VMware Aria Operations for Logs provides built-in system alerts for critical issues. You can also configure VMware Aria Operations for Logs to run specific queries at scheduled intervals.

System Alerts

System alerts contain information about activities related to the health of VMware Aria Operations for Logs, such as when the disk space is almost exhausted and old log files are about to be deleted. For information about managing the notifications for these alerts, see Managing System Notifications.

To view the list of system alerts and information about their status and frequency, expand the main menu and navigate to Alerts > System Alerts. You can activate or deactivate system alerts.

User-Defined Alerts

You can define alerts in VMware Aria Operations for Logs and send email or webhook notifications, or trigger notification events in VMware Aria Operations if the number of events that match the query exceeds the thresholds that you have set.

To view the list of user-defined alerts and information about their status, owner, origin, and so on, navigate to Alerts > Alerts Definition.

  • If your user account is assigned a role with view access to alerts, you can view all the alerts in your organization. However, you can manage only your own alerts.
  • If your user account is assigned a role with edit or full access to alerts:
    • You can enable or disable all the system alerts in your organization.
    • You can create, modify, and remove all the user-defined alerts in your organization. For example, a user with a Super Admin role can manage the alerts of other users.
For information about roles, see Create and Modify Roles in Administering VMware Aria Operations for Logs.

Content Pack Alerts

Content packs can contain alert queries. The vSphere content pack that is included in VMware Aria Operations for Logs by default contains several predefined alert queries. They can trigger alerts if an ESXi host stops sending syslog data, if VMware Aria Operations for Logs can no longer collect events, tasks, and alarms data from a vCenter Server, or when an alarm status changes to red. You can use these alert queries as templates to create alerts that are specific to your environment.

All content pack alerts are deactivated by default.

Enabling the ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart VMware Aria Operations for Logs. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect whether there is an ESXi host that has stopped sending syslog feeds. For details about syslog problems and solutions, see VMware ESXi 5.x host stops sending syslogs to remote server (2003127).

You can add the following filter to the alert query and save it as a new alert to detect only ESXi hosts that stop sending feeds to your instance of VMware Aria Operations for Logs: vc_remote_host (VMware - vSphere) contains log-insight-hostname.
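
The filtered query above, modeled as an added Python sketch that is not VMware's code: it counts esx.problem.vmsyslogd.remote.failure events whose vc_remote_host contains your log host within one evaluation window, and fires when the count exceeds a threshold. The event dictionaries, the time, host and event_type keys, the hostnames, the window and threshold values, and the case-insensitive match are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

EVENT = "esx.problem.vmsyslogd.remote.failure"  # event named on the page

# Constructed sample events. Only vc_remote_host is a field named on the page;
# the other keys and all hostnames are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:05", "host": "esx01.example.test",
     "event_type": EVENT, "vc_remote_host": "udp://loginsight.example.test:514"},
    {"time": "2024-05-01T10:01:10", "host": "esx02.example.test",
     "event_type": EVENT, "vc_remote_host": "udp://other-syslog.example.test:514"},
    {"time": "2024-05-01T10:02:00", "host": "esx01.example.test",
     "event_type": "constructed.unrelated.event", "vc_remote_host": ""},
    {"time": "2024-05-01T09:40:00", "host": "esx03.example.test",
     "event_type": EVENT, "vc_remote_host": "udp://loginsight.example.test:514"},
    {"time": "2024-05-01T10:03:30", "host": "esx04.example.test",
     "event_type": EVENT, "vc_remote_host": "udp://LOGINSIGHT.example.test:514"},
]


def evaluate_alert(events, log_host, now, window=timedelta(minutes=5), threshold=0):
    """Return (fired, per_host_counts) for one evaluation of the filtered query."""
    start = now - window
    needle = log_host.lower()  # assumption: match hostnames case-insensitively
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if not (start < ts <= now):
            continue  # outside this evaluation window
        if ev.get("event_type") != EVENT:
            continue  # not the syslog remote failure event
        if needle not in ev.get("vc_remote_host", "").lower():
            continue  # host forwards to a different syslog target
        counts[ev["host"]] += 1
    # Fire only when the number of matching events exceeds the threshold.
    return sum(counts.values()) > threshold, dict(counts)


if __name__ == "__main__":
    fired, hosts = evaluate_alert(SAMPLE_EVENTS, "loginsight.example.test",
                                  datetime(2024, 5, 1, 10, 4, 0))
    print(fired, hosts)
```

The per-host breakdown goes beyond the alert's single event count; it shows which ESXi hosts to check first when the alert fires.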

If your user account is assigned a role with full access for content packs and alerts, you can activate a content pack alert and modify its notifications. However, you cannot update or remove the content pack alert.