Channel: VMware Communities : All Content - vRealize Log Insight

Active Directory lockout email alerts showing 999


Hello,


I've tried searching the forums but could not find this specific issue mentioned.

 

I've been using LogInsight to email me AD lockouts for the past year or so. It's been working well until recently. The AD lockout emails used to provide me the details of the user account that has been locked out. Now, it only shows "999". I've checked the actual event log being generated on the domain controller and it shows all the user information.

 

Any help would be appreciated.

 

Thanks in advance!


Log Insight CSV Parser problem


I added a csv parser to liagent.ini with fields and timestamp parser for an nlog-based text logfile.

The log format is ${longdate}\t${event-type:item="category"}\t{$level:uppercase=true}\t${message}\t${exception} as csv format in nlog.config.

I then added fields Date, category, level, message and exception to a parser definition in liagent.ini.

Also, the date field is parsed by a timestamp parser.

 

So how can I access the configured fields in the file log definition on the agent configuration in the appliance and use them in queries for dashboards?

vROPS logs are not being collected in Log Insight, even after configuring agents. Please guide


I have integrated vROps 6.5 with Log Insight version 4.3.
The integration is successful. From vROps I am able to go to Log Insight to check any object's logs.

But I am not able to view any logs for vROps itself in Log Insight.

I have even configured the LI agents successfully. I am still not able to view the vROps logs in LI. Please suggest.

timestamp field is not significant for vRealize REST Api.


In the vRealize Log Insight REST API, while querying the data with the URL https://localhost/api/v1/events/timestamp/>1497530830, I expect only events later than time 1497530830, but the URL is actually fetching the latest 100 events, which also include events having a timestamp less than 1497530830.

Kindly help, or suggest some other alternative for this problem.

Log Insight Forwarder and working with SCVMM


Hi All,

 

I am new to LI and I have 3 questions. I have 2 sites. Site A has a LI 4.3 3-node cluster and Site B has no LI yet.

 

1. To collect logs from Site B, do I just install a LI forwarder in Site B and point it back to the LI cluster in Site A?  (assuming connectivity, firewalls permitting)

2. Will I be able to schedule when the logs from Site B's forwarder get sent? i.e. after office hours?

3. Is there a way for LI to monitor logs from SCVMM?

 

Thank you very much for any assistance rendered.

 

Regards,

Chee Keong

duplicate host entry for VCSA


After Migration of vCenter Server (Windows) to VCSA (Appliance), I do see the VCSA twice in Log Insight under hosts.

 

1. hostname (vcsa)

2. fqdn (vcsa.domain.local)

 

Any idea why this is? Both entries can communicate events, and so it takes 2 licenses for the same vCenter!

Active Directory integration deprecated in Log Insight 4.5+


Hi All,

 

As you might know, Active Directory integration has been deprecated in Log Insight 4.5+ - VMware vRealize Log Insight 4.5 Release Notes.

 

I was wondering if VMware had any plans to add support for vCenter Single Sign-On as an authentication source in future releases of the product. It makes sense when Log Insight is used only for collecting events from vSphere.

 

Any thoughts?

 

 

Regards,

Log Insight User login


I have configured an AD Group with appropriate rights and configured AD integration.

 

For most users, they can log in, log out, log in, no issues.... However, for one user, he can only log in once. The second time, it doesn't work.

 

Not sure what is wrong with this one particular account. If I go into Access Control and delete the user, he is able to log in again, but just the first time.


Log Insight 4.0 agent for Windows does not stay connected on port 9543


I have been trying to upgrade agents to v4.0 which by default uses cfapi over SSL on port 9543. If I install the agent this way on DMZ agents they do not stay connected to Log Insight. If I start the service and monitor connections using netstat I can see that 9543 connection is established for a fleeting moment and then the connection disappears. If I change the liagent config to SSL=no then the agent works fine and stays connected on port 9000. For LAN based agents it all works fine. I've asked our Firewall team to advise and they can't see any problems with the rules or passing traffic. Any suggestions what to look for would be welcome.

 

Mark

Remove text from extracted value in a Field


Hi,

 

Is it possible to remove text from within an extracted value. Probably best to give an example of what I am trying to do:-

 

Cisco ACS logs have the commands which are run on devices. e.g.

 

CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=<cr> ],

 

I have pre and post context of:-

CmdSet=\[

\]\,

 

 

Can I use a regex in the Extracted value to remove the "CmdAV=" & "CmdArgAV=" values to return the command

 

"show running-config <cr>"

 

Thanks
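
The transformation asked about above, done as post-processing in Python outside Log Insight (an added example, not part of the original post; it makes no claim about what Log Insight's extracted fields support). The sample line and the names `extract_command`, `CMDSET_RE` and `TOKEN_RE` are constructed for illustration; only the `CmdSet=[ ... ],` fragment comes from the post.

```python
import re

# Constructed sample: the CmdSet fragment is the one quoted in the post,
# the surrounding User= and Service= fields are made up for illustration.
SAMPLE = ("User=jdoe, "
          "CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=<cr> ], "
          "Service=shell,")

# Same pre/post context as in the post: 'CmdSet=[' before, '],' after.
# Non-greedy, so an argument that itself contains '],' would cut the match short.
CMDSET_RE = re.compile(r"CmdSet=\[(.*?)\],")

# Each attribute-value token inside the brackets: CmdAV=<verb> or CmdArgAV=<arg>.
TOKEN_RE = re.compile(r"\b(CmdAV|CmdArgAV)=(\S*)")


def extract_command(line, keep_cr=True):
    """Return the command with the CmdAV=/CmdArgAV= labels removed.

    Returns None when the line has no CmdSet block or the block is empty,
    so callers can tell "no command logged" apart from an empty string.
    """
    block = CMDSET_RE.search(line)
    if block is None:
        return None
    values = [value for _label, value in TOKEN_RE.findall(block.group(1))]
    if not keep_cr:
        # Drop the terminating <cr> marker when only the typed words matter.
        values = [v for v in values if v != "<cr>"]
    return " ".join(values) if values else None


if __name__ == "__main__":
    print(extract_command(SAMPLE))                 # with the <cr> marker
    print(extract_command(SAMPLE, keep_cr=False))  # without it
```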

Log Insight 4.3 error


One of the Windows agents is crashing and won't start; it continuously retries and creates log files (currently over 200k log files created....)

 

1. What would be causing the following error?

 

2017-07-12 16:14:49.518928 0x00003438 <error> AgentDaemon:344    | AgentDaemon - EXCEPTION: Can't deserialize Event attributes count, uint64_t type expected

 

This is on Windows Server 2008 R2 with Log Insight Agent 4.3.0.5052904

 

2. How can the local log file get rotated or limited?  This is a runaway process.

Build query/alert help: No logs received from given hosts/agents


I'm struggling to figure out a way to build this as a query and subsequently as an alert. My previous post is involved in this issue. The problem I'm trying to address here is when a host or hosts stop sending logs to Log Insight for one reason or another. The reasons could be various, including failure of the agent or syslog daemon, firewall definitions changing and blocking communication, etc. For certain critical infrastructure pieces where log data is the only stateful data that needs to be preserved, having logs is immensely important. For other systems, having logs is similarly important when it comes to troubleshooting and postmortem analysis.

The goal here is to build a query/alert that detects when one or multiple hosts stop sending logs to vRLI and then to pass that alert over to vROps, associating it with the object which has stopped logging. This could be an ESXi host, vCenter, switch, or VM that has the vRLI agent installed. Creating a 1:1 mapping between host and alert is a simple thing; however, this does not scale well and is a maintenance nightmare.

Logically, I'd like to create a user-defined tag with a certain value, apply that key-value pair to an agent definition, and build a query/alert that understands for any system that contains that tag to alert when it does not see any logs for a given time period. So far, I'm not finding a way to make this happen other than to create an alert for each and every system that should be "watched". I welcome any thoughts or ideas on how to accomplish this goal.

Log Insight VSAN Content Pack Not Populating Data


I have installed the VSAN Content Pack and I have yet to see a single update to the fields. Everything else is running fine, but the one content pack I have that requires no actual intervention isn't working and I am perplexed.

Alerts to vROps are not associated with correct object


Versions involved are vRLI 4.5 and vROps 6.6. The vRLI agent is installed on a VM which is being monitored by vROps. Integrations are configured between the two products. One can view the logs of the VM from within vROps successfully. The logs sent by the vRLI agent to vRLI have the correct vROps ID embedded. But when configuring an alert based on a query for this VM that goes to vROps, it never associates the alert inside vROps with the correct object, always with the fallback object. The query was tested with both the "hostname" field or "vmw_vr_ops_id" field, and neither was successful. The alert is configured to fire when less than X events received in Y time. What are some troubleshooting steps to follow in these cases?

 

Edited to show fields involved in query and alert.

Syslog configuration failed during configure log insight


Dear all

Hi

 

After deploying Log Insight I inserted the vCenter login info, but now I get this error:

 

 

Syslog configuration failed. See http://kb.vmware.com/kb/2003322 for manual configuration. (Details: Client received SOAP Fault from server: A general system error occurred: Internal error

Please see the server log to find more detail regarding exact cause of the failure.)

 

What is my problem?

 

BR


Ability to export/import alerts in Log Insight


I see there is the ability to export alert definitions to a CSV file, but I don't see where there is the ability to import them.  I'm looking to copy and keep a consistent set of alerts across all Log Insight instances.  Does the ability exist and I'm just missing it?

 

thanks!

Extracted Field not working as expected


I have created an extracted field as in the attachment; it's to extract the username which was locked out. It's working correctly, as in the dark green section is correct and the lighter green covers the correct pre and post rules. In fact I copied the method used for another field from the content pack, so it should work!

 

The issue here is that after saving the rule, the field never shows up with the correct logs.

 

Any idea what may be causing this?

Is it possible to enable Log Insight alerts over a specific period?


Hello All,

 

This is my first post in the community and I hope it fits the community terms of use (I try my best).

I would like to know if it is possible to enable the Log Insight alerts over a specific period of time?

I was able to configure the alerts for a specific filter, and trigger the email notification as soon as the number of matches goes over a certain threshold. The problem is that the threshold varies depending on whether it is business hours or not. Therefore the solution would be:

- Either to define two similar alert filters with different thresholds, and enable one only during business hours, and enable the second outside of business hours.

- Or to define a moving threshold for the same alert filter (which I suspect to be impossible for the moment)

 

I am currently running on a Version 2.5.0-2347850 (an old version...I know)!

 

I would be thankful for any kind of help I can get, and hope for a quick feedback

 

Best regards,

Tarik L.

Log Insight not receiving events from View Composer and View SQL servers in Horizon 7.1 environment


Hi all, am looking for some assistance getting Log Insight to monitor a Horizon View 7.1 environment. LI is successfully monitoring all our connection servers but not our Composer and SQL server.

 

LI is aware of the composer and sql server (ie both show up in the agents view).

 

The LI agent file for the composer is as follows:

 

[filelog|ViewComposer]

directory=”C:\ProgramData\VMware\View Composer\Logs”

include=vmware*.log

exclude=vmware-viewcomposer-audit.log;vmware-sviconfig.log

 

The LI agent file for the SQL is as follows:

 

[filelog|MSSQL-MYSERVER-MSSQLSERVER]

; IMPORTANT: Change the directory as per the environment

directory=D:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log

tags={"ms_product":"mssql"}

charset=UTF-16LE

exclude=*.trc;*.xel;*.mdmp;*.txt

 

At present, no events are being received by either the composer or sql servers...

 

Are these agent settings correct or do they need to be changed?

 

Thanks in advance.

Juniper content pack hangs web browser


Hi,

 

Whenever we use the Juniper content pack dashboards, the web browser hangs completely. Has anyone else experienced this and found a solution? We have tried multiple computers and web browsers. We talked to VMware Support, but they couldn't help. They only suggest that we try to optimize the regex used by this content pack, but we don't have the skills to do this.

 

Thanks.
