT=$(basename $(ls -td /usr/lib/loginsight/application/3rd_party/apache-tomcat-* | head -n 1))

touch $SSL_API_SCRIPT_IN_PROGRESS_FLAG

cp /root/newCert.pem /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem

/usr/lib/loginsight/application/sbin/custom-ssl-cerf 2>&1

touch $SSL_KEYSTORE_REPLACED_API_FLAG

touch $SSL_CUSTOM_KEYSTORE_UPLOADED_API_FLAG

rm -f $SSL_API_SCRIPT_IN_PROGRESS_FLAG

 

You are done!

 

In reality moving the certificate chain to the appliance, and running the last commands is what you are paying 6000$ for.


If it doesn't work, revert to the snapshot and try again. Give up or pay for a license to use the web interface to do it.

 

Best Regards

Brian Knutsson
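
A pre-flight check for the file assembled in step 8 of the post above, added here as an example and not part of the original post or of VMware's li-ssl-cert.sh. It confirms that the PEM blocks appear in the order the post lists (server certificate, private key, then CA certificates), that no text such as the "Bag Attributes" lines written by openssl pkcs12 remains outside the blocks, and that the file has no Windows line endings. The function name check_li_bundle is an assumption made for this example.

```shell
#!/bin/sh
# check_li_bundle FILE   (hypothetical helper, not shipped with Log Insight)
# Prints one finding per line and returns 0 only when FILE is laid out as
# step 8 describes: certificate, private key, then zero or more CA
# certificates, with nothing outside the PEM blocks.
check_li_bundle() {
    awk '
    BEGIN { bad = 0; n = 0; inblock = 0 }
    # CRLF endings appear when the file was edited on Windows.
    /\r$/ {
        if (!crlf++) print "CRLF line endings found, first at line " NR
        bad = 1
        sub(/\r$/, "")
    }
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (inblock) { print "BEGIN inside another block at line " NR; bad = 1 }
        label = $0
        sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
        inblock = 1; n++
        if (label == "CERTIFICATE")      kind = "cert"
        else if (label ~ /PRIVATE KEY$/) kind = "key"
        else                             kind = "other"
        # Assumption: the key is unencrypted, as produced by pkcs12 -nodes.
        if (label ~ /^ENCRYPTED/) { print "block " n ": private key is encrypted"; bad = 1 }
        want = (n == 2) ? "key" : "cert"
        if (kind != want) { print "block " n ": expected " want ", found " label; bad = 1 }
        next
    }
    /^-----END [A-Z0-9 ]+-----$/ {
        endlabel = $0
        sub(/^-----END /, "", endlabel); sub(/-----$/, "", endlabel)
        if (!inblock || endlabel != label) { print "unmatched END at line " NR; bad = 1 }
        inblock = 0
        next
    }
    # Anything non-blank between blocks is leftover attribute text.
    !inblock && NF > 0 { print "stray text outside PEM block at line " NR ": " $0; bad = 1 }
    END {
        if (inblock) { print "block " n " is not terminated"; bad = 1 }
        if (n < 2)   { print "need at least a certificate and a private key"; bad = 1 }
        exit bad
    }' "$1"
}
```

Source the function and run it against the file created in step 8 before copying anything into the Tomcat conf directory; a non-zero exit status means the layout differs from what the post describes.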

LI 3.6 - Windows Agent - Cannot exclude default Channels


Hello,

 

I'm using LogInsight 3.6 and I'm not interested in ingesting Windows system event logs at all.

I am however interested in ingesting the Windows event-log channels of certain non-Microsoft applications. No more, no less. That's all I need. The application is so nice to have its own event-log channel so I don't need to muck about with logfiles etc. Just ingest the channel.

 

Inspired by a Blog-article about getting Veeam into LI, I got to work. And failed.

In the Blog they create a copy of the default Windows template and give it a name. They then tell the new template to disable all the standard Microsoft channels and create a new, custom channel X and enable it. That is the general idea I had also.

 

The problem is, I use a newer version of LI (v3.6, blog is at 3.3.1) and in 3.6 I cannot, for the life of me, copy a Windows template and save it.

I go to the dropdown, scroll all the way down, click the "copy icon" to the right of the dropdown entry for the Windows template and enter the new name of the template. All just like in the LI 3.6 manual and in the blog.

 

I then give it a filter ("hostname contains applicationX.domain.local") and click "Save new group". But it cannot save it. It says: "Failed to save configuration" immediately.

The view jumps from "build" to "edit" and shows the same error for each built-in section, saying that the name is already defined in com.microsoft.windows.Microsoft etc. etc. (see attached screenshot)

 

To summarize: Copy a Windows template, give it a name, enter the filter, click on "Save new group" and bang, it cannot be saved. I have not even done anything else yet, just wanted to save the newly copied template.

So I'm stuck. Totally stuck.

 

My goal is to say "disabled" to all the standard channels (winlog | application / winlog | Security  etc. etc.) and only add and enable a section "winlog | Custom" and enter the eventlog-channel that I want to ingest.

We have 7 application-servers and all we want is to ingest (just ingest) a very specific event-log channel and NOTHING else.

 

Any help would be greatly appreciated.

Steve

Active Directory authentication individual users work, groups do not


I've got a weird auth problem on a Log Insight cluster. I have AD integration enabled, it all tests out and if I add an AD user explicitly to the users section they can log in without a problem. If I add a group, members of that group get an Invalid username/password error. The group name appears to be validated properly because if I change a letter or a space I get an error about trying to add an invalid group.

Originally deployed 3.3, in-place upgraded to 3.6. Other than that everything seems to be running just fine. Anyone else run into this behavior before? I've got an SR but the tech initially asked about trusts (which there are trusts but the users/groups in question are members of the directly configured domain) and I do not think that my explanation was properly received.

Log Insight 3.3.1 Parse XML file?


Is Log Insight 3.3.1 able to read and parse mysql log files? I know there isn't a content pack available for mysql.

Log Insight Upgrade from 3.3.2 to 3.6


Received the following error when upgrading from 3.3.2 to 3.6 for Log Insight. Looking to see what I can do to get the upgrade to go through.

 

Failed to upgrade node: {
"error": "Failed to upgrade: Failed to install or upgrade rpm: vmware-tools-foundation-10.0.6-1.sles11.x86_64.rpm. Caused by: VMware Tools cannot install because it appears that another installation of\nVMware Tools is already present. Please remove the previous installation and\nthen attempt to install this copy of VMware Tools again.\n\nerror: %pre(vmware-tools-foundation-10.0.6-1.sles11.x86_64) scriptlet failed, exit status 1\nerror: install: %pre scriptlet failed (2), skipping vmware-tools-foundation-10.0.6-1.sles11",
"success": false,
"version": "3.6.0-4202923"
}
