Channel: VMware Communities : All Content - vRealize Log Insight

Is there a way to include the Host IP (Source IP or Hostname) in the Log Insight User Alerts?


Hi Chaps,

I setup an alert to notify me via email whenever an RDP event log is created.

This alert is working, though what I am figuring out now is how to include the exact Source IP of that RDP session.

What's included in the alert is the "Network Address" of that endpoint.

e.g. I RDP in to 10.1xx.10.40, and it only shows the Network address in the alert; which is 10.1xx.10.1.

Here's the actual email alert:

_________________________________________________________

This alert is about your Log Insight installation on https://x.x.x.x/
Log Insight found the following 1 event matching the criteria for alert "A successful Windows RDP login was detected":
Remote Desktop Services: User authentication succeeded:

User: user1

Domain: domain1
Source Network Address: 10.1xx.10.1

Note: To avoid raising duplicate alerts, this alert will now be snoozed for the next 5 minutes (the search period for this alert).

_________________________________________________________

I have been searching online and going through the VRLI GUI one section at a time (including the User alert settings), though I can't seem to find where to configure this.

Any assistance will be greatly appreciated!
Thanks mates!

Sincerely,

Eugene


Filter failed tasks


Hello,

I am trying to filter the tasks that failed in vCenter (powering on a VM, for example), but I can't see the status of the tasks in Log Insight. For example, in vCenter a power-on virtual machine task has the status "Insufficient resources to satisfy configured failover level for vSphere HA", but I cannot find this status in Log Insight. Can tasks be filtered by status keyword, or can the failed ones be filtered?

Thank you,

Martin

Disk Cache setting is absent


Author :

URL : http://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.administration.doc/GUID-956EC67B-44B4-44BB-AF24-0DE4377F725C.html

Topic Name : Add a vRealize Log Insight Event Forwarding Destination

Publication Name : Administering vRealize Log Insight

Product/Version : vRealize Log Insight/8.1

Question :

I am using Log Insight 8.1.0-15994158 and there's no "Disk Cache" option under Advanced settings in the Event Forwarding - New Destination menu. I see only the Port and Worker Count settings; however, I can change "disk cache" at /internal/config, but everywhere in the documentation it is mentioned that this setting should be available in Event Forwarding. Do I need any special condition to get it? Thank you.

Unable to export the logs from Log insight in raw or csv format


I was unable to extract all the event logs from Log Insight 4.6.2 due to the limitation of log export to 20,000 results. I wrongly applied the solution mentioned in the KB article "VMware Knowledge Base". After that I am unable to extract any logs in CSV and Raw format and am receiving the error message "CSV format export for event trends not yet supported. Please use JSON export instead." Earlier I was able to extract the logs in JSON, CSV and Raw format up to 20,000 results.

Can someone please help me to revert the changes to previous state?

Need to reset log insight admin Password


Hi,

I want to reset the admin password in vRealize Log Insight. Our current version is 4.6.

Can anybody help me with this to reset the password?

log insight 4.8 - have 90 vSphere agents all using same username. Any way to update password on all of them instead of individually?


Log Insight 4.8 - I have 90 vSphere agents all using the same username. Is there any way to update the password on all of them instead of individually?

vRealize Log Insight 8.0.1 and AD nested groups


Hi all,

 

I have a problem with authentication of users in nested AD groups, because they are not able to login with group-based roles.

Logon is, however, possible if the same users are directly configured within Access control.

Would there be a possible solution here as explained in KB2079763 for Log Insight 4.5?

 

VMware Knowledge Base

 

Thanks!

Advice needed for correct Log Insight 'VMware - SRM 8.1+' setup for Photon linux appliances


While I have successfully deployed the LI agents to the SRM Photon appliances themselves, and can collect syslogs from each side, I am stuck with how to correctly configure directories for 'SRM_logs', etc. for the Agent configuration group, so that SRM events are properly reported by the plug-in. Is there a resource, document or KB available that goes through how to properly input values for this Agent Group?

 

Thanks in advance.


Log Insights - Agents - Parser RegExp


Hi,

 

I am a newbie to Log Insight and did well in figuring it out with the help of this community and online documentation. However, I am stuck with RegExp, and because of that I am not able to retrieve the data as expected in the tool.

I have a very large log file on one of the servers with information close to the below.

Issue: In Interactive Analytics it is displaying one row for each line, hence the below log is shown as 12 different lines for each timestamp.

 

[2020-06-10T15:28:10-04:00] [OBIPS] [TRACE:1] [] [saw.rpc.server.processHeartbeat] [ecid: xxxxxxxxxxxxxxxxxxxxxx,0] [tid: 3793676032] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: ] Processing heartbeat message.[[
File:socketrpcserver.cpp
Line:399
Location:
saw.rpc.server.processHeartbeat
saw.rpc.server.responder
saw.rpc.server
saw.rpc.server.handleConnection
saw.rpc.server.dispatch
saw.threadpool.socketrpcserver
saw.threads
]]

 

So I have used the following RegExp code, which works perfectly when I checked it on https://regex101.com/ . But it hasn't improved my results.

 

(?<DateTime>\[.*?\]) (?<OBIPS>\[.*?\]) (?<TRACE>\[.*?\]) (?<EMP>\[.*?\]) (?<FRISTMSG>\[.*?\]) (?<ECID>\[.*?\]) (?<TID>\[.*?\]) (?<SINAME>\[.*?\]) (?<IDDNAME>\[.*?\]) (?<IDDGUID>\[.*?\]) (?<USRID>\[.*?\[)(?<COMPLETE>\[\s*[\w\W]*?\]\])

 

I have attached some screenshots and the above scenario in the document. Could you please take a look at it and help me out?

 

I greatly appreciate your responses and help.

 

Thank you,

Rama
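Added example (not from the post or from the Log Insight agent): a small Python parser that first glues the physical lines of the OBIPS sample above into one logical record per timestamped line, then applies a named-group pattern in the spirit of the poster's regex (Python spells named groups `(?P<name>...)`). The field names and the second sample record are constructed for illustration.

```python
import re

# Constructed sample in the OBIPS layout quoted in the post: each logical event
# opens with a timestamped line and ends with a "[[ ... ]]" trailer spread over
# several physical lines (the second record is made up for illustration).
SAMPLE_LOG = """\
[2020-06-10T15:28:10-04:00] [OBIPS] [TRACE:1] [] [saw.rpc.server.processHeartbeat] [ecid: xxxxxxxxxxxxxxxxxxxxxx,0] [tid: 3793676032] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: ] Processing heartbeat message.[[
File:socketrpcserver.cpp
Line:399
Location:
saw.rpc.server.processHeartbeat
saw.rpc.server.responder
]]
[2020-06-10T15:28:11-04:00] [OBIPS] [WARNING:1] [] [saw.security.session] [ecid: yyyyyyyyyyyyyyyyyyyyyy,0] [tid: 3793676033] [SI-Name: ] [IDD-Name: ] [IDD-GUID: ] [userId: alice] Session closed.[[
File:session.cpp
Line:12
]]
"""

# Only a line that opens with an ISO-8601 timestamp starts a new record.
RECORD_START = re.compile(r"^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Named groups mirror the bracketed fields; DOTALL lets the trailer span lines.
FIELDS = re.compile(
    r"^\[(?P<timestamp>[^\]]*)\] \[(?P<component>[^\]]*)\] \[(?P<level>[^\]]*)\] "
    r"\[(?P<empty>[^\]]*)\] \[(?P<source>[^\]]*)\] \[ecid: (?P<ecid>[^\]]*)\] "
    r"\[tid: (?P<tid>[^\]]*)\] \[SI-Name: (?P<si_name>[^\]]*)\] "
    r"\[IDD-Name: (?P<idd_name>[^\]]*)\] \[IDD-GUID: (?P<idd_guid>[^\]]*)\] "
    r"\[userId: (?P<user_id>[^\]]*)\] (?P<message>.*?)\[\[(?P<detail>.*?)\]\]\s*$",
    re.DOTALL,
)

def split_records(text):
    """Glue continuation lines onto the timestamped line that opened the record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records

def parse_log(text):
    """Return one dict per logical event; records that do not match are dropped."""
    events = []
    for m in filter(None, map(FIELDS.match, split_records(text))):
        fields = m.groupdict()
        fields["detail"] = fields["detail"].strip()  # File/Line/Location block
        events.append(fields)
    return events
```

The twelve physical lines of the first record come back as a single event whose `detail` holds the File, Line and Location frames, which is the grouping the poster wants to see in Interactive Analytics.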

Log Insight Agent - Collect Windows Events with Specific Text


I have been using the Agent Configuration to collect specific Windows Event IDs, as in the example below, which works fine. In this example, the agent is collecting AppLocker events with ID 8004.

 

According to Event Fields and Operators , you should be able to use "Text" in an expression, but have not been successful so far.

 

But I am trying to filter further, by collecting events that contain specific text such as "powershell". I have tried expressions such as the following ones in the Whitelist filter expression, but with no success:

 

Text == \b(\w*powershell\w*)\b             (regex expression)

or

Text="powershell"

 

Any ideas on what the proper syntax should be?

 

Thank you

 

Note: Obviously, I can filter after all events are collected, but wanted to see if I could avoid needlessly ingesting events that are of no value.

(Attachment: AgentConfiguration.jpg)

Is there a loginsight dashboard to view IOPS?


I'm trying to find a dashboard that can identify high-utilization SCSI IOPS, particularly to benchmark what the IOPS are and whether there would be any benefit in using PVSCSI.

 

Thanks,

Tom

Gateway Missing on Log Insight Upgrade


I performed an upgrade of Log Insight 4.8 to 8.0. All went well except there was no network connectivity. I tracked that down to a missing gateway. Then I ran into another problem. How do you edit the network config? You have my permission to color me goofy because I've looked under every rock I can see with no luck. Any helpful input is greatly appreciated.

 

Thanks a ton,

Tony

(user) dashboard export


Hi there,

 

I've searched for a while now, but wasn't successful. Is there any way to export the query and chart config for dashboards? Ideally for shared and user-only dashboards?

VRLI integrating with active directory where LdapEnforceChannelBinding = 2


Hi,

 

In an ongoing support request I got the answer that vRealize Log Insight (VRLi) cannot be integrated with an Active Directory with the following secure settings (specifically with the last one):

 

Network security: LDAP client signing requirements - Negotiate signing

Domain controller: LDAP server signing requirements - Require signature

LdapEnforceChannelBinding- DWORD value: 2

 

Background on this setting:

"In March Microsoft will be releasing a patch that includes new audit events, additional logging, and some changes to group policy settings. Later in 2020, Microsoft will be changing the behavior of the default values for LDAP channel binding and signing. They’re making these changes because the current default settings allow for a potential man-in-the-middle attack that can lead to privilege escalation"

 

From support: VRLi does not support "channel binding tokens (CBT)".

So my question is: has anyone found a way to work around this to make it possible to use VRLi with AD logins even though LdapEnforceChannelBinding is set to "2"?

Hung on Checking for dependencies when trying to remove a content pack


Has anyone run into this? I went to uninstall a content pack and it pops up the usual Checking for dependencies, but just hangs on that popup.

I was on 8.0 and tried upgrading to 8.1 then 8.1.1 and it still happens. Any suggestions are appreciated.


FileZilla parse logs


Hi all,

Looking to add FileZilla logs to Log Insight.

I already installed an agent and made a new template for the server with a config of:

[filelog|FTP_ZILLA]
directory=C:\Program Files (x86)\FileZilla Server\Logs
include=*.log
raw_syslog=no

[logging]
debug_level=1

 

Pretty straightforward logging:

106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> CWD /
(106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> 250 CWD successful. "/" is current directory.
(106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> TYPE I
(106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> 200 Type set to I
(106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> PORT 172,18,18,1,139,181
(106473) 8/8/2020 21:46:19 PM - automationvid (172.18.18.1)> 200 Port command successful

What is the best way to configure these events in Log Insight?

Disconnected Syslog Hosts and Agents in vRLI


Hi Team,

 

Just wanted to confirm on how we can delete disconnected syslog hosts and agents from vRLI UI.

 

The syslog hosts and agents were reporting properly, and if we decommission the source machines then we are left with stale disconnected entries of those machines under the syslog hosts and agents tabs of the vRLI UI. How can we deal with this problem?

Is there a specific period for which vRLI will keep these stale entries and will delete them automatically once that period is over? Or is there anything we can do at the appliance level to deal with it?

After vRLI upgrade from 4.8 to 8.1.1, ESX hosts appearing "as vCenters" in vCenter Server Overview - vCenter Servers integrated


Prior to the upgrade, the vCenter Servers integrated count reflected the correct number of vCenters - 97. After the upgrade, under Administration / Integration / vSphere, I completed validation for each of the 97 vCenters to load the new certificate and DID NOT click the check box for "Configure ESXi hosts to send logs to Log Insight", but now I am seeing vCenter Server Overview - vCenter Servers integrated = 11,549. Interactive Analytics for the widget filters on appname contains vcenter-server and hostname exists. Prior to the upgrade, hostname appeared to only include "vCenters", with ESX hosts listed in events as Source. Now I am seeing vCenters as the Source and the Hostname is the ESX host names in the query for vCenter Server Overview - vCenter Servers integrated. Anyone seeing the same, or have any ideas on how to fix it?

Mixing CPU and OSI licenses in one Log Insight environment


Hi.

 

We have a Log Insight environment installed that has a vRealize Suite (Full) license, which displays OSI Unlimited and CPU Unlimited. The license came with our Enterprise Plus vSphere license. This means that all our virtual servers and ESXi servers are licensed for Log Insight. But we still have a few non-ESXi physical servers that also need to be licensed for Log Insight.

 

Now to my questions.

Is it possible to mix CPU and OSI licenses in Log Insight?

Is it even possible to have 2 licenses active at the same time, regardless of type?

Hope someone has an answer for me.

Thanks.

Best regards

/Mattias Cederberg

Re-download vRealize Log Insight - Trial Expired


Hi,

 

Looks like a while ago I downloaded it but I do not have the OVF, so I need to download it again, but I am getting "Your evaluation has expired".

 

I do have a license via VMUG for lab purposes so just need to have the file/image downloaded again.

 

Thanks
