VMware Aria Operations for Logs 8.14
19 OCT 2023
Check for additions and updates to these release notes.
VMware Aria Operations for Logs 8.14
19 OCT 2023
Check for additions and updates to these release notes.
VMware Aria Operations for Logs delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high performance search enables faster troubleshooting across physical, virtual, and cloud environments. VMware Aria Operations for Logs can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.
For more information, see the VMware Aria Operations for Logs product documentation.
Here are some of the key highlights of the VMware Aria Operations for Logs 8.14 release:
Inter-node communication authentication is bolstered for enhanced data protection and secure communication.
The node joining process is security-hardened to reduce potential vulnerabilities. The existing API to add the node has been enhanced. To learn more, see KB 95121.
Content Pack Enhancements
New content packs are added to VMware Aria Operations for Logs in the 8.14 release and a few existing content packs are enhanced with bug fixes.
New content packs:
Tanzu Kubernetes Grid
Enhanced content packs:
VMware Workspace One
VMware Aria Suite Lifecycle
Support for Uploading Trusted Certificates via User Interface
You can now upload trusted certificates directly through the user interface. This simplifies the certificate management process. To learn more, see View and Remove SSL Certificates.
VMware NSX Advanced Load Balancer Support
VMware Aria Operations for Logs now supports the external VMware NSX Advanced Load Balancer, enabling more robust and flexible load-balancing configurations. To learn more, see the Working With VMware NSX Advanced Load Balancer documentation.
Queries using the = (equality) operator are optimized both for predefined (static) and extracted (regex-based) numeric fields.
Stability improvements are applied to log imports to ensure a seamless experience for managing and analyzing log data.
The platform is updated to Photon 4 to provide enhanced performance and a more efficient operational experience.
The platform is upgraded to Java Run-time Environment 11 to provide better compatibility and security features.
This release resolves CVE-2023-34051, CVE-2023-34052. For more information on these vulnerabilities and their impact on VMware products, please see VMSA-2023-0021.
VMware Aria Operations for Logs 8.14 can be integrated with the following VMware products and versions:
VMware vCenter Server 7.0 or later (FIPS mode supported).
VMware Aria Operations 8.6 or later.
You can install and upgrade VMware Aria Operations for Logs using VMware Aria Suite Lifecycle. For more information, see the VMware Aria Suite Lifecycle Installation, Upgrade, and Management Guide.
VMware Aria Operations for Logs 8.14 supports the following browser versions. More recent browser versions also work with VMware Aria Operations for Logs, but have not been validated.
Mozilla Firefox 80.0 and above
Google Chrome 91.0 and above
Safari 13.1.2 and above
Microsoft Edge 91.0 and above
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
VMware Aria Operations for Logs Windows Agent Support
The VMware Aria Operations for Logs 8.14 Windows agent supports the following versions:
Windows 10, Windows 11 (supported, but not tested)
Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019.
VMware Aria Operations for Logs Linux Agent Support
The VMware Aria Operations for Logs 8.14 Linux agent supports the following distributions and versions:
RHEL 7, RHEL 8, and RHEL 9
SLES 12 SP5 (supported, but not tested), and SLES 15 SP3 (supported, but not tested)
Ubuntu 18.04, Ubuntu 20.04, and Ubuntu 22.04
Debian 10, and Debian 11
VMware Photon version 3, and Photon version 4 (supported, but not tested)
Keep in mind the following considerations when upgrading to VMware Aria Operations for Logs 8.14.
You can upgrade to VMware Aria Operations for Logs 8.14 from version 8.12. Starting from VMware Aria Operations for Logs version 8.14, the upgrade process enables secure authenticated mode for inter-node communication. However, this mode is enabled only if the rolling upgrade is successful. It is not updated in case of a manual upgrade.
When you upgrade from the 8.12 version to 8.14, note that:
The upgrade process automatically restarts the clusters to enable secure authenticated inter-node communication in them.
VERSION prefixes are not automatically added to raw logs in your log forwarding destination when you select the RAW Protocol. You must manually select the Adjust PRI/VERSION option to add these prefixes. See Add a Log Forwarding Destination to learn more. This option is a temporary accommodation to support certain configurations and will be phased out in future releases of the product to uphold the principle of raw forwarding.
Important Upgrade Notes
To upgrade to VMware Aria Operations for Logs 8.14, you must be running VMware Aria Operations for Logs 8.12.
When performing a manual upgrade from the command line, you must upgrade workers one at a time. Upgrading more than one worker at the same time causes an upgrade failure.
When you upgrade the primary node to VMware Aria Operations for Logs 8.14 from the user interface, a rolling upgrade occurs unless specifically disabled.
Upgrading must be done from the primary node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
VMware Aria Operations for Logs does not support two-node clusters. Add a third VMware Aria Operations for Logs node of the same version as the existing two nodes before performing an upgrade.
Photon OS has strict rules for the number of simultaneous SSH connections. Because the MaxAuthTries value is set to 2 by default in the
/etc/ssh/sshd_config file, the SSH connection to your VMware Aria Operations for Logs virtual appliance might fail in the presence of multiple connections, with the following message: "Received disconnect from xx.xx.xx.xxx port 22:2: Too many authentication failures". You can use any of the following workarounds for this issue:
IdentitiesOnly=yes option while connecting via SSH:
#ssh -o IdentitiesOnly=yes user@ip
~/.ssh/config file to add:
Host* IdentitiesOnly yes
MaxAuthtries value by modifying the
/etc/ssh/sshd_config file and restarting the sshd service.
The VM's SSH fingerprint is not preserved and changes after every upgrade, which might impact the appearance and user interface for users who connect using SSH. You must accept a new SSH fingerprint after the upgrade.
Any API traffic sent to a VMware Aria Operations for Logs instance on port 443 will be rejected. Although port 443 has never been declared for API traffic, it used to work before and will not work starting from version 8.10. Instead, use the recommended port 9543.
VMware Aria Operations for Logs 8.14 includes the following localization features:
The VMware Aria Operations for Logs web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
The VMware Aria Operations for Logs web user interface supports Unicode data, including machine learning features.
VMware Aria Operations for Logs agents work on non-English native Windows.
VMware Aria Operations for Logs 8.14 has the following limitations:
VMware Aria Operations for Logs does not handle non-printable ASCII characters correctly.
VMware Aria Operations for Logs does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the VMware Aria Operations for Logs user interface.
The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, VMware Aria Operations for Logs uses the source as the hostname. This might result in the device being listed more than once because VMware Aria Operations for Logs cannot determine if the two formats point to the same device.
Adding a new index partition or deleting an existing one requires a cluster restart (restarting cluster nodes one by one) for the new configuration to become effective. However, changes in the routing filter, enabled status, and retention period for existing index partitions apply immediately (restarting the cluster is not required).
Once activated, FIPS mode cannot be disabled.
VMware Aria Operations for Logs Windows and Linux Agents
Non-ASCII characters in hostname and source fields are not delivered correctly when VMware Aria Operations for Logs Windows and Linux agents are running in syslog mode.
VMware Aria Operations for Logs Windows Agent
The VMware Aria Operations for Logs Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the VMware Aria Operations for Logs Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the VMware Aria Operations for Logs Windows agent configuration file: =C:\Windows\Sysnative\dhcp.
VMware Aria Operations for Logs Linux Agent
Due to an operating system limitation, the VMware Aria Operations for Logs Linux agent does not detect network outages when configured to send events over syslog.
The VMware Aria Operations for Logs Linux agent does not support non-English (UTF-8) symbols in field or tag names.
The VMware Aria Operations for Logs Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
When standard output redirection to a file is used to produce logs, the VMware Aria Operations for Logs agent might not correctly recognize event boundaries in such log files.
VMware Aria Operations for Logs Integrations
Launch in context, both from VMware Aria Operations for Logs and VMware Aria Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the VMware Aria Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.
Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.
Resolutions for the following issues are included in this release.
VMware Aria Operations for Logs cannot connect to a webhook server with a self-signed certificate.
The triggered alert is listed in the history but not delivered to VMware Aria Operations and email.
The first token in the vCenter Server logs is truncated when forwarded from VMware Aria Operations for Logs using the Syslog format.
The test alert sent to a webhook URL fails because of basic authentication issues.
While attempting to import archived logs, the import process became stuck and never reached completion.
failed to import parsed messages from 0 to 1000in the
The following known issues are present in this release.
Failure to save a configuration when there is a long list of filters in agent groups
VMware Aria Operations for Logs does not send more than 10 logs in webhook notifications.
Users are not notified about the cloud channel integration failure
Inactive host notifications are sent when logs are relayed to VMware Aria Operations for Logs (SaaS)
The first run for real-time alerts is delayed
Collection from some of directories will not take place if they were created before agent start or re-configuration event
No automatic upgrade for VMware Aria Operations for Logs Agent on Photon OS
SMTP configurations might not work for public mail servers through IPv6
Integrating VMware Workspace ONE Access with VMware Aria Operations for Logs through IPv4 changes the redirect URL host to IPv6 address
Test connection fails for VMware Aria Operations for Logs Agent running on the Windows OS.