The files that contain system messages are on the VMware Aria Operations for Logs virtual appliance.

The following table lists each file and its purpose.

If you need information on log rotation or log archiving for these files, see Data Archiving and Log Rotation Schemes Supported by VMware Aria Operations for Logs Agents in the Working with VMware Aria Operations for Logs Agents guide.

File Description
/var/log/vmware/loginsight/alert.log Used to track information about user-defined alerts that have been triggered.
/var/log/vmware/loginsight/apache-tomcat/logs/*.log Used to track events from the Apache Tomcat server.
/var/log/vmware/loginsight/cassandra.log Used to track cluster configuration storage and replication in Apache Cassandra.
/var/log/vmware/loginsight/plugins/vsphere/li-vsphere.log Used to trace events related to integration with VMware vSphere Web Client.
/var/log/vmware/loginsight/loginsight_daemon_stdout.log Used for the standard output of VMware Aria Operations for Logs daemon.
/var/log/vmware/loginsight/phonehome.log Used to track information about trace data collection sent to VMware (if enabled).
/var/log/vmware/loginsight/scheduled_reports.log Used to track logs related to scheduled reports generation.
/var/log/vmware/loginsight/runtime.log Used to track all run time information related to VMware Aria Operations for Logs.
/var/log/firstboot/stratavm.log Used to track the events that occur at first boot and configuration of the VMware Aria Operations for Logs virtual appliance.
/var/log/vmware/loginsight/systemalert.log Used to track information about system notifications that VMware Aria Operations for Logs sends. Each alert is listed as a JSON entry.
/var/log/vmware/loginsight/systemalert_worker.log Used to track information about system notifications that a VMware Aria Operations for Logs worker node sends. Each alert is listed as a JSON entry.
/var/log/vmware/loginsight/ui.log Used to track events related to the VMware Aria Operations for Logs user interface.
/var/log/vmware/loginsight/ui_runtime.log Used to track runtime events related to the VMware Aria Operations for Logs user interface.
/var/log/vmware/loginsight/upgrade.log Used to track events that occur during a VMware Aria Operations for Logs upgrade.
/var/log/vmware/loginsight/usage.log Used to track all queries.
/var/log/vmware/loginsight/vrops_integration.log Used to track events related to the VMware Aria Operations integration.
/var/log/vmware/loginsight/watchdog_log* Used to track the run time events of the watch dog process, which is responsible for restarting VMware Aria Operations for Logs if it is shut down for some reason.
/var/log/vmware/loginsight/api_audit.log Used to track the API calls to VMware Aria Operations for Logs.
/var/log/vmware/loginsight/pattern_matcher.log Used to track the pattern matching times and timeouts for field extraction.
/var/log/vmware/loginsight/audit.log Used to track how VMware Aria Operations for Logs is used. For more information, see Audit Logs in VMware Aria Operations for Logs.

Log Messages Related to Security

The ui_runtime.log file contains user audit log messages in the following format.

  • [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
  • [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
  • [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: Active Directory User: SAM=myusername, Domain=vmware.com,[email protected]]
  • [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: Active Directory User: SAM=myusername, Domain=vmware.com,[email protected]]
  • [2019-05-10 11:29:28.330+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: Local User: Name=myusername]
  • [2019-05-10 11:29:47.078+0000] ["https-jsse-nio-443-exec-10"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: Local User: Name=myusername]
  • [2019-05-10 11:29:23.559+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136 WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login failure: Bad username/password attempt (username: incorrectUser)]
  • [2019-05-10 11:45:37.795+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new user: Local User: Name=myusername]
  • [2019-05-10 11:09:50.493+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new user: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
  • [2019-05-10 11:47:05.202+0000] ["https-jsse-nio-443-exec-10"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new group: (directoryType= VIDM, domain=vmware.com, group=vidm_admin)]
  • [2019-05-10 11:58:11.902+0000] ["https-jsse-nio-443-exec-4"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Removed groups: [class com.vmware.loginsight.database.dao.RBACADGroupDO<vidm/vmware.com/vidm_admin>]]

Some logs are available in debug level. For information about enabling the debug level for each node, see Enable Debug Level for User Audit Log Messages.

Tip: If you are an administrator, you can modify the logging level without restarting the VMware Aria Operations for Logs service. Go to http:// <your_Operations_for_Logs_host>/internal/config, update the value of the logging level for the relevant logs, and click Save. For example:
<self-logging>
    <logger name="root" level="INFO" />
</self-logging>

You can change the logging level to OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, or ALL.

Note: Each node in a VMware Aria Operations for Logs cluster has its own ui_runtime.log file. You can examine the log files of the nodes to monitor the cluster.