Release: VMware Aria Operations for Logs 8.14

Date: 19 OCT 2023

Build Number: 22564181

Check for additions and updates to these release notes.

About VMware Aria Operations for Logs

VMware Aria Operations for Logs delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high-performance search enable faster troubleshooting across physical, virtual, and cloud environments. VMware Aria Operations for Logs can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.

For more information, see the VMware Aria Operations for Logs product documentation.

What's New

Here are some of the key highlights of the VMware Aria Operations for Logs 8.14 release:

Security Enhancements

  • Inter-node communication authentication is bolstered for enhanced data protection and secure communication.

  • The node joining process is security-hardened to reduce potential vulnerabilities. The existing API to add the node has been enhanced. To learn more, see KB 95121.

Content Pack Enhancements

New content packs are added to VMware Aria Operations for Logs in the 8.14 release and a few existing content packs are enhanced with bug fixes.

  • New content packs:

    • OpenShift

    • Tanzu Kubernetes Grid

  • Enhanced content packs:

    • VMware vSAN

    • VMware Workspace One

    • VMware Aria Suite Lifecycle

Support for Uploading Trusted Certificates via User Interface

You can now upload trusted certificates directly through the user interface. This simplifies the certificate management process. To learn more, see View and Remove SSL Certificates.

VMware NSX Advanced Load Balancer Support

VMware Aria Operations for Logs now supports the external VMware NSX Advanced Load Balancer, enabling more robust and flexible load-balancing configurations. To learn more, see the Working With VMware NSX Advanced Load Balancer documentation.

Stability Improvements

  • Queries using the = (equality) operator are optimized both for predefined (static) and extracted (regex-based) numeric fields.

  • Stability improvements are applied to log imports to ensure a seamless experience for managing and analyzing log data.

Platform Modernization

  • The platform is updated to Photon 4 to provide enhanced performance and a more efficient operational experience.

  • The platform is upgraded to Java Run-time Environment 11 to provide better compatibility and security features.

Security Fixes

This release resolves CVE-2023-34051 and CVE-2023-34052. For more information on these vulnerabilities and their impact on VMware products, see VMSA-2023-0021.

Compatibility

VMware Aria Operations for Logs 8.14 can be integrated with the following VMware products and versions:

  • VMware vCenter Server 7.0 or later (FIPS mode supported).

  • VMware Aria Operations 8.6 or later.

You can install and upgrade VMware Aria Operations for Logs using VMware Aria Suite Lifecycle. For more information, see the VMware Aria Suite Lifecycle Installation, Upgrade, and Management Guide.

Browser Support

VMware Aria Operations for Logs 8.14 supports the following browser versions. More recent browser versions also work with VMware Aria Operations for Logs, but have not been validated.

  • Mozilla Firefox 80.0 and above

  • Google Chrome 91.0 and above

  • Safari 13.1.2 and above

  • Microsoft Edge 91.0 and above

The minimum supported browser resolution is 1280 by 800 pixels.

Important: Cookies must be enabled in your browser.

VMware Aria Operations for Logs Agent Support

VMware Aria Operations for Logs Windows Agent Support

The VMware Aria Operations for Logs 8.14 Windows agent supports the following versions:

  • Windows 10, Windows 11 (supported, but not tested)

  • Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.

VMware Aria Operations for Logs Linux Agent Support

The VMware Aria Operations for Logs 8.14 Linux agent supports the following distributions and versions:

  • RHEL 7, RHEL 8, and RHEL 9

  • SLES 12 SP5 (supported, but not tested), and SLES 15 SP3 (supported, but not tested)

  • Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04

  • Debian 10, and Debian 11

  • VMware Photon version 3, and Photon version 4 (supported, but not tested)

Upgrading from a Previous Version of VMware Aria Operations for Logs

Keep in mind the following considerations when upgrading to VMware Aria Operations for Logs 8.14. 

Upgrade Path

You can upgrade to VMware Aria Operations for Logs 8.14 from version 8.12. Starting from VMware Aria Operations for Logs version 8.14, the upgrade process enables secure authenticated mode for inter-node communication. However, this mode is enabled only if the rolling upgrade is successful. It is not updated in case of a manual upgrade.

Important:

When you upgrade from the 8.12 version to 8.14, note that:

  • The upgrade process automatically restarts the clusters to enable secure authenticated inter-node communication in them.

  • The PRI and VERSION prefixes are not automatically added to raw logs in your log forwarding destination when you select the RAW Protocol. You must manually select the Adjust PRI/VERSION option to add these prefixes. See Add a Log Forwarding Destination to learn more. This option is a temporary accommodation to support certain configurations and will be phased out in future releases of the product to uphold the principle of raw forwarding.
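
A downstream receiver can check whether forwarded raw lines still carry these prefixes after the upgrade. The following is an added example, not VMware code: it assumes the PRI and VERSION prefixes are the RFC 5424 header fields (`<PRI>VERSION `), and the sample lines are constructed for illustration.

```python
import re

# RFC 5424 header start: "<PRI>VERSION ". PRI is 0..191, VERSION is 1-3 digits.
# Assumption: these are the prefixes the Adjust PRI/VERSION option refers to.
_PRI = re.compile(r"<(0|[1-9]\d{0,2})>")
_VERSION = re.compile(r"[1-9]\d{0,2} ")

# Constructed sample lines (not real product output).
SAMPLE = [
    "<14>1 2023-10-19T08:15:02Z vc01.example.test vpxd 2112 - - task completed",
    "<14>Oct 19 08:15:03 vc01 vpxd[2112]: task completed",
    "2023-10-19T08:15:04Z vc01.example.test vpxd[2112]: task completed",
    "<999>1 malformed priority",
]


def classify(line):
    """Return (status, facility, severity) for one forwarded line.

    status is "pri+version", "pri-only" (BSD-style, no VERSION) or "no-pri".
    """
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        return ("no-pri", None, None)
    # PRI encodes facility * 8 + severity.
    facility, severity = divmod(int(m.group(1)), 8)
    has_version = _VERSION.match(line, m.end()) is not None
    return ("pri+version" if has_version else "pri-only", facility, severity)


def summarize(lines):
    """Count lines per status so a receiver can spot a change after upgrade."""
    counts = {"pri+version": 0, "pri-only": 0, "no-pri": 0}
    for line in lines:
        counts[classify(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line)
    print(summarize(SAMPLE))
```

A rise in "no-pri" lines at the forwarding destination after the upgrade indicates that the Adjust PRI/VERSION option is not selected for that destination.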

Important Upgrade Notes

  • To upgrade to VMware Aria Operations for Logs 8.14, you must be running VMware Aria Operations for Logs 8.12.

  • When performing a manual upgrade from the command line, you must upgrade workers one at a time. Upgrading more than one worker at the same time causes an upgrade failure.

  • When you upgrade the primary node to VMware Aria Operations for Logs 8.14 from the user interface, a rolling upgrade occurs unless specifically disabled.

  • Upgrading must be done from the primary node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.

  • VMware Aria Operations for Logs does not support two-node clusters. Add a third VMware Aria Operations for Logs node of the same version as the existing two nodes before performing an upgrade.

  • Photon OS has strict rules for the number of simultaneous SSH connections. Because the MaxAuthTries value is set to 2 by default in the /etc/ssh/sshd_config file, the SSH connection to your VMware Aria Operations for Logs virtual appliance might fail in the presence of multiple connections, with the following message: "Received disconnect from xx.xx.xx.xxx port 22:2: Too many authentication failures". You can use any of the following workarounds for this issue:

    • Use the IdentitiesOnly=yes option while connecting via SSH: #ssh -o IdentitiesOnly=yes user@ip

    • Update the ~/.ssh/config file to add:

        Host *
            IdentitiesOnly yes

    • Change the MaxAuthTries value by modifying the /etc/ssh/sshd_config file and restarting the sshd service.

  • The VM's SSH fingerprint is not preserved and changes after every upgrade, which might impact the appearance and user interface for users who connect using SSH. You must accept a new SSH fingerprint after the upgrade.

  • Any API traffic sent to a VMware Aria Operations for Logs instance on port 443 will be rejected. Although port 443 has never been declared for API traffic, it used to work before and will not work starting from version 8.10. Instead, use the recommended port 9543.

Internationalization Support

VMware Aria Operations for Logs 8.14 includes the following localization features:

  • The VMware Aria Operations for Logs web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.

  • The VMware Aria Operations for Logs web user interface supports Unicode data, including machine learning features.

  • VMware Aria Operations for Logs agents work on non-English native Windows.

Limitations

VMware Aria Operations for Logs 8.14 has the following limitations:

General

  • VMware Aria Operations for Logs does not handle non-printable ASCII characters correctly.

  • VMware Aria Operations for Logs does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the VMware Aria Operations for Logs user interface.

  • The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.

    The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, VMware Aria Operations for Logs uses the source as the hostname. This might result in the device being listed more than once because VMware Aria Operations for Logs cannot determine if the two formats point to the same device.

  • Adding a new index partition or deleting an existing one requires a cluster restart (restarting cluster nodes one by one) for the new configuration to become effective. However, changes in the routing filter, enabled status, and retention period for existing index partitions apply immediately (restarting the cluster is not required).

  • Once activated, FIPS mode cannot be disabled.

VMware Aria Operations for Logs Windows and Linux Agents

  • Non-ASCII characters in hostname and source fields are not delivered correctly when VMware Aria Operations for Logs Windows and Linux agents are running in syslog mode.

VMware Aria Operations for Logs Windows Agent

  • The VMware Aria Operations for Logs Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the VMware Aria Operations for Logs Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the VMware Aria Operations for Logs Windows agent configuration file: =C:\Windows\Sysnative\dhcp.

VMware Aria Operations for Logs Linux Agent

  • Due to an operating system limitation, the VMware Aria Operations for Logs Linux agent does not detect network outages when configured to send events over syslog.

  • The VMware Aria Operations for Logs Linux agent does not support non-English (UTF-8) symbols in field or tag names.

  • The VMware Aria Operations for Logs Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.

  • When standard output redirection to a file is used to produce logs, the VMware Aria Operations for Logs agent might not correctly recognize event boundaries in such log files.

VMware Aria Operations for Logs Integrations

Launch in context, both from VMware Aria Operations for Logs and VMware Aria Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the VMware Aria Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.

Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.

Resolved Issues

Resolutions for the following issues are included in this release.

  • VMware Aria Operations for Logs cannot connect to a webhook server with a self-signed certificate.

    You cannot integrate VMware Aria Operations for Logs with a webhook server that uses a self-signed certificate as the self-signed certificate is not trusted.

  • The triggered alert is listed in the history but not delivered to VMware Aria Operations and email.

    After integrating the VMware Aria Operations for Logs 8.10.2 version with VMware Aria Operations, when you configure an alert, add extracted fields to the alert query, and trigger an alert, the alert is not delivered to the email recipients and to the VMware Aria Operations user interface.

  • The first token in the vCenter Server logs is truncated when forwarded from VMware Aria Operations for Logs using the Syslog format.

    If the VMware Aria Operations for Logs forwarder is configured to use Syslog forwarding, the first token in the vCenter Server logs may be truncated at the forwarding destination.

  • The test alert sent to a webhook URL fails because of basic authentication issues.

    When you create a webhook of Custom endpoint type, add basic authentication to the webhook, and then test the alert, the alert fails. This happens when the credentials are rejected because of basic authentication issues.

  • While attempting to import archived logs, the import process became stuck and never reached completion.

    When you are importing a large number of archived events back into VMware Aria Operations for Logs, the standard log importer tool fails, and displays a message such as "failed to import parsed messages from 0 to 1000" in the /var/log/loginsight/importer.log file. Additionally, the importer does not take into account disk blocks or ingestion speed.

Known Issues

The following known issues are present in this release.

  • Failure to save a configuration when there is a long list of filters in agent groups

    VMware Aria Operations for Logs fails to process a long list of filters in agent groups and does not save any configuration because of this issue.

    Workaround: Modify the internal configuration manually to remove or reduce the number of filters in the agent group or divide the filters into multiple agent groups.

  • VMware Aria Operations for Logs does not send more than 10 logs in webhook notifications.

    Regardless of the Log Payload option, VMware Aria Operations for Logs sends only up to 10 individual notifications or 10 logs in the payload to the webhook endpoint.

    Workaround: None.

  • Users are not notified about the cloud channel integration failure

    You do not receive any notifications regarding failures related to cloud channel integration and cloud forwarding.

    Workaround: Check the VMware Aria Operations for Logs runtime.log file for related issues, or check if the corresponding cloud organization is receiving the logs.

  • Inactive host notifications are sent when logs are relayed to VMware Aria Operations for Logs (SaaS)

    In VMware Aria Operations for Logs, when you select the Inactive hosts notification check box on the Management > Hosts page, and select the Relay Only option while configuring log forwarding to VMware Aria Operations for Logs (SaaS), you receive inactive host notifications.

    The value in the Last Received Event column in the Hosts page increases with time, which indicates that a previously active host does not ingest logs anymore.

    This behavior is because log events are not considered received until the events are ingested. When you select the Relay Only option for cloud forwarding, a certain category of log events is never ingested (depending on your filter definition), which results in some hosts mistakenly reporting as non-ingesting and inactive.

    Workaround: None.

  • The first run for real-time alerts is delayed

    The first run for a real-time alert is scheduled five minutes after creating or enabling the alert.

    Workaround: Wait for five minutes after creating or enabling a real-time alert for the scheduler to work as expected. After the first five minutes, the alert query is run every minute.

  • Collection from some directories will not take place if they were created before agent start or re-configuration event

    The logs are not collected from the newly created directories if you create the directories after re-configuring the agent.

    Workaround: To start directory monitoring, restart the service or update the agent configuration. You can update the agent configuration using the liagent.ini file or from the Server Admin Agents page.

  • No automatic upgrade for VMware Aria Operations for Logs Agent on Photon OS

    You cannot automatically upgrade VMware Aria Operations for Logs Agent on Photon OS because Photon OS does not support the gpg command.

    Workaround: Perform a manual upgrade.

  • SMTP configurations might not work for public mail servers through IPv6

    SMTP configurations might not work with public email services such as Google and Yahoo, because these services leverage tighter restriction policies for IPv6.

    Workaround: Use an alternative mail server such as your corporate mail server, or create a dedicated server.

  • Integrating VMware Workspace ONE Access with VMware Aria Operations for Logs through IPv4 changes the redirect URL host to IPv6 address

    When deploying a VMware Aria Operations for Logs virtual appliance, if you had selected the option to prefer IPv6 addresses, the redirect URL host list is always populated with IPv6 node addresses. This redirect URL does not work when integrating VMware Aria Operations for Logs with VMware Workspace ONE Access as VMware Workspace ONE Access does not support IPv6 addresses.

    Workaround: Create a different IPv4 virtual IP for the integration of VMware Aria Operations for Logs with VMware Workspace ONE Access.

  • Test connection fails for VMware Aria Operations for Logs Agent running on the Windows OS.

    Test connection fails for VMware Aria Operations for Logs Agent running on the Windows OS; however, the agent is able to successfully communicate and send logs to the VMware Aria Operations for Logs server.

    Workaround: None