Channel: VMware Communities : All Content - vRealize Log Insight

Configuring vIDM via API


I've been working through creating workflows of what I'm going to call "routine configurations" that a person does when standing up a new Log Insight instance/cluster, but when I try and go and create the API call to establish vIDM configuration... the API is returning an error related to the self-signed certificate from vIDM.... which is, to put it mildly, highly annoying. My request looks like this (sanitized):

 

curl --request POST \
  --url https://<li-host>:9543/api/v1/vidm \
  --header 'authorization: Bearer SEUrE+BeXqIOGWE7Mzwza+WC8VD0yzojqHg6NTcy42UOB2NqLa2NI9ROHIQulAX1H93HH4K92neE7XLBYm4cNcxGkzJnA2V6Wpwx93bGslkM7FNBXCkZfAV/JpRkUxEvWmx98kxxZczsu5g6xiruID2jzbAwrPnF9ap5xDCIcaxyvX495uH0n7pYFp6wFGuOgi0gqfd2+BbXRtJe2A2/qisazkWsNrp7mJ7SDkw1OVSGruuAokH65QRPAjdN8c//vomgTRGS4WBzCkkT+Sl/jw==' \
  --header 'content-type: application/json' \
  --cookie JSESSIONID=51A9140CD5C6590958C0295E6A8B4263 \
  --data '{
  "acceptCert" : true,
  "enabled": true,
  "hostname": "<vidm-fqdn>",
  "port": "443",
  "tenant": "vsphere.local",
  "redirectURL": "<li-vip>",
  "username": "admin@vsphere.local",
  "password": "<password>"
}'

And the response I'm getting from the API is:

{
  "errorMessage": "VMware Identity Manager provided custom CA certificate. Unable to make SSL connection.",
  "errorCode": "VIDM_ERROR",
  "errorDetails": {
    "errorCode": "com.vmware.loginsight.api.providers.vidm.custom_ca_certificate"
  }
}

 

Anybody have any ideas why it would work in the UI (where I can review the SSL cert and accept), but not via the API? Is there something possibly missing from the API docs around a query parameter to force acceptance of the cert? I'd think the "acceptCert" parameter would do that in the JSON body, but well.........


Why aren't Alerts recognizing a 'Last Hit'


I have created an alert in Log Insight that is supposed to detect when a Windows Event ID 4740 (account lockout) is recorded. The query has a filter set to eventid=4740. The alert is set to notify 'On any match'. When an account lockout happens (Event 4740) I can edit the query and confirm it has a log detected within the last 5 minutes. Yet, the Alert never shows a "Last Hit" and thus never generates a notification email. Any idea why?

For testing I have generated many account lockouts over a 5-10 minute period and yet Log Insight never detects a hit in the "Last Hit" column. Any help would be great.

I am using LI 4.5

Alert for last received event


I want to create an alert to let me know when the last received event from a host exceeds 24 hours. I can see this information under the Administration -> Management -> Hosts view, but I would prefer that an email alert be sent. Any help would be greatly appreciated, thanks.

Filelog evtx to Loginsight Server


Hello Everyone

I have a little problem.
I want to forward evtx logs to my Loginsight Server.

The logs are stored on a networkdrive.

I temporarily copied the log to a local path (on which the Loginsight agent is installed), but the logs don't arrive at the loginsight server (I find no errors in the logs; you can find them in the attachment).

2018-01-22 11:29:56.008096 0x00000eb4 <trace> WinLogCollector:304| WinLogMonitor thread begin
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:49  | Configuration of filelog is done
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:56  | Starting filelog
2018-01-22 11:29:56.008096 0x00001ad0 <trace> Logger:147         | Thread "ThreadPool" has id 0x00001ad0
2018-01-22 11:29:56.008096 0x00001bdc <trace> FLogCollectorEx:477| Subscribed to channel <netapp>.
2018-01-22 11:29:56.008096 0x000044d0 <trace> Logger:147         | Thread "DirectoryMonitorEx" has id 0x000044d0
2018-01-22 11:29:56.008096 0x00001bdc <trace> EventCollector:59  | Started filelog
2018-01-22 11:29:56.008096 0x00005714 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00005714
2018-01-22 11:29:56.008096 0x00001bdc <trace> DataController:100 | Configuring transport...
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:297         | Configuration key [server].proto is not specified. Using default: cfapi
2018-01-22 11:29:56.008096 0x00001bdc <trace> DataController:163 | Creating cfapi transport
2018-01-22 11:29:56.008096 0x00003f88 <trace> Logger:147         | Thread "DirectoryMonitorEx Polling" has id 0x00003f88
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:287         | Read config param [server].hostname = loginsight.tdlz2.tankred.ch
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:346         | Configuration key [server].ssl is not specified. Using default: yes
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].port is not specified. Using default: 9543
2018-01-22 11:29:56.008096 0x00001bdc <trace> Config:252         | Configuration key [server].reconnect is not specified. Using default: 30
2018-01-22 11:29:56.008096 0x00002d10 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00002d10
2018-01-22 11:29:56.008096 0x00003e58 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00003e58
2018-01-22 11:29:56.008096 0x00003598 <trace> Logger:147         | Thread "FLogThreadPool" has id 0x00003598
2018-01-22 11:29:56.039342 0x00001bdc <trace> DataController:104 | Starting transport...
2018-01-22 11:29:56.039342 0x00004bc0 <trace> Logger:147         | Thread "CFApiTransport" has id 0x00004bc0
2018-01-22 11:29:56.039342 0x00004bc0 <trace> CFApiTransport:130 | Connecting to server loginsight.tdlz2.tankred.ch:9543
2018-01-22 11:29:56.039342 0x00001bdc <trace> AgentDaemon:422    | AgentDaemon configured successfully
2018-01-22 11:29:56.039342 0x00001bdc <trace> AgentDaemon:367    | AgentDaemon started successfully
2018-01-22 11:29:56.242474 0x00004bc0 <trace> CFApiTransport:150 | Connection successfully established

Can anybody help me?

 

Kind regards

Steve

[4.5] - Log Insight changing HOSTNAME


YEP Community

 

Newbie question on Log Insight......

 

After the initial config, is it possible to change the HOSTNAME of the appliance?

 

We have tried to change that in:

/etc/hosts
&
/etc/hostname

The cmd "hostname" always returns the OLD hostname.

 

Thx for your help.

content pack alerts are not reflecting in to useralerts


Hello Team,

 

I am using log insight 4.5.1 and I have imported vsphere/nsx/vsan/vrops content packs, but I am not able to see all of the predefined content pack alerts in user alerts.

I can add individual alerts from a content pack to user alerts. Is there any way to add all of the content pack alerts to user alerts?

NetApp ONTAP 9.x to Log Insight?!


Hi,

 

As there is no content pack available any more, I was wondering if anyone has successfully set up forwarding syslog messages from NetApp to Log Insight?

Are you happy with the built-in filtering options?

Could you maybe post some screenshots of how it looks.

 

Thank you!

Create an Alert for every event in VRLI


I have created a user alert for every vmotion event. I would like to send an alert every time a VM is vmotioned (to an auditing system), but it seems the best I can do is every 1 min. Is there a way to remove the snooze period for this alert?


Can you tell me how can i check the AD account lockout events in Log Insight


Hello,

Can you tell me how I can check the AD account lockout events in Log Insight.

Thank you

access log not parsing time


I have tried a few combinations of formats/parsers to get the date and time fields combined and show up in LogInsight as the timestamp field.  All the other fields work and the timestamp field populates with the timestamp of when the agent processed the file. I would have loved the CLF parser to support any white space as a delimiter, but alas no such luck.

 

This is a tab delimited file with time and date in separate fields

 

2018-02-15 13:24:47 - 192.123.241.196 GET /sample/url 200 18286 0.001 - -

 

format=(?<timestamp>[^\t]*)\t(?<timestamp>[^\t]*)\t(?<remote_auth_user>[^\t]*)\t(?<remote_ip>[^\t]*)\t(?<request_method>[^\t]*)\t(?<requested_url>[^\t]*)\t(?<status_code>[^\t]*)\t(?<response_size>[^\t]*)\t(?<request_time_sec>[^\t]*)\t"?(?<User_Agent>[^\t]*)"?\t"?(?<Referer>.*)"?

field_decoder={"timestamp": "timestamp"}

 

LogInsight agent logs:

Parser 'WebLogicAccessParser' return the following fields: timestamp="2018-02-15", timestamp="2018-02-15", remote_auth_user="-", remote_ip="192.123.241.196", request_method="GET", requested_url="/sample/url", status_code="200", response_size="18286", request_time_sec="0.001", user_agent="-", referer="-"

 

LogInsight timestamp: 2018-02-15 13:24:48.212

expected LogInsight timestamp: 2018-02-15 13:24:47.0

 

I also tried the following, with the date and time fields becoming independent from the timestamp field and the timestamp field being about 1 second out of sync. When the agent is stopped and then restarted, the timestamp is further away from the actual event.

 

format=(?<date>[^\t]*)\t(?<time>[^\t]*)\t(?<remote_auth_user>[^\t]*)\t(?<remote_ip>[^\t]*)\t(?<request_method>[^\t]*)\t(?<requested_url>[^\t]*)\t(?<status_code>[^\t]*)\t(?<response_size>[^\t]*)\t(?<request_time_sec>[^\t]*)\t"?(?<User_Agent>[^\t]*)"?\t"?(?<Referer>.*)"?

field_decoder={"date": "timestamp","time": "timestamp"}
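An added example (not from the original post or the Log Insight agent) showing what the poster wants the agent to do with the sample line: parse the tab-delimited fields in the same layout as the second format, join the separate date and time fields into one event timestamp, and measure how far the agent's ingest time drifts from it. Group names use Python's (?P<name>) syntax; the duplicate "timestamp" group in the first format would be rejected by Python's re module.

```python
import re
from datetime import datetime

# Constructed sample line, modelled on the tab-delimited access log entry in the post.
SAMPLE_LINE = "2018-02-15\t13:24:47\t-\t192.123.241.196\tGET\t/sample/url\t200\t18286\t0.001\t-\t-"

# Same field layout as the post's second format, written with Python's named-group syntax.
FORMAT = re.compile(
    r"(?P<date>[^\t]*)\t(?P<time>[^\t]*)\t(?P<remote_auth_user>[^\t]*)\t"
    r"(?P<remote_ip>[^\t]*)\t(?P<request_method>[^\t]*)\t(?P<requested_url>[^\t]*)\t"
    r"(?P<status_code>[^\t]*)\t(?P<response_size>[^\t]*)\t(?P<request_time_sec>[^\t]*)\t"
    r'"?(?P<user_agent>[^\t]*)"?\t"?(?P<referer>.*)"?'
)

def parse_access_line(line):
    """Return the parsed fields plus a single 'timestamp' built from date + time.

    Returns None when the line does not match the layout or the date/time pair is
    malformed, so a caller can fall back to the ingest time explicitly instead of
    silently getting the wrong event time.
    """
    m = FORMAT.fullmatch(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    try:
        fields["timestamp"] = datetime.strptime(
            f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return fields

def ingest_skew_seconds(fields, ingest_ts):
    """Seconds between the agent's ingest time (as logged, e.g. '2018-02-15 13:24:48.212')
    and the event's own timestamp; the post observed roughly one second of skew."""
    ingest = datetime.strptime(ingest_ts, "%Y-%m-%d %H:%M:%S.%f")
    return (ingest - fields["timestamp"]).total_seconds()

if __name__ == "__main__":
    parsed = parse_access_line(SAMPLE_LINE)
    print(parsed["timestamp"], parsed["remote_ip"], parsed["status_code"])
    print(ingest_skew_seconds(parsed, "2018-02-15 13:24:48.212"))
```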

vRA Content Pack Field


Can anyone speak to where this field comes from?

 

"vmw_vra_cat_item_name"

 

I've loaded up the vRA 7.3 content pack and some queries require it yet I've found no instance of it in my logs.  Thanks in advance

Wrong vmw_ fields value on linux liagent logs


I've installed my first LI Agent on linux yesterday to get data from our qmail and pound log to be able to query them in a simpler way.

I saw that on imported log I have various vmw_ fields (vmw_cluster,vmw_datacenter,vmw_host,vmw_object_id,vmw_vcenter,vmw_vcenter_id,vmw_vr_ops_id) that is a nice thing (I hope they'll also be used to integrate alarms into vrops so it's really good to get alerts from an application log directly into the host/cluster/etc).

The problem is that those fields have the wrong value.

My infrastructure is composed of 2 vcenter servers (I monitor both with vrops and LI) and I have SRM configured. The 2 datacenters are replicated, so I have VMs powered on in DC1 and I see them powered off in DC2.

The logs of the 2 linux servers where I have installed the LIAgent for linux report the wrong Datacenter/Cluster/Host/vmid... they report the data of the object in the Naple DC (that is the SRM placeholder machine), probably because "alphabetically" that vCenter is before the productive one for those VMs (production=ITROM, DR=ITNAP).

It seems a bug in how LI "recognizes" the object (probably it should ignore powered off objects with the name of the object reporting the data)... should I open a ticket about it?

Is there any workaround for this?

Getting Historical Data from vCenters via vRealize Log Insight


Good afternoon family:

 

I'm not new to this wonderful forum, but I am with a new organization.  It's wonderful because they actually get it!!  VMware is a must-have tool and its many products help to make our lives so much easier.

 

Currently, I have a Support Request ticket in with VMware.  It's been over a week now and we're still not getting any solutions to the problem of datastores 'dropping off' the system at just around midnight since Valentine's Day.  While waiting on guidance from VMware, I thought it would be a good idea to get Log Insight installed so that we could perhaps diagnose this ourselves.  Log Insight was installed successfully.  All our vCenters are linked to the current instance.  (We will add more nodes later.)  My challenge is that logs for the datastores in question have only been collected from the point at which Log Insight was installed.  My understanding is that Log Insight keeps approx. 90 days of logs; depending upon your storage and retention policies (aka your mileage may vary).  I'm trying to determine how I can go back and pull information from perhaps 80 days before the install.  I'm making a dangerous assumption that these logs can be pulled from various portions of the vCenter.

 

I'm open to any suggestions that you folks may have.  My gut tells me that it's something simple; I'm just overlooking something due to being stressed out.  I thank you in advance for your learned help.

Log insight search result csv export


Hi,

 

I'm using vRealise Log Insight version 4.5.1

 

I need to export the search result of interactive analysis to csv file. The default csv delimiter is a comma ",". I'm wondering if it's possible to define as delimiter a semicolon ";"

 

Thanks

ig

User alert assistance


Hello team,

 

I am new to loginsight and have configured specific user alerts however I was wondering whether it was possible to exclude the email alerts for particular timeframes. i.e. on a schedule.

 

Thanks


iDRAC Issues


I've set up a few iDRACs to log to a new Log Insight instance - the issue I'm having is that although all hosts are set up the exact same way, there are some that are not logging to Log Insight. Even when I hit the Test option and put in something like FAN1000 it notifies me that the test was a success - but I'm seeing nothing in Log Insight.

 

The other issue is that the hosts that are logging are reporting a hostname of the iDRAC network address - can this be set to the iDRAC DNS name (which I've set under iDRAC Settings --> Common Settings)

 

Thanks!

Guest operation authentication failed for operation List Processes ----- What The ????


Good morning all:

 

I've been a long time fan of vRealize Log Insight.  I finally got a position with a company that recognizes the value and we've been running a test (eval) for pre-implementation.  Last week, we began getting messages regarding the 'ingestion' rate; along with disk space and retention time messages.  In order to alleviate the warnings, I added a 2TB disk.  I specifically did NOT try to increase the size of the existing drives.  (I seem to recall that such a move can damage the entire VM.)

 

Now, the system is not functioning at all.  I keep getting the message "Guest operation authentication failed for operation List Processes [name of vm]".  I've noticed also that although the new drive shows up in the "Edit Settings" screen, I wasn't seeing any indication that the drive had been included; so I decided to reboot the system.  Now the situation is even worse because now I can't even bring up the login web page.

 

Has anyone seen this before, and more importantly, does anyone know how to fix this?  Ironically, I was supposed to be giving a team demo of vRLI to my colleagues.  However, the lack of access to the program has obviously curtailed that action.  I'm hoping that my colleagues here in the community will have the solution.  Thanks in advance for any suggestions/help that you can provide.

VMware vRealize Log Insight™ 4.6?


Any ETA for VMware vRealize Log Insight 4.6 release?

Log Insight Agent directory monitoring


Can the LI Agent for windows be set up to monitor and recurse a directory?

I have a case where the log files are organized in subdirectories. Each subdirectory name is not predictable since the name is created each time a process is launched.

This is for monitoring logs from a Docker Engine on Windows.

Each time a container is launched, a new directory is created and log file is kept in that directory.

 

Thanks

Log Insight not receiving data from Nexus switches


I am running into an issue where my Nexus 5672 switches are not logging to the Log Insight server as their syslog. I have other devices going there, esxi hosts, vCenter, NSX Manager, even TACACS - everything works great. There is no firewall in place between them and I can easily reach the LogInsight server from the switch and vice versa.

 

On the switch this is my logging server info:

logging server: enabled
{192.168.10.45}
server severity: information
server facility: local7
server VRF: default
server port: 514

 

Other servers are connecting to this syslog IP and port so this is all correct. There is a default VRF that I have nameservers using and it's all the same network, so using the default VRF is fine. The server facility I am not too familiar with and I was not sure if for some reason Log Insight is unable to handle local7 properly. Could that be related to the issue?

 

There are some specific logging lines I could add to get specific data sent; however, with logging level 6, which is what's enabled, I should be seeing SOME data, so something is definitely wrong.
