Hi All,

I am working on configuring the Arista monitoring in Log Insight and Arista Log Insight extension needs to be installed on switches to fully leverage the content pack for Arista as per the content pack instructions. Does anyone know where can I get the extension. I tried to check with the Arista TAM as well but according to them Log Insight Extension is no longer being actively developed.

Hello,

I want to look up, when Storage I/O Control started to throttle IOps on hosts in an ESXi Cluster.

For that I analyse the storageRM logfile and I think I found the correct events, here is an example:

2020-01-08T12:14:24Z hostfqdn.local storageRM[2100418]: Throttling anomaly VOB for naa.id: 59, 0.203814

Can someone please tell me, for what the red marked values that are named right after the naa id are representing. At first I thought the first value ist the set maximum queue depth, however it sometimes it reaches value that are much lower (example: 3, 0.00112019) than what is shown in the performance metrix in the vsphere client, sometimes the value is much higher than the possible queue depth of 64 on the adapter (example: 168, 0.203217).

Does SIOC set a larger Queue Depth per LUN or Host, than the defautl maximum of 64? How are those value calculated?

Hi everyone. I need to configure an alert when specific users reboot / shutdown / power off a VM or make any virtual hardware changes to virtual machines.

Do you have any idea of how to do it?

Notes: Log insight 4.5.1

Hi,

I just took a look on the Content Pack Marketplace of our Log Insight environment. It mentioned 4 updates available, so I upgraded the VMware NSX vsphere, VMware -vSAN and VMware vRops 6.7+ content packs successfully, the upgrade of the VMware -vSpere 8.0 content pack was not succesful. The GUI throw this error:

I uninstalled the previous Content Pack v4.6 we used and made a second attempt. Unfortunately the same result. Has anyone a solution for this problem?

Hello,

I'm sending logs to logInsight and want the event time to use the provided timestamp.

Example :

timestamp=22-01-2020 15:12:53;template=;dataid=StoreHeader:storeId:11708

timestamp=22-01-2020 15:12:53;template=;dataid=StoreHeader:storeId:11101

The parsing is correct but the event time does not use the provided timestamp but the time when the log data is processed by the agent..

What's the correct way to have LogInsigh using the provided timestamp ?

Used parser:

[parser|CacheivlParser]

base_parser=kvp

fields=*

delimiter=";"

debug=yes

field_decoder={"timestamp": "TableSize_tsp_parser"}

[parser|TableSize_tsp_parser]

base_parser=timestamp

debug=no

format=%d-%m-%Y %H:%M:%S

Hello,

we use vRealize Automation with business group as a multi-tenancy environment, we want bg's users to only access their logs on the LogInsight appliance. Can anyone point me to the correct documentation?

Is it the best way to have a centralized log insight for all tenants / business groups or to have a dedicated log insight for each of them?

Hi,

From mars 2020 MS will change their default settings in AD when it comes to AD authentication with simple binding and ldap signing.

As of today our log insight system uses either simple binding or ldap without signing i guess since i get this message if i check the logs

The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:

x.x.x.48:52488

Identity the client attempted to authenticate as:

domain\serviceaccount

Binding Type:0

I have checked around and I cannot see that Log Insight supports ldap with signing so to me it seems like I have to configure LDAPS (LDAP over SSL / LDAP over TLS).

I don`t have much knowledge when it comes to certificates / PKI, but to my understanding I have to install a PKI solution.

This is a .local domain, so we cannot get a certificate from a 3 part, and its also a "closed" environment.

So my question is, do i need to implement a complete PKI solution (root ca+issuing ca) or is there some other manual way ?

The same thing goes for vCenter it seems.

Any comments ? How is your configuration ?

/regards

Andreas

We are trying to configure SSO authentication with VMWare Identity Mgr. We are getting incorrect username and password error but we are sure that username and password is correct as we tried it directly on VIDM. We even tried VIDM admin username and password too.

The only issue we can think off is the configuration is pre-populating a private IP as "Redirect URL Host"/

Hi,

I need to create a multi tenancy vRA environment and I am requested to set up RBAC in Log Insight to give access to tenant admins to relevant logs.

I installed and configured vRA 7.5+ Content Pack to ingest vRA logs.

I am able to create a data set using the "tenant" filter, but it seems that events related to user login to vRA do not contain this attribute. They can be filtered with an extracted field "tenant_name" instead, but it seems it is not possible to use an extracted field to create a data set.

If I use a data set filtered by tenant, some events like this are present:

[UTC:2020-02-11 11:21:16,595 Local:2020-02-11 11:21:16,595] vcac: [component="cafe:identity" priority="INFO" thread="tomcat-http--83" tenant="MYTENANT" context="CuIX9nPB" parent="" token="CuIX9nPB"] com.vmware.vcac.core.identity.service.impl.LocalCafeMembershipProvider.findMembershipForPrincipals:282 - Loading user info for current user '{Name: MYUSER, Domain: vsphere.local}'...

These seem related to user logon activities, but they cannot catch logon failures.

Is there a way to create data sets containing logon activity grouped by tenant?

Thank you,

Mirko

This is my first post so .. Hi All,

In my home lab I grabbed an evaluation copy of VMware ESXi, I had to use 6.0.0 as 6.7 wasn't compatible with my older CPU.

It's a HP PROLIANT Micro-server G7 - AMD Turion II Neo N54l Processor.

I enabled the UI and imported the latest Loginsight OVA but I don't get the option to reduce the size to extra small for my home lab.

left it as default for everything to my address from from DHCP.

I do not get get the expect display with the URL etc on the console once booted. I can use WindowsKey+alt+f1 to geta login prompt, and with rpoot + vmware as a password I can get into the vm  and set a new root password.

Netstat tell me that nothing is listening on 80 or 443, so my setup wizard isn't running.

Any ideas please folks ?

Cheers

Hi!

I have a vmware vcenter essentials plus license, I want to deploy vmware Insight. I've read that I dont need to purchase a license for the Insight if I need below 25-OSI, but I've tried to add the vmware vcenter plus license number to the Log Insight and does not work. Any idea?

Thanks!

Author :

URL : http:////docs.vmware.com/en/vRealize-Log-Insight/4.8/com.vmware.log-insight.developer.doc/GUID-E09A86E6-813C-48D3-B322-8F3B00609AD3.html

Topic Name : The vRealize Log Insight REST API

Publication Name : vRealize Log Insight Developer Resources

Product/Version : vRealize Log Insight/4.8

Question :

the url /rest-api is a 404 error on my Log Insight 4.8 instances. Where can I find the Log Insight 4.8 API reference?

We have a six node Log Insight 8 cluster. with 6 nodes. All the nodes are configured as large and the ingestion rate is below 15,000 which is what is ok for these nodes

I have also ran some checks on the nodes for corrupt buckets

I have switched off the 1 alert we have just to see what the issue is

The problem is that simple queries grind to a halt to the point that it becomes unusable

I have checked the cluster nodes in vRops and cannot see evidence of hardware issues

Does anyone know of ways to improve query performance in log Insight

I have logged a call with GSS as well

Interestingly enough we did not seem to have the issues with 4.8

Any help would be greatly appreciated

Following guidance and using example log data from VMWare, the test data is being parsed into separate events seemingly based on line breaks in the data. Only when I wipe the line breaks does it parse the data as one event.

Is this by-design?

Referenced guidance:

JSON Parser

Parser IS working when the event is contiguous.

HI;

iv install lunix content pack on CEntos 6.1 .

i know its not fully supported but i read a lot of threads that people have installed and succeeded.

so i ran the bin package

1058  chmod +x VMware-Log-Insight-Agent-8.0.0-14743436_172.16.10.66.bin

1059  sudo SEVERHOST=loginisght.*.* ./VMware-Log-Insight-Agent-8.0.0-14743436_172.16.10.66.bin

and the agent r running and visible to LI server.

i added the Centos to the cloned profile "linux" and still logs dont come to the LI server

this is my liagent.ini config:

[server]

hostname=172.16.10.66

; Hostname or IP address of your Log Insight server / cluster load balancer. Default:

hostname=LOGINSIGHT

; Protocol can be cfapi (Log Insight REST API), syslog, syslog_udp. Default:

proto=cfapi

;proto=syslog

; Log Insight server port to connect to. Default ports for protocols:

; syslog and syslog_udp: 514; syslog with ssl: 6514; cfapi: 9000; cfapi with ssl: 9543. Default:

port=9000

; SSL usage. Default:

;ssl=yes

; Example of configuration with trusted CA:

ssl=no

;ssl_ca_path=/etc/pki/tls/certs/ca.pem

; Time in minutes to force reconnection to the server.

; This option mitigates imbalances caused by long-lived TCP connections. Default:

reconnect=30

; Allow the agent to receive central configuration from the server.

; If disabled, only agent-side configuration will be applied. Default:

central_config=yes

[logging]

; Logging verbosity: 0 (no debug messages), 1 (essentials), 2 (verbose with more impact on performance).

; This option should always be 0 under normal operating conditions. Default:

debug_level=0

; Frequency to print agent dynamic information in minutes. Default:

;stats_period=15

; Allow the agent to automatically decrease dynamic information print period to 1 minute

; in case if agent abnormal performance is detected.

; If disabled, agent performance won't be monitored at all. Default:

;smart_stats=no

[storage]

; Max local storage usage limit (data + logs) in MBs. Valid range: 100-2000 MB.

max_disk_buffer=200

liagent centos log file:

2020-04-07 12:20:23.024779 0x00007f203c1fb720 <trace> AgentDaemon:113    | AgentDaemon start requested.

2020-04-07 12:20:23.024897 0x00007f203c1fb720 <trace>

    Agent Build     : 8.0.0.14743436

    Start Time      : 2020-04-07 12:20:23.024891

    Running as user : root

    Our Process ID  : 23221

    Executable Path : /usr/lib/loginsight-agent/bin64/liagent

    Operating System: CentOS release 6.10 (Final)  x86_64

2020-04-07 12:20:23.025126 0x00007f203c1fb720 <trace> LibVersionsInfo:138| Boost version: 1.60.0

2020-04-07 12:20:23.025138 0x00007f203c1fb720 <trace> LibVersionsInfo:138| Curl version: 7.65.3 Supported features: IPv6, TLS, Unix domain sockets

2020-04-07 12:20:23.025147 0x00007f203c1fb720 <trace> LibVersionsInfo:138| libgcc version: 4.9.4 20160222 (prerelease)

2020-04-07 12:20:23.025155 0x00007f203c1fb720 <trace> LibVersionsInfo:138| libstdc++ version: 4.9.4 20160222 (prerelease)

2020-04-07 12:20:23.025162 0x00007f203c1fb720 <trace> LibVersionsInfo:138| OpenSSL version: OpenSSL 1.0.2s-fips  28 May 2019

2020-04-07 12:20:23.025170 0x00007f203c1fb720 <trace> LibVersionsInfo:138| RapidJSON version: 1.0.2

2020-04-07 12:20:23.025178 0x00007f203c1fb720 <trace> LibVersionsInfo:138| SQLite version: 3.28.0

2020-04-07 12:20:23.025185 0x00007f203c1fb720 <trace> LibVersionsInfo:138| zlib version: 1.2.11

2020-04-07 12:20:23.027979 0x00007f203c1fb720 <trace> AgentDaemon:680    | OpenSSL FIPS mode is ON

2020-04-07 12:20:23.027999 0x00007f203c1fb720 <trace> AgentDaemon:131    | Data directory: "/var/lib/loginsight-agent"

2020-04-07 12:20:23.028031 0x00007f203c1fb720 <trace> DbConnection:34    | Opening database file /var/lib/loginsight-agent/storage/liagent.db

2020-04-07 12:20:23.028196 0x00007f203c1fb720 <trace> DbConnection:104   | Locking db for exclusive usage.

2020-04-07 12:20:23.028528 0x00007f203c1fb720 <trace> DbConnection:51    | Database "/var/lib/loginsight-agent/storage/liagent.db" opened successfully

2020-04-07 12:20:23.028725 0x00007f203c1fb720 <trace> AgentDaemon:147    | Starting AgentDaemon configuration thread

2020-04-07 12:20:23.028860 0x00007f203a063700 <trace> Logger:209         | Thread "AgentDaemon Main" has id 0x7f203a063700

2020-04-07 12:20:23.028902 0x00007f203a063700 <trace> AgentDaemon:279    | AgentDaemon main thread started

2020-04-07 12:20:23.028993 0x00007f203a063700 <trace> DbStorage:301      | Checking database integrity...

2020-04-07 12:20:23.029129 0x00007f203a063700 <trace> DbStorage:339      | Database integrity check done.

2020-04-07 12:20:23.029281 0x00007f203a063700 <trace> DbStorage:142      | DbStorage stored event id's: min = 0, max = 0

2020-04-07 12:20:23.029373 0x00007f2039662700 <trace> Logger:209         | Thread "DbStorage Maintenance" has id 0x7f2039662700

2020-04-07 12:20:23.029399 0x00007f2039662700 <trace> DbStorage:442      | DbStorage maintenance thread started.

2020-04-07 12:20:23.029456 0x00007f203a063700 <trace> AgentDaemon:286    | Agent UID:420143af-2839-13bf-2da5-e081e6a829ad

2020-04-07 12:20:23.029495 0x00007f203a063700 <trace> AgentDaemon:329    | Reading configuration received from server. Hash = 8eade4c2290919ab17d5854bf63bc7c9

2020-04-07 12:20:23.029534 0x00007f203a063700 <trace> Config:138         | Reading configuration from: /var/lib/loginsight-agent/liagent.ini

2020-04-07 12:20:23.029615 0x00007f203a063700 <warng> IniFileParser:163  | INI parser Error: duplicate key 'hostname' on line 10, ignoring line.

2020-04-07 12:20:23.029860 0x00007f203a063700 <trace> Config:331         | Read config param [server].central_config = yes

2020-04-07 12:20:23.029992 0x00007f203a063700 <trace> Config:109         | The current effective configuration is dumped into file /var/lib/loginsight-agent/liagent-effective.ini

2020-04-07 12:20:23.030054 0x00007f203a063700 <trace> Config:224         | Read config param [logging].debug_level = 0

2020-04-07 12:20:23.030069 0x00007f203a063700 <trace> AgentDaemon:393    | AgentDaemon Configuring...

2020-04-07 12:20:23.030080 0x00007f203a063700 <trace> Config:351         | Configuration key [update].auto_update is not specified. Using default: yes

2020-04-07 12:20:23.030104 0x00007f203a063700 <trace> AgentDaemon:399    | Auto update enabled...

2020-04-07 12:20:23.030119 0x00007f203a063700 <trace> UpdateHelper:324   | Starting Update helper

2020-04-07 12:20:23.030137 0x00007f203a063700 <trace> MessageListener:114| Starting update channel listener...

2020-04-07 12:20:23.030193 0x00007f203a063700 <trace> MessageListener:122| Update channel listener started successfully

2020-04-07 12:20:23.030214 0x00007f203a063700 <trace> Config:292         | Read config param [update].package_type = bin

2020-04-07 12:20:23.030232 0x00007f203a063700 <trace> Config:351         | Configuration key [update].auto_update is not specified. Using default: yes

2020-04-07 12:20:23.216494 0x00007f203a063700 <trace> UpdateHelper:339   | Update helper started successfully

2020-04-07 12:20:23.216560 0x00007f203a063700 <trace> AgentDaemon:421    | Reconfiguring update helper...

2020-04-07 12:20:23.216576 0x00007f203a063700 <trace> Config:292         | Read config param [update].package_type = bin

2020-04-07 12:20:23.216587 0x00007f203a063700 <trace> Config:351         | Configuration key [update].auto_update is not specified. Using default: yes

2020-04-07 12:20:23.216933 0x00007f203a063700 <trace> AgentDaemon:427    | Configuring Data Controllers...

2020-04-07 12:20:23.216971 0x00007f203a063700 <trace> Config:224         | Read config param [storage].max_disk_buffer = 200

2020-04-07 12:20:23.217013 0x00007f203a063700 <trace> DbConnection:150   | Setting SQLite cache_size = 8388608 bytes

2020-04-07 12:20:23.217034 0x00007f203a063700 <trace> AgentDaemon:560    | Events disk storage size limit set to 147571200 for <DEFAULT> server.

2020-04-07 12:20:23.217120 0x00007f203a063700 <trace> Config:302         | Configuration key [server].filter is not specified. Using default: {;.*;}

2020-04-07 12:20:23.217237 0x00007f203a063700 <trace> DataController:89  | Configuring collectors...

2020-04-07 12:20:23.217249 0x00007f203a063700 <trace> EventCollector:22  | ConfigureAndStart invoked for collector: filelog

2020-04-07 12:20:23.217329 0x00007f203a063700 <trace> EventCollector:47  | Configuring filelog

2020-04-07 12:20:23.217577 0x00007f203a063700 <trace> Config:331         | Read config param [filelog|com.linux.messages].enabled = yes

2020-04-07 12:20:23.217900 0x00007f203a063700 <trace> EventCollector:49  | Configuration of filelog is done

2020-04-07 12:20:23.217919 0x00007f203a063700 <trace> EventCollector:56  | Starting filelog

2020-04-07 12:20:23.218239 0x00007f202bfff700 <trace> Logger:209         | Thread "ThreadPool" has id 0x7f202bfff700

2020-04-07 12:20:23.218678 0x00007f203a063700 <warng> FLogCollectorEx:894| Currently there are no log files passing through the 'include'/'exclude' file name filter for channel <com.linux.auth>.

2020-04-07 12:20:23.218727 0x00007f203a063700 <trace> FLogCollectorEx:478| Subscribed to channel <com.linux.auth>.

2020-04-07 12:20:23.218798 0x00007f202b5fe700 <trace> Logger:209         | Thread "ThreadPool" has id 0x7f202b5fe700

2020-04-07 12:20:23.219234 0x00007f203a063700 <trace> FLogCollectorEx:478| Subscribed to channel <com.linux.messages>.

2020-04-07 12:20:23.219296 0x00007f202abfd700 <trace> Logger:209         | Thread "ThreadPool" has id 0x7f202abfd700

2020-04-07 12:20:23.219523 0x00007f203a063700 <warng> FLogCollectorEx:894| Currently there are no log files passing through the 'include'/'exclude' file name filter for channel <com.linux.syslog>.

2020-04-07 12:20:23.219550 0x00007f203a063700 <trace> FLogCollectorEx:478| Subscribed to channel <com.linux.syslog>.

2020-04-07 12:20:23.219609 0x00007f202a1fc700 <trace> Logger:209         | Thread "ThreadPool" has id 0x7f202a1fc700

2020-04-07 12:20:23.219964 0x00007f203a063700 <trace> FLogCollectorEx:478| Subscribed to channel <com.linux.maillog>.

2020-04-07 12:20:23.220355 0x00007f2028dfa700 <trace> Logger:209         | Thread "FLogThreadPool" has id 0x7f2028dfa700

2020-04-07 12:20:23.220417 0x00007f200ffff700 <trace> Logger:209         | Thread "FLogThreadPool" has id 0x7f200ffff700

2020-04-07 12:20:23.220490 0x00007f203a063700 <trace> EventCollector:59  | Started filelog

2020-04-07 12:20:23.220512 0x00007f200ebfd700 <trace> Logger:209         | Thread "FLogThreadPool" has id 0x7f200ebfd700

2020-04-07 12:20:23.220524 0x00007f203a063700 <trace> EventCollector:22  | ConfigureAndStart invoked for collector: journaldlog

2020-04-07 12:20:23.220484 0x00007f200f5fe700 <trace> Logger:209         | Thread "FLogThreadPool" has id 0x7f200f5fe700

2020-04-07 12:20:23.220534 0x00007f203a063700 <trace> EventCollector:47  | Configuring journaldlog

2020-04-07 12:20:23.220563 0x00007f203a063700 <warng> JournaldCollecto:60| Cannot find any section <journaldlog> in the configuration. The journaldlog collector will stay dormant.

2020-04-07 12:20:23.220572 0x00007f203a063700 <trace> EventCollector:49  | Configuration of journaldlog is done

2020-04-07 12:20:23.220578 0x00007f203a063700 <trace> EventCollector:56  | Starting journaldlog

2020-04-07 12:20:23.220586 0x00007f203a063700 <trace> EventCollector:59  | Started journaldlog

2020-04-07 12:20:23.220592 0x00007f203a063700 <trace> DataController:101 | Configuring transport...

2020-04-07 12:20:23.220601 0x00007f203a063700 <trace> Config:292         | Read config param [server].proto = cfapi

2020-04-07 12:20:23.220609 0x00007f203a063700 <trace> DataController:167 | Creating cfapi transport

2020-04-07 12:20:23.220622 0x00007f203a063700 <trace> Config:292         | Read config param [server].hostname = 172.16.10.66

2020-04-07 12:20:23.220633 0x00007f203a063700 <trace> Config:339         | Read config param [server].ssl = no

2020-04-07 12:20:23.220655 0x00007f203a063700 <trace> Config:224         | Read config param [server].port = 9000

2020-04-07 12:20:23.220667 0x00007f203a063700 <trace> Config:224         | Read config param [server].reconnect = 30

2020-04-07 12:20:23.220675 0x00007f203a063700 <trace> Config:351         | Configuration key [server].compress is not specified. Using default: yes

2020-04-07 12:20:23.220684 0x00007f203a063700 <trace> Config:331         | Read config param [server].central_config = yes

2020-04-07 12:20:23.227064 0x00007f203a063700 <trace> DataController:105 | Starting transport...

2020-04-07 12:20:23.227229 0x00007f203a063700 <trace> AgentDaemon:431    | AgentDaemon configured successfully

2020-04-07 12:20:23.227245 0x00007f203a063700 <trace> AgentDaemon:380    | AgentDaemon started successfully

2020-04-07 12:20:23.227215 0x00007f200e1fc700 <trace> Logger:209         | Thread "CFApiTransport" has id 0x7f200e1fc700

2020-04-07 12:20:23.227325 0x00007f200e1fc700 <trace> CFApiTransport:130 | Connecting to server 172.16.10.66:9000

2020-04-07 12:20:23.228001 0x00007f200e1fc700 <trace> CFApiTransport:152 | Connection to 172.16.10.66:9000 successfully established

2020-04-07 12:20:23.313472 0x00007f2038c61700 <trace> MessageListener:75 | Started listening to the update channel: /var/lib/loginsight-agent/update.dat

please advice.

Regards;

Elad

Hi all!!

In one of my vm with SO: Red Hat Enterprise Linux 7 (64-bit), I have installed correctly the vrli agent, and checked in the log, the comunication is right, but if I go to me vrli Panel, this agent doesn´t exists.

Could you help me?

Thks

Hi,

I Was wondering if it's possible to send alerts the other way around instead of doing from vrli to vrops but have some alerts from vrops sent to vrli,

I'm looking for some way to configure an outbound plugin to send alerts to VRLI,

thanks

Starting from some days ago I'm not able to access the Content Pack Marketplace from vRealize Log Insight.

I just get a circle spinning in the middle of the screen just like it was trying to download something but not working.

It was working in the past.

I've the same problem on 3 different installation 2 of which are 8.0 and 1 is 8.1 just upgraded.

From my browser I'm able to reach the marketplace without any problem.

Anything I can check?

Hi All,

I've inherited Log Insight from someone else and am looking at the configuration of it, we are using version 8.0

I've a question around the list of hosts .... Administration -> Management -> Hosts

Where is this list pulled from and what determines the hosts are hosts.  

The reason I'm asking is that I've multiple hosts in there that are not actually hosts, servers that are hosted in our vCenter (vCSA 6.7) but are not hosts.  There are even servers that are not hosted in the vCenter that is configured and I don't want to see them at all, they are in our domain but not managed by the vCenter we have configured.

If anyone can shed some light on it would be much appreciated.

Since updating to vRealize Log Insight v8.1 from v8.0 I'm seeing a daily "vCenter collection failed" alert. The vCenter Server in question is running v7.0 GA (VCSA), and despite the error, data is clearly being collected as I can see it in the user interface.

If I browse to the Administration -> Integration -> vSphere pane, all the details for the connection appear correct and the Collection Status is Collecting (with a green tick). ESXi hosts are also configured and log data being received. I've tried removing the connection and re-adding it, which works fine, but the daily collection failure alert is still received.

I took a look at the appliance logs and see the following output in /var/log/loginsight/runtime.log at the time the alert is raised:

[2020-04-23 22:14:14.377+0000] ["Streaming RPC Cancellation Manager Timer"/10.10.15.51 WARN] [com.vmware.loginsight.commons.rpc.cancellation.StreamingRPCCancellationPolicy] [Q-Token expired: 18d03a097850e150]
[2020-04-23 22:14:14.377+0000] ["Streaming RPC Cancellation Manager Timer"/10.10.15.51 WARN] [com.vmware.loginsight.commons.rpc.cancellation.StreamingRPCCancellationPolicy] [Q-Token expired: 629e527ebf3d756e]
[2020-04-23 22:14:14.377+0000] ["Streaming RPC Cancellation Manager Timer"/10.10.15.51 WARN] [com.vmware.loginsight.commons.rpc.cancellation.StreamingRPCCancellationPolicy] [Q-Token expired: 255553674c96a33f]
[2020-04-23 22:14:24.465+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Sending 'GET' request to URL : https://<vcsa-fqdn>/rest/appliance/system/version]
[2020-04-23 22:14:24.472+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.xml.internal.ws.monitoring] [Global client monitoring disabled. https://localhost/sdk/vimService will not be monitored]
[2020-04-23 22:14:24.474+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0002: Default [ jaxws-tubes-default.xml ] configuration file located at [ jar:file:/usr/java/jre-vmware/lib/resources.jar!/com/sun/xml/internal/ws/assembler/jaxws-tubes-default.xml ]]
[2020-04-23 22:14:24.480+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0007: No application metro.xml configuration file found.]
[2020-04-23 22:14:24.571+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Response Code : 403]
[2020-04-23 22:14:24.571+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Processed GET request to https://<vcsa-fqdn>/rest/appliance/system/version in 106msec]
[2020-04-23 22:14:24.571+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Sending 'POST' request to URL : https://<vcsa-fqdn>/rest/com/vmware/cis/session]
[2020-04-23 22:14:24.662+0000] ["pool-9-thread-6486"/10.10.15.51 INFO] [com.vmware.vapi.provider.local.LocalProvider] [call to invokeMethod for com.vmware.loginsight.api.strata.index_messages]
[2020-04-23 22:14:24.662+0000] ["pool-9-thread-6486"/10.10.15.51 INFO] [com.vmware.loginsight.commons.rpc.clientconnpool.ClientConnectionPool] [1 pooled connections to hostname: 0.0.0.0, port: 16573, service: com.vmware.loginsight.ingestion.importer.LogImporterService$Client [10 suppressed]]
[2020-04-23 22:14:24.675+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.xml.internal.ws.monitoring] [Global client monitoring disabled. https://localhost/sdk/vimService will not be monitored]
[2020-04-23 22:14:24.677+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0002: Default [ jaxws-tubes-default.xml ] configuration file located at [ jar:file:/usr/java/jre-vmware/lib/resources.jar!/com/sun/xml/internal/ws/assembler/jaxws-tubes-default.xml ]]
[2020-04-23 22:14:24.684+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0007: No application metro.xml configuration file found.]
[2020-04-23 22:14:24.710+0000] ["pool-9-thread-6486"/10.10.15.51 INFO] [com.vmware.vapi.provider.local.LocalProvider] [call to invokeMethod for com.vmware.loginsight.api.strata.flush_index]
[2020-04-23 22:14:24.796+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.xml.internal.ws.monitoring] [Global client monitoring disabled. https://localhost/sdk/vimService will not be monitored]
[2020-04-23 22:14:24.798+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0002: Default [ jaxws-tubes-default.xml ] configuration file located at [ jar:file:/usr/java/jre-vmware/lib/resources.jar!/com/sun/xml/internal/ws/assembler/jaxws-tubes-default.xml ]]
[2020-04-23 22:14:24.805+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.sun.metro.assembler] [MASM0007: No application metro.xml configuration file found.]
[2020-04-23 22:14:24.900+0000] ["DaemonCommands-thread-5651"/10.10.15.51 INFO] [com.vmware.loginsight.daemon.CommandManager] [configureHosts took 0.43497276 seconds]
[2020-04-23 22:14:24.934+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Response Code : 200]
[2020-04-23 22:14:24.934+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Processed POST request to https://<vcsa-fqdn>/rest/com/vmware/cis/session in 363msec]
[2020-04-23 22:14:24.934+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Sending 'GET' request to URL : https://<vcsa-fqdn>/rest/appliance/system/version]
[2020-04-23 22:14:24.999+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Response Code : 403]
[2020-04-23 22:14:24.999+0000] ["pool-10-thread-1"/10.10.15.51 INFO] [com.vmware.loginsight.commons.security.UrlConnectionManager] [Processed GET request to https://<vcsa-fqdn>/rest/appliance/system/version in 65msec]
[2020-04-23 22:14:25.519+0000] ["PersistentNotification-thread-20"/10.10.15.51 INFO] [com.vmware.loginsight.daemon.notifications.PersistentNotificationQueue] [Sending notification 'vCenter collection failed triggered at 2020-04-23T22:14:25.001Z
[2020-04-23 22:14:25.519+0000] ["PersistentNotification-thread-20"/10.10.15.51 INFO] [com.vmware.loginsight.notifications.EmailNotificationProvider] [Sending email notification]
[2020-04-23 22:14:25.521+0000] ["PersistentNotification-thread-20"/10.10.15.51 INFO] [com.vmware.loginsight.commons.email.Mailer] [Attempt to send html e-mail (given token=WH2aoI) from: 'loginsight@<domain>' to: '<alerting-email>' with subject: 'Log Insight Admin Alert: vCenter collection failed']

The HTTP 403 response from the /rest/appliance/system/version endpoint seems particularly relevant? If I make the same request manually using the same credentials as the vRLI server is using to connect to VCSA though, I get the expected response, so I'm not sure what's going on here.

Is this a known issue with vRLI 8.1? I updated it around the same time as VCSA to 7.0 (from 6.7), so possibly it's specific to VCSA 7.0 support? Any advice/ideas appreciated!