If I set
charset=iso-8859-1
the corresponding log file will not be collected.
If I do not set this field, the log shows up garbled.
Hi,
I am planning to use one Log Insight for 6 vCenters to collect logs from all of them. Is it possible to use only one Log Insight to monitor 6 vCenters, or do I need 6 Log Insights?
Thank you,
Vkmr.
Hello All,
This is my first post in the community and hope it fits to the community terms of use (I try my best).
I would like to know if it is possible to enable Log Insight alerts only over a specific period of time.
I was able to configure alerts for a specific filter and trigger the email notification as soon as the number of matches goes over a certain threshold. The problem is that the threshold varies depending on whether it is business hours or not. Therefore the solution would be:
- Either to define two similar alert filters with different thresholds, and enable one only during business hours and the second only outside of business hours.
- Or to define a moving threshold for the same alert filter (which I suspect is impossible for the moment).
I am currently running version 2.5.0-2347850 (an old version... I know)!
I would be thankful for any kind of help I can get, and hope for quick feedback.
Best regards,
Tarik L.
I am building a dashboard with different field tables. I can select only the extracted fields I want to show in the table, but I am unable to rename the table column headers or to reorder them.
For example, in Splunk I can use the pipe sign followed by "rename" to rename columns. Is there an equivalent in vRLI?
After installing the UCS content pack and entering the VIP as the remote syslog server in Cisco UCS Manager, I'm still not getting data. My firewall allows TCP/UDP 514 from the UCS Manager FQDN. Does the syslog get sent from a different address than UCS Manager?
Hi All,
I have Log Insight 4.3.0-5084751 installed.
I have two Log Insight forwarders installed in two different locations, which forward the logs to a central cluster of Log Insight servers.
The issue is that the source IP changes to the IP address of the forwarder when the logs are received by the main cluster. I have even configured event forwarding using the Ingestion API; based on the documentation it should preserve the source IP, but it doesn't.
I have had this issue logged with VMware support for weeks, but they are not being helpful at all!
Thanks
Hi,
We have LI agents sending logs to forwarders in different sites, and the forwarders forward the logs to the main LI cluster.
Each time we need to update the agent config we have to log in to all forwarders one by one and update the agent configuration locally.
I wonder if there is a way to manage all of the configuration centrally through the main cluster, or if there is a command line I can use to automatically copy the settings from one forwarder to another.
Thanks
I thought I'd post just a small "FYI" note for those interested in Log Insight. I've created some free blueprints and shared them with the community on VMware {code}; they automate the installation of the Log Insight agent for Linux and Windows in VMs deployed from vRealize Automation. One nice thing about these blueprints is that they download the agent directly from your Log Insight environment, so there is no need to stage the installation binaries somewhere in your estate. Find the download links below.
I am using vRLI 4.5 and vROps 6.6 and am integrating the two products together. When I add a vCenter server, the target is set to the FQDN of my vRLI cluster for most of the entries, while some contain the IP address. Ideally I want all of them to include the IP address but cannot find a way to modify the target. Does anyone know where that can be changed?
Hi,
I'm trying to migrate Log Insight authentication from AD to vIDM and am having some difficulties.
After logging in to Log Insight with SSO I'm redirected to a blank page.
I think it's because vIDM redirects to an IP address instead of a hostname. Is there a way to change this?
Any advice?
I'm using vRA-integrated vIDM with the latest versions (vRA 7.3, Log Insight 4.5).
Hello,
I have just been playing around with LI for a few days. I am impressed by the speed, but I would like to use it for some security use cases and I cannot find any way to set up complex queries via the search window.
In Splunk such a query is possible. Can this be achieved with LI?
| inputlookup event_id_4648_runas.csv | convert mktime(_time) timeformat="%Y-%m-%dT%H:%M:%S.%3Q%z" | makemv Account_Name delim="," | bucket _time span=1d | stats count by _time Unprivileged_Account_Name
| eventstats max(_time) as maxtime | stats count as num_data_samples max(eval(if(_time >= relative_time(maxtime, "-1d@d"), 'count',null))) as "count" avg(eval(if(_time<relative_time(maxtime,"-1d@d"),'count',null))) as avg stdev(eval(if(_time<relative_time(maxtime,"-1d@d"),'count',null))) as stdev by "Unprivileged_Account_Name"
| eval lowerBound=(avg-stdev*2), upperBound=(avg+stdev*2)
| eval isOutlier=if(('count' < lowerBound OR 'count' > upperBound) AND num_data_samples >=7, 1, 0)
The input can be any data; in this example it's a CSV.
Thanks for your reply.
kind regards
E.
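The statistics in the Splunk search above (daily count per account, mean and standard deviation over the earlier days, flag the latest day when it lies outside avg +/- 2*stdev and at least 7 daily samples exist) can be run outside the search UI over exported events. The following is an added example, not code from the original post and not VMware or Splunk code; it re-implements that logic in plain Python. All rows it processes are constructed sample data whose field names mirror the Splunk search, and, like the Splunk version, a day with no events for an account contributes no sample rather than a zero.

```python
"""Per-account daily count baseline with a 2-sigma outlier flag (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, stdev

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # same layout as the Splunk timeformat


def build_sample_rows():
    """Constructed sample: one row per event-ID-4648 record, like the CSV in the post."""
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    rows = []
    # svc_backup: exactly one logon per day for 7 days, then a burst on day 8.
    for day in range(8):
        for i in range(20 if day == 7 else 1):
            rows.append({"_time": (base + timedelta(days=day, minutes=i)).strftime(TIME_FMT),
                         "Unprivileged_Account_Name": "svc_backup"})
    # jdoe: a steady 3-4 logons per day for 8 days (no anomaly).
    for day in range(8):
        for i in range(3 + day % 2):
            rows.append({"_time": (base + timedelta(days=day, hours=1, minutes=i)).strftime(TIME_FMT),
                         "Unprivileged_Account_Name": "jdoe"})
    # newuser: only 3 days of history, too few samples to judge.
    for day in range(5, 8):
        rows.append({"_time": (base + timedelta(days=day, hours=2)).strftime(TIME_FMT),
                     "Unprivileged_Account_Name": "newuser"})
    # One multi-value field, split on ',' like makemv in the Splunk search.
    rows.append({"_time": (base + timedelta(days=7, hours=3)).strftime(TIME_FMT),
                 "Unprivileged_Account_Name": "svc_backup,newuser"})
    return rows


def daily_counts(rows):
    """account -> {day: count}; mirrors 'bucket _time span=1d | stats count by _time account'."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in rows:
        day = datetime.strptime(row["_time"], TIME_FMT).date().isoformat()
        for account in row["Unprivileged_Account_Name"].split(","):
            account = account.strip()
            if account:
                counts[account][day] += 1
    return counts


def flag_outliers(counts, sigma=2.0, min_samples=7):
    """Baseline each account on all days before its latest day, then test the latest day."""
    results = {}
    for account, per_day in counts.items():
        days = sorted(per_day)
        latest = per_day[days[-1]]
        history = [per_day[d] for d in days[:-1]]
        avg = mean(history) if history else None
        sd = stdev(history) if len(history) >= 2 else 0.0   # Splunk stdev is the sample stdev
        lower = upper = None
        if avg is not None:
            lower, upper = avg - sigma * sd, avg + sigma * sd
        is_outlier = int(avg is not None and len(days) >= min_samples
                         and (latest < lower or latest > upper))
        results[account] = {"count": latest, "num_data_samples": len(days), "avg": avg,
                            "stdev": sd, "lowerBound": lower, "upperBound": upper,
                            "isOutlier": is_outlier}
    return results


def analyze(rows=None):
    """Run the whole pipeline; defaults to the constructed sample rows."""
    return flag_outliers(daily_counts(build_sample_rows() if rows is None else rows))


if __name__ == "__main__":
    for account, result in analyze().items():
        print(account, result)
```

With the sample data only svc_backup is flagged: seven quiet days give a baseline of 1 with zero spread, so the burst on day 8 falls outside the bounds, while newuser has too few samples to be judged at all.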
Hi all,
I have VMs with tags assigned in the vSphere Client, e.g. a "Prod_tag" tag for production VMs and "Dev_tag" for development VMs. Unfortunately these tags do not show up in Log Insight. I would really like to write a query in Log Insight that only hits Prod VMs (and thus discards Dev VMs) by filtering or querying on the vSphere tags.
Is there a way to make this possible?
Regards,
John.
I need to get this off my chest. Nothing else in my VMware environments is leveraging this vIDM. All it is currently doing is acting as a proxy for AD, when AD integration was working just fine. Can someone please explain to me what sort of benefit or user experience this is supposed to be enhancing?
All I see is:
1. Additional parts making the installation convoluted when vIDM is not already in place.
The beautiful thing about Log Insight over the years was the simplicity of the installation and how much better it has gotten since 1.0: adding additional workers, the integrated LB (my favorite feature), integrated VIPs with tagging, and centrally controlled agents. vIDM just seems out of place with everything that LI has been.
2. Additional resources in my environment. We can say it is free for LI, but if it requires resources from your environment it is not really free.
3. I see zero benefit over the AD integration from using this in the lab.
After using it I really don't understand this move and would like to ask for AD integration to continue to be supported.
I'm making a fairly simple workflow in vRO that takes the 'context' field as input, connects via the REST API, and queries for all events that have that value in the context field, in order to output the logs associated with provisioning a system in vRA. The idea is that I can email the results on a failure, publish them to a dashboard, whatever.
I'm using vLI 4.0.0 currently, and I'm referencing the Log Insight API documentation.
I can easily do the GET query to get events and set the limit parameter to whatever I want, e.g.:
GET /api/v1/events?limit=1000&timeout=15000
But when I add the constraints I mentioned above and attempt to add the limit argument, it throws errors.
https://[host]/api/v1/events/context/CONTAINS%20[context value]/product/vra/product/vro/timestamp/%3E0
This works, but only returns 100 entries, and I know there are more. If I try either of these, whether URL-encoded or not, it errors out:
https://[host]/api/v1/events/context/CONTAINS%20[context value]/product/vra/product/vro/timestamp/%3E0?limit=1000
{"errorMessage":"invalid_constraints: timestamp GT [0?limit=1000]"}
https://[host]/api/v1/events/context/CONTAINS%20[context value]/product/vra/product/vro/timestamp/%3E0/?limit=1000
{"errorMessage":"missing_argument: ?limit=1000"}
{"errorMessage":"Handler not found for request GET /api/v1/events%3Flimit%3D1000/context/CONTAINS%20SaU96w79/product/vra/product/vro/timestamp/%3E0"}
Is anyone aware of whether it is possible to query with constraints and the limit argument in a single call?
I would hate to have to query a pile of stuff and then parse it by the context field afterward.
Hi all
Am I correct in assuming that the vRealize Log Insight for vCenter Server (25 OSI) pack that you get for free is only available with a vCenter Server Standard license, and thus NOT available if you are running a vSphere Essentials/Essentials Plus kit with vCenter Essentials?
thanks...
/Rasmus
We have a four node cluster running vSphere 6.0 U3a.
We are setting up a test and dev system for developing a datacenter.
The datacenter will need to log traffic and alerts from different sources (taps, Bro, etc.) and produce alerts to an operator if something in the logged data seems to be amiss.
The question came up that Splunk can be used to ingest the logs and data and then use the Splunk dashboards to display anomalies and alerts.
I hear Splunk can be expensive and that dashboards are somewhat difficult to develop?
vRealize Log Insight is a tool that can alert a user to what is going on in a vSphere environment (RAM spikes, disk usage, etc.).
But can vRealize Log Insight ingest the different types of data I describe above?
Is anyone doing anything similar, that is, ingesting logs and data from other sources (syslog, taps, pcap, ...) and using vRealize Log Insight to display anomalies and alerts?
thanks
I have an issue where I can see logs on the NAS but not in Log Insight.
Another issue is that the logs keep duplicating.
Is there a way to fix this?
Stars, do we have any reference docs or code samples for the Python API to pull Log Insight events for a specific host name within a time range?
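Both the vRO question further up (constraints plus a limit argument on /api/v1/events) and the request just above for Python samples (events for one host in a time range) come down to building the same URL correctly. The block below is an added example, not VMware code and not from either post. It assumes the API shape visible in the thread and in the Log Insight API reference: each constraint is a pair of path segments /<field>/<expression> where the expression is for instance "CONTAINS foo" or ">1500000000000" (timestamps in milliseconds since the epoch; the "<" form is assumed by symmetry with the ">" the thread shows), while limit and timeout are ordinary query parameters. The expression must be percent-encoded (space to %20, ">" to %3E, and any "/", "?" or "=" inside a user-supplied value, so a caller cannot inject extra path segments or a query), but the "?" and "=" that begin the query string must be left alone; encoding those too makes the server read "?limit=1000" as part of the last constraint value. The session endpoint, request body and Bearer header used in fetch_events() are assumptions about the API and are not exercised offline.

```python
"""Build (and optionally fetch) a Log Insight /api/v1/events query (added example)."""
import json
import re
import ssl
import urllib.request
from urllib.parse import quote, urlencode

FIELD_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # allow-list for constraint field names


def build_events_url(base_url, constraints, limit=None, timeout_ms=None):
    """constraints: list of (field, expression), e.g. ("context", "CONTAINS req-1234").

    The expression is quoted with safe='' so that every '/', '?', '=', space or
    '>' in it is percent-encoded; only the query string we append stays raw."""
    path = "/api/v1/events"
    for field, expression in constraints:
        if not FIELD_RE.match(field):
            raise ValueError(f"refusing field name {field!r}")
        path += f"/{field}/{quote(expression, safe='')}"
    params = {}
    if limit is not None:
        params["limit"] = int(limit)
    if timeout_ms is not None:
        params["timeout"] = int(timeout_ms)
    url = base_url.rstrip("/") + path
    return url + ("?" + urlencode(params) if params else "")


def host_time_range_url(base_url, hostname, start, end, limit=1000):
    """Events whose hostname contains `hostname` and whose timestamp lies in (start, end).

    start/end may be tz-aware datetimes or epoch seconds; the API field is in ms."""
    ms = lambda t: int((t.timestamp() if hasattr(t, "timestamp") else t) * 1000)
    return build_events_url(base_url,
                            [("hostname", f"CONTAINS {hostname}"),
                             ("timestamp", f">{ms(start)}"),
                             ("timestamp", f"<{ms(end)}")],
                            limit=limit)


def fetch_events(base_url, username, password, url, provider="Local", verify_tls=True):
    """Assumed auth flow: POST /api/v1/sessions -> sessionId, then GET url with a Bearer header.

    Keep verify_tls=True and trust the appliance CA; only disable it against a lab box."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body = json.dumps({"username": username, "password": password, "provider": provider}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/sessions", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        session_id = json.load(resp)["sessionId"]
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {session_id}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp).get("events", [])


if __name__ == "__main__":
    # Same constraints as the vRO post, with the limit appended as a real query string.
    print(build_events_url("https://li.example",
                           [("context", "CONTAINS req-1234"), ("product", "vra"),
                            ("product", "vro"), ("timestamp", ">0")], limit=1000))
    print(host_time_range_url("https://li.example", "esx-01", 1704067200, 1704153600))
```

Hand the first URL to a vRO REST operation as a literal template rather than letting the plugin re-encode it: the third error message in the vRO post, with %3F and %3D in the path, is exactly what happens when the client encodes the "?" and "=" a second time.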
Is it possible to run a reverse DNS lookup on the IP fields in a DFW log entry, so that we see the DNS names rather than the IPs?
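As an added example (not VMware code and not from the post above), here is the reverse lookup done outside Log Insight on exported or forwarded DFW lines, with the resolver injectable so the logic runs and tests without touching DNS. The three sample lines are constructed and only approximate the dfwpktlogs layout (action, ruleset/rule, direction, length, protocol, then src/sport->dst/dport). Two caveats matter to a practitioner: a PTR record is controlled by whoever owns the reverse zone for that address range, so an attacker can put any name there, and the name should be treated as decoration rather than as an identity to filter or alert on; and every lookup is a network round trip, so results are cached per IP and each lookup carries a timeout.

```python
"""Reverse-DNS enrichment of DFW packet-log lines (added example)."""
import ipaddress
import re
import socket

# src/sport->dst/dport as it appears in dfwpktlogs lines (IPv4 only here).
FLOW_RE = re.compile(r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)"
                     r"->(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)")

# Constructed sample lines; layout is approximate, not a captured log.
SAMPLE_LINES = [
    "2017-09-12T10:15:02.123Z esx-01 dfwpktlogs: 1e2f3a INET match PASS domain-c7/1001 IN 60 TCP 10.1.1.10/51234->10.1.2.20/443 S",
    "2017-09-12T10:15:03.456Z esx-02 dfwpktlogs: 1e2f3b INET match DROP domain-c7/1003 OUT 40 UDP 10.1.1.11/40000->203.0.113.9/53",
    "2017-09-12T10:15:04.000Z esx-02 vmkernel: cpu3: unrelated line without a flow",
]


def socket_resolver(ip, timeout=2.0):
    """Real PTR lookup with a timeout; returns None when nothing resolves."""
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None
    finally:
        socket.setdefaulttimeout(old)


def lookup(ip, resolver, cache):
    """Validate the address before it reaches the resolver, then look it up once."""
    try:
        ipaddress.ip_address(ip)          # rejects e.g. 999.1.1.1 that the regex lets through
    except ValueError:
        return None
    if ip not in cache:
        cache[ip] = resolver(ip)
    return cache[ip]


def enrich(lines, resolver=socket_resolver, cache=None):
    """Return one record per line; flow lines gain src/dst fields and *_name from PTR lookups."""
    cache = {} if cache is None else cache
    records = []
    for line in lines:
        rec = {"raw": line}
        m = FLOW_RE.search(line)
        if m:
            rec.update(src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]))
            for side in ("src", "dst"):
                rec[side + "_name"] = lookup(rec[side], resolver, cache)
        records.append(rec)
    return records


def render(rec):
    """Original line plus a bracketed name:port -> name:port suffix; IPs stay when unresolved."""
    if "src" not in rec:
        return rec["raw"]
    src = rec["src_name"] or rec["src"]
    dst = rec["dst_name"] or rec["dst"]
    return f"{rec['raw']}  [{src}:{rec['sport']} -> {dst}:{rec['dport']}]"


if __name__ == "__main__":
    for rec in enrich(SAMPLE_LINES):       # uses real DNS when run directly
        print(render(rec))
```

Run directly it uses the system resolver; in a pipeline you would pass a resolver backed by your internal DNS and a long-lived cache, and keep the raw line so the IP remains the field you actually query on.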
We have deployed a vROps 6.6.1 RC into our PCI environment and opened all the required ports from a vROps point of view, and all is working well. As part of deploying vROps we also updated the vRLI agent on each node to 4.5 and configured the .ini file.
According to the VMware Documentation Library and Log Insight: Port Requirements - SFlanders.net, I have worked out that I need the ports below, one way, for the agent to send the logs to Log Insight:
[table: vRealize Log Insight Agents port requirements; column contents not recovered]
The question I have is: how does Log Insight auto-update the agents if there is no port requirement for traffic from vRLI to the agents?
Thanks in advance