| Release | Date | Build Number |
| --- | --- | --- |
| VMware Aria Operations for Logs 8.12 | 20 APR 2023 | 21696970 |

Check for additions and updates to these release notes.

About VMware Aria Operations for Logs

VMware Aria Operations for Logs delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high-performance search enable faster troubleshooting across physical, virtual, and cloud environments. VMware Aria Operations for Logs can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.

For more information, see the VMware Aria Operations for Logs product documentation.

What's New

Here are some of the key highlights of the VMware Aria Operations for Logs 8.12 release:

Rebranding of vRealize Log Insight to VMware Aria Operations for Logs

In this release, we are excited to announce that vRealize Log Insight has been rebranded to VMware Aria Operations for Logs. The rebranding will not impact your existing deployment of vRealize Log Insight. You will continue to receive the same level of support and service you have come to expect from VMware.

Federated Log Query

You can now integrate your VMware Aria Operations for Logs (On-Premises) instances with the VMware Aria Operations for Logs (SaaS) platform to streamline your troubleshooting process. The integration enables you to gain a consolidated view of your On-Premises clusters and ensures compatibility with the upcoming SaaS releases that will allow you to query across multiple On-Premises clusters from the SaaS platform.

Support for RHEL 9

The VMware Aria Operations for Logs Linux agent now supports Red Hat Enterprise Linux 9 (RHEL 9).

Support for 10 Index Partitions

You can now create up to 10 index partitions in VMware Aria Operations for Logs. The support for 10 index partitions allows you to achieve greater flexibility in retaining log data.

Content Pack Updates

VMware Aria Operations for Logs now provides updated content packs with rebranded names. The support for the old content packs will be phased out in future releases.

Content packs include:

| Content Pack | Updated Content Pack |
| --- | --- |
| vROps 6.7+ | VMware Aria Operations 8.12+ |
| vRO | VMware Aria Automation Orchestrator |
| vRA | VMware Aria Automation |
| vRSLCM | VMware Aria Suite Lifecycle |
| vRealize Network Insight | VMware Aria Operations for Networks |

Webhooks Enhancements

The Webhooks page is now enhanced to provide a consistent workflow across other VMware Aria Operations for Logs pages such as Alert Definitions and Reports.

The user experience of the Webhooks page is also enhanced to provide a more streamlined and intuitive experience. To access the page, log in to VMware Aria Operations for Logs and navigate to Configuration > Webhooks from the main menu.

Enhancements to the Operations for Logs (SaaS) Page

The LI Cloud page is now integrated with the Operations for Logs (SaaS) page, providing a streamlined user experience. To access the Operations for Logs (SaaS) page, expand the main menu and click Integrations.

Compatibility

VMware Aria Operations for Logs 8.12 can be integrated with the following VMware products and versions:

  • VMware vCenter Server 7.0 or later (FIPS mode supported).

  • VMware Aria Operations 8.6 or later.

You can install and upgrade VMware Aria Operations for Logs using VMware Aria Suite Lifecycle. For more information, see the VMware Aria Suite Lifecycle Installation, Upgrade, and Management Guide.

Browser Support

VMware Aria Operations for Logs 8.12 supports the following browser versions. More recent browser versions also work with VMware Aria Operations for Logs, but have not been validated.

  • Mozilla Firefox 80.0 and above

  • Google Chrome 91.0 and above

  • Safari 13.1.2 and above

  • Microsoft Edge 91.0 and above

The minimum supported browser resolution is 1280 by 800 pixels.

Important: Cookies must be enabled in your browser.

VMware Aria Operations for Logs Agent Support

VMware Aria Operations for Logs Windows Agent Support

The VMware Aria Operations for Logs 8.12 Windows agent supports the following versions:

  • Windows 10, Windows 11 (supported, but not tested)

  • Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

VMware Aria Operations for Logs Linux Agent Support

The VMware Aria Operations for Logs 8.12 Linux agent supports the following distributions and versions:

  • RHEL 7, RHEL 8, and RHEL 9

  • SLES 12 SP5 (supported, but not tested), and SLES 15 SP3 (supported, but not tested)

  • Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04

  • Debian 10, and Debian 11

  • VMware Photon version 3, and Photon version 4 (supported, but not tested)

Upgrading from a Previous Version of VMware Aria Operations for Logs

Keep in mind the following considerations when upgrading to VMware Aria Operations for Logs 8.12. 

Upgrade Path

You can upgrade to VMware Aria Operations for Logs 8.12 from 8.10.x.

Starting with VMware Aria Operations for Logs 8.12, the upgrade process also handles updating the internode communication certificate. However, the certificate is updated only if the rolling upgrade is successful. It is not updated in case of a manual upgrade.

Important Upgrade Notes

  • To upgrade to VMware Aria Operations for Logs 8.12, you must be running VMware Aria Operations for Logs 8.10.x.

  • When performing a manual upgrade from the command line, you must upgrade workers one at a time. Upgrading more than one worker at the same time causes an upgrade failure.

  • When you upgrade the primary node to VMware Aria Operations for Logs 8.12 from the user interface, a rolling upgrade occurs unless specifically disabled.

  • Upgrading must be done from the primary node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.

  • VMware Aria Operations for Logs does not support two-node clusters. Add a third VMware Aria Operations for Logs node of the same version as the existing two nodes before performing an upgrade.

  • Photon OS has strict rules for the number of simultaneous SSH connections. Because the MaxAuthTries value is set to 2 by default in the /etc/ssh/sshd_config file, the SSH connection to your VMware Aria Operations for Logs virtual appliance might fail in the presence of multiple connections, with the following message: "Received disconnect from xx.xx.xx.xxx port 22:2: Too many authentication failures". You can use any of the following workarounds for this issue:

    • Use the IdentitiesOnly=yes option while connecting via SSH: ssh -o IdentitiesOnly=yes user@ip

    • Update the ~/.ssh/config file to add:

          Host *
              IdentitiesOnly yes

    • Change the MaxAuthTries value by modifying the /etc/ssh/sshd_config file and restarting the sshd service.

  • The VM's SSH fingerprint is not preserved and changes after every upgrade, which might impact the appearance and user interface for users who connect using SSH. You must accept a new SSH fingerprint after the upgrade.

  • Any API traffic sent to a vRealize Log Insight instance on port 443 will be rejected. Although port 443 has never been declared for API traffic, it used to work before and will not work starting from version 8.10. Instead, use the recommended port 9543.

Important Upgrade Notes on Custom Certificates

While upgrading to version 8.12, VMware Aria Operations for Logs checks the custom certificate for certain considerations. If the custom certificate does not adhere to the considerations, you must perform the recommended action to continue with the upgrade process. You must also make sure that the custom certificate is accepted by agents and log sources.

| Scenario | Consideration | Action |
| --- | --- | --- |
| A custom certificate is installed in the VMware Aria Operations for Logs server before the upgrade and the required key usage extension SSL Client is used. | Not applicable. | No action required. |
| A custom certificate is installed in the VMware Aria Operations for Logs server before the upgrade and the required key usage extension SSL Client is not used. | The agent is configured to use the SSL configuration and the ssl_accept_any key is set. | No action required. |
| A custom certificate is installed in the VMware Aria Operations for Logs server before the upgrade and the required key usage extension SSL Client is not used. | The agent is configured to use the SSL configuration and the ssl_accept_any key is not set. | Install a new CA certificate in the VMware Aria Operations for Logs server. |
| A custom certificate is installed in the VMware Aria Operations for Logs server before the upgrade and the required key usage extension SSL Client is not used. | There are other log sources (such as ESXi hosts forwarding logs using the Syslog server) configured to use the SSL configuration. | Install a new CA certificate in the VMware Aria Operations for Logs server. |

Important Upgrade Notes on Self-signed Certificates

If you are using the default self-signed SSL certificate on the virtual appliance, after upgrading to 8.12, you may be required to reinstall the certificate on the client, such as VMware Aria Operations for Logs agent or other log sources, to re-establish the trust with the VMware Aria Operations for Logs server.

Consider the following situations where you must reinstall the self-signed certificates:

| Consideration | Action |
| --- | --- |
| The agent is configured to use the SSL configuration and the ssl_accept_any key is set. | No action required. |
| The agent is configured to use the SSL configuration and the ssl_accept_any key is not set. | Reinstall the self-signed certificate on the agent. |
| There are other log sources (such as ESXi hosts forwarding logs using the Syslog server) configured to use the SSL configuration. | Reestablish the trust with the log sources. |

To learn more about changing the SSL configuration, and checking if an agent accepts a certificate, see Configure the VMware Aria Operations for Logs Agent SSL Parameters.

Invalidated License Keys

The following license key is considered as invalid in the VMware Aria Operations for Logs 8.12 release:

When you upgrade to VMware Aria Operations for Logs 8.12, the license key is not accepted. VMware Aria Operations for Logs displays a message Invalid License key and deletes the key automatically.

Internationalization Support

VMware Aria Operations for Logs 8.12 includes the following localization features:

  • The VMware Aria Operations for Logs web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.

  • The VMware Aria Operations for Logs web user interface supports Unicode data, including machine learning features.

  • VMware Aria Operations for Logs agents work on non-English native Windows.

Limitations

VMware Aria Operations for Logs 8.12 has the following limitations:

General

  • VMware Aria Operations for Logs does not handle non-printable ASCII characters correctly.

  • VMware Aria Operations for Logs does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the VMware Aria Operations for Logs user interface.

  • The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.

    The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, VMware Aria Operations for Logs uses the source as the hostname. This might result in the device being listed more than once because VMware Aria Operations for Logs cannot determine if the two formats point to the same device.

  • Adding a new index partition or deleting an existing one requires a cluster restart (restarting cluster nodes one by one) for the new configuration to become effective. However, changes in the routing filter, enabled status, and retention period for existing index partitions apply immediately (restarting the cluster is not required).

  • Once activated, FIPS mode cannot be disabled.

VMware Aria Operations for Logs Windows and Linux Agents

  • Non-ASCII characters in hostname and source fields are not delivered correctly when VMware Aria Operations for Logs Windows and Linux agents are running in syslog mode.

VMware Aria Operations for Logs Windows Agent

  • The VMware Aria Operations for Logs Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the VMware Aria Operations for Logs Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the VMware Aria Operations for Logs Windows agent configuration file: =C:\Windows\Sysnative\dhcp.

VMware Aria Operations for Logs Linux Agent

  • Due to an operating system limitation, the VMware Aria Operations for Logs Linux agent does not detect network outages when configured to send events over syslog.

  • The VMware Aria Operations for Logs Linux agent does not support non-English (UTF-8) symbols in field or tag names.

  • The VMware Aria Operations for Logs Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.

  • When standard output redirection to a file is used to produce logs, the VMware Aria Operations for Logs agent might not correctly recognize event boundaries in such log files.
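The two agent-side checks this page calls for, the ssl_accept_any consideration from the certificate upgrade tables and the exclude=.* option from the Linux agent limitation above, can be run against an liagent.ini before the upgrade. The following is an added example, not VMware code; the [server] and [filelog|name] section names, the ssl and directory keys, the yes/no values, and the ';' separator inside exclude are assumptions about the agent configuration format, and the sample file is constructed.

```python
import configparser

# Constructed sample liagent.ini (not taken from a real host).
SAMPLE_INI = """\
[server]
hostname=logs.example.test
proto=cfapi
ssl=yes
; ssl_accept_any is left unset in this sample

[filelog|messages]
directory=/var/log
include=messages;*.log

[filelog|app]
directory=/opt/app/logs
exclude=*.gz;.*
"""

TRUE_VALUES = {"yes", "true", "1", "on"}  # assumed spellings of an enabled key


def is_enabled(value):
    """True when a key is present and holds one of the assumed 'on' values."""
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_agent_config(text):
    """Return (certificate_status, filelog sections that still collect hidden files)."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)

    server = cfg["server"] if cfg.has_section("server") else {}
    if not is_enabled(server.get("ssl")):
        # Assumption: a missing ssl key is treated as "SSL not configured".
        status = "not-ssl"
    elif is_enabled(server.get("ssl_accept_any")):
        # The tables list "No action required" for this case; the agent
        # accepts whatever certificate the server presents.
        status = "no-action"
    else:
        # The agent validates the server certificate, so trust has to be
        # re-established after the upgrade as the tables describe.
        status = "action-required"

    hidden = []
    for name in cfg.sections():
        if not name.startswith("filelog|"):
            continue
        patterns = [p.strip() for p in cfg[name].get("exclude", "").split(";")]
        if ".*" not in patterns:
            hidden.append(name)
    return status, hidden


if __name__ == "__main__":
    status, hidden = audit_agent_config(SAMPLE_INI)
    print("certificate status:", status)
    print("sections collecting hidden files:", hidden)
```
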

VMware Aria Operations for Logs Integrations

Launch in context, both from VMware Aria Operations for Logs and VMware Aria Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the VMware Aria Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.

Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.

Resolved Issues

Resolutions for the following issues are included in this release.

  • The triggered alert is listed in the history but not delivered to VMware Aria Operations and email.

    After integrating the VMware Aria Operations for Logs 8.10.2 version with VMware Aria Operations, when you configure an alert, add extracted fields to the alert query, and trigger an alert, the alert is not delivered to the email recipients and to the VMware Aria Operations user interface.

  • The first token in the vCenter Server logs is truncated when forwarded from VMware Aria Operations for Logs using the Syslog format.

    If the VMware Aria Operations for Logs forwarder is configured to use Syslog forwarding, the first token in the vCenter Server logs may be truncated at the forwarding destination.

  • The test alert sent to a webhook URL fails because of basic authentication issues.

    When you create a webhook of Custom endpoint type, add basic authentication to the webhook, and then test the alert, the alert fails. This happens when the credentials are rejected because of basic authentication issues.

Known Issues

The following known issues are present in this release.

  • Failure to save a configuration when there is a long list of filters in agent groups

    VMware Aria Operations for Logs fails to process a long list of filters in agent groups and does not save any configuration because of this issue.

    Workaround: Modify the internal configuration manually to remove or reduce the number of filters in the agent group or divide the filters into multiple agent groups.

  • VMware Aria Operations for Logs does not send more than 10 logs in webhook notifications.

    Regardless of the Log Payload option, VMware Aria Operations for Logs sends only up to 10 individual notifications or 10 logs in the payload to the webhook endpoint.

    Workaround: None.

  • Users are not notified about the cloud channel integration failure

    You do not receive any notifications regarding failures related to cloud channel integration and cloud forwarding.

    Workaround: Check the VMware Aria Operations for Logs runtime.log file for related issues, or check if the corresponding cloud organization is receiving the logs.

  • Inactive host notifications are sent when logs are relayed to VMware Aria Operations for Logs (SaaS)

    In VMware Aria Operations for Logs, when you select the Inactive hosts notification check box on the Management > Hosts page, and select the Relay Only option while configuring log forwarding to VMware Aria Operations for Logs (SaaS), you receive inactive host notifications.

    The value in the Last Received Event column in the Hosts page increases with time, which indicates that a previously active host does not ingest logs anymore.

    This behavior occurs because log events are not considered received until the events are ingested. When you select the Relay Only option for cloud forwarding, a certain category of log events is never ingested (depending on your filter definition), which results in some hosts mistakenly reporting as non-ingesting and inactive.

    Workaround: None.

  • The first run for real-time alerts is delayed

    The first run for a real-time alert is scheduled five minutes after creating or enabling the alert.

    Workaround: Wait for five minutes after creating or enabling a real-time alert for the scheduler to work as expected. After the first five minutes, the alert query is run every minute.

  • Collection from some directories will not take place if they were created before the agent start or re-configuration event

    The logs are not collected from the newly created directories if you create the directories after re-configuring the agent.

    Workaround: To start directory monitoring, restart the service or update the agent configuration. You can update the agent configuration using the liagent.ini file or from the Server Admin Agents page.

  • No automatic upgrade for VMware Aria Operations for Logs Agent on Photon OS

    You cannot automatically upgrade VMware Aria Operations for Logs Agent on Photon OS because Photon OS does not support the gpg command.

    Workaround: Perform a manual upgrade.

  • SMTP configurations might not work for public mail servers through IPv6

    SMTP configurations might not work with public email services such as Google and Yahoo, because these services leverage tighter restriction policies for IPv6.

    Workaround: Use an alternative mail server such as your corporate mail server, or create a dedicated server.

  • Integrating VMware Workspace ONE Access with VMware Aria Operations for Logs through IPv4 changes the redirect URL host to IPv6 address

    When deploying a VMware Aria Operations for Logs virtual appliance, if you selected the option to prefer IPv6 addresses, the redirect URL host list is always populated with IPv6 node addresses. This redirect URL does not work when integrating VMware Aria Operations for Logs with VMware Workspace ONE Access as VMware Workspace ONE Access does not support IPv6 addresses.

    Workaround: Create a different IPv4 virtual IP for the integration of VMware Aria Operations for Logs with VMware Workspace ONE Access.

  • VMware Aria Operations for Logs cannot connect to a webhook server with a self-signed certificate.

    You cannot integrate VMware Aria Operations for Logs with a webhook server that uses a self-signed certificate as the self-signed certificate is not trusted.

    Workaround: Add a self-signed certificate manually to the VMware Aria Operations for Logs virtual appliance and restart the virtual appliance using the following commands:

        $ keytool -import -alias webhook -file <certificate> -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
        $ service loginsight restart