Has anyone out there configured Log Insight 3.6.0 to authenticate to VIDM? I found the config file but I must not have populated something right so if anyone has successfully set this up please share how you did it and the values you used.
Thanks
Steve
i installed log insight but i have some error when it creat . What isproblem ?
Error starting new deployment: java.net.UnknownHostException: VMware vRealize Log Insight: VMware vRealize Log Insight: unknown error
I have created a custom query based on the following filters:
file path contains /var/log/desktone
text contains on port 389
Now this brings me multiple entries for different host names now what I want to do is create an alarm based on this query but in the alarm have it tell me which host name is generating the alarm. Is there a way to do this or do you have to create multiple alarms per host name.
We have a number of agents listed in Log Insight that have long since ceased to exist which did not have the agent uninstalled before they went, and some that are listed multiple times with only one entry showing as used recently. Is it possible to remove these old entries from Log Insight?
Thanks
Mark
I am looking for some help with forwarding Log Insight security events to IBM QRadar.
The Log Insight documentation indicates that within the SysLog data being forwarded there's a “_li_source_path” that contains the event's original source. Instead of all events showing as Log Insight as the source, QRadar would need to use the “_li_source_path” value as the source. Unfortunately IBM does not have a native Log Insight parser module (DSM) to grab the “_li_source_path”, but a QRadar Log Source Extension (LSX) could be configured to do this. Does anybody have a LSX XML file that they can share?
Thanks,
Tim.
Hello,
For Log Insight 3.3 was the vCenter 6 License useable for 25 OSI
(vRealize Log Insight for vCenter FAQ - VMware Cloud Management)
Is this valid for LogInsight 4 too?
best regrards,
Mike
I've installed the Microsoft Exchange content pack in Log Insight 2.5. We have Exchange 2012 and I've installed the Log Insight windows agent onto the Exchange servers. Additionally I added the entries described in the content pack instructions to the liagent.ini. I then attempted to setup the jobs in Task Scheduler which should run the powershell scripts that would collect the data for the Log Insight agent to pick up. The problem I'm seeing is that some of these powershell scripts aren't collecting data, specifically the exchange_perfmon_counters.log. It doesn't seem to retrieve any data. The other scripts seem to collect data but I'm questioning if it's collecting all the data that it should. Additionally, when I look at the dashboard several of the sections are completely empty (no results) - Transport, Client Access & Unified Messaging, Performance Counters, and SMTP. Is anybody successfully using this content pack?
I have some questions
1 - i have vsphere with operation manager enterprise plus 6 so if i use Log Insight for vcenter . is there any limitation for esxi or vm etc...
2- I have cisco switchs and emc vnx 5400 storage . can i use Log Insight for it . can i take all logs of switch and storage
3- What is the difference between Arcsight and Log Insight .
I've been delving into log insight recently and have a few questions:
Log insight is a very impressive and hugely useful tool. Just a few things weren't quite straightforward to me.
Appreciate any guidance.
Any content pack that I try to add to Log insight (appliance build latest version) gives me the following error at the top of the screen:
"! Error Installing (Name of content pack) Content Pack"
This happens for any type of content pack I try to install, vmware or otherwise. I've reinstalled the appliance from scratch twice and still have the same issue. I checked another thread here which stated to check the "runtime.log" but I found nothing similar to that users messages or any messages really that can tell me whats going on. Are there any other logs I can investigate or post for help?
I was wondering if anyone can provide instructions on how to add a DNS server IP address for vRealize Log Insight v3.3.1.
I need to know if there is a way to search for certain logs, by the age of that log, and delete it. Reasoning is below.
vRealize Log Insight is a good tool, but the one area where it fails spectacularly is being able to control the retention length for logs. Since vLI uses the available storage as the mechanism to determine what logs to delete or archive (if archive is setup), it is all but impossible to guarantee that a given node will have X days of logs available in the vLI. It also makes vLI very prone to "noisy neighbor" issues, where node X is producing a lot of logs and therefore consuming a lot of disk, and reducing the number/age of logs for node Y. To combat this issue, I was hoping I could run a job where it looks for messages older than X age, and deletes them. This doesn't solve the problem entirely, but it certainly helps. However, there does not appear to be a way to delete a log entry. If there is, I cannot find it.
So to re-ask the question: Is there a way to delete log entries, specifically by searching for log entries older than a certain date?
Thanks for any help.
I was wondering if there was a way to change the OVA configuration (vCPU, RAM and disk) before or after deploying the vRealize Log Insight appliance, and still receive support from VMware? The default for the small configuration is 4 vCPU, and 8 GB of RAM. We have a scenario where we may need to deploy a vRLI for some very small environments (a handful of devices), and even the small configuration would be grossly over-sized for our requirements.
Thanks for any assistance.
I have currently been testing LogInsight in a single node configuration. This server has approximately 1.5TB of event data. If I add 2 additional worker nodes to create an HA cluster:
1) Are all nodes required to have the same amount of storage assigned?
2) When I join the additional nodes, will LogInsight only store events on the 2 new nodes until they catch up to the original node? or will all 3 nodes grow at the same rate keeping the original node 1.5TB ahead on storage?
Thanks!
Hi,
Trying to help the SIEM team out by limiting the amount of logs being sent from the ESXi servers. We only really require security events to be sent to SIEM but I think there are two options here which may work:-
Any help would get greatly appreciated.
do anyone know how to config the Ldap configuration for log insight 4.0?
How many days I can keep logs ? I have vCenter 6 licenses and so not enterprise license. I made a standard log insight installation.What is the difference between HP Arcsight. This product is the best product follow the log?
I am trying to get an idea as to how well vRLI logs will compress on our SAN. I know we can encrypt the logs in transit, but I don't think they are encrypted at rest.
Additionally, I don't know what format the logs are in, so cannot forward this information to our SAN vendor to get them to estimate the compression we will receive. From what I can see, the logs appear to be compressed by vRLI, so I'm guessing that we might not get any further benefit from our SAN-level compression anyhow.
Any additional information on this would be appreciated.
Hi,
Is there a way to create custom filters that can be applied in data sets? Specifically I want to create a filter for database name from SQL Server. I have already made a custom extracted field for the database name, but I'd like to use this in the data set.
The logs are collected with an agent from the Windows Application Log where SQL Server Audit writes them.
I have noticed that the vSphere Content Pack adds filters like appname, vc_username etc, but I want to add a custom filter.
Thanks for any assistance.
Dear All,
I have a really simple question, but I can't find a solution for it.
I would like to generate reports from the vRealize Log Insight dashboards into pdf format.
Is there a way to do this?
Regards,
Krisztian