After you configure the Log Insight agent on the analytics cluster of vRealize Operations Manager to send audit logs and system events to vRealize Log Insight, configure the remote collectors to send audit logs and system events to vRealize Log Insight.

You must manually configure the remote collectors of vRealize Operations Manager with the new vRealize Log Insight settings to capture the latest audit logs and system events. You remove all obsolete [filelog|*] sections that are related to vRealize Operations Manager, and insert new [filelog|*] items. See VMware Knowledge Base article 55061.

Procedure

  1. Open an SSH connection to the remote collector of vRealize Operations Manager using the following settings.

    | Setting | Value |
    |---|---|
    | Host name | sfo01vropsc01a.sfo01.rainpole.local, sfo01vropsc01b.sfo01.rainpole.local |
    | Host name | lax01vropsc01a.lax01.rainpole.local, lax01vropsc01b.lax01.rainpole.local |
    | User name | root |
    | Password | vrops_root_password |

  2. Configure the Log Insight agent in the remote collector nodes of vRealize Operations Manager.
    1. Edit the liagent.ini file on each vRealize Operations Manager node using a text editor such as vi.
      vi /var/lib/loginsight-agent/liagent.ini
    2. Locate the [logging] section, and delete all lines after [filelog|syslog] using the command dG.

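      The dG command deletes everything from the current line to the end of the file, so place the cursor on the first line after the [filelog|syslog] section before you run it. After the command is complete, the liagent.ini file has the following contents: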

      [server]
      ; Log Insight server hostname or ip address
      ; If omitted the default value is LOGINSIGHT
      hostname=sfo01vrli01.rainpole.local
      
      ; Set protocol to use:
      ; cfapi - Log Insight REST API
      ; syslog - Syslog protocol
      ; If omitted the default value is cfapi
      proto=cfapi
      
      ; Log Insight server port to connect to. If omitted the default value is:
      ; for syslog: 512
      ; for cfapi without ssl: 9000
      ; for cfapi with ssl: 9543
      port=9000
      
      ;ssl - enable/disable SSL. Applies to cfapi protocol only.
      ; Possible values are yes or no. If omitted the default value is no.
      ssl=no
      
      ; Time in minutes to force reconnection to the server
      ; If omitted the default value is 30
      ;reconnect=30
      
      [storage]
      ;max_disk_buffer - max disk usage limit (data + logs) in MB:
      ; 100 - 2000 MB, default 200
      ;max_disk_buffer=200
      
      [logging]
      ;debug_level - the level of debug messages to enable:
      ; 0 - no debug messages
      ; 1 - trace essential debug messages
      ; 2 - verbose debug messages (will have negative impact on performace)
      ;debug_level=0
      
      [filelog|messages]
      directory=/var/log
      include=messages;messages.?
      
      [filelog|syslog]
      directory=/var/log
      include=syslog;syslog.?
      
      <Deleted from here down>
    3. After the [filelog|syslog] section, add the following block on each remote collector node.
      [common|global]
      tags={"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_clustername":"vrops01svr01arainpolelocal", "vmw_vr_ops_clusterrole":"Remote Collector", "vmw_vr_ops_nodename":"<Your vROPS Node Name Here>", "vmw_vr_ops_hostname":"<Your vROPS Hostname Here>"}
      
      [update]
      ; Do not change this parameter
      package_type=rpm
      
    4. Modify the following parameters specifically for each node.

      | Parameter | Description | Location in liagent.ini |
      |---|---|---|
      | vmw_vr_ops_nodename | IP address or FQDN of the vRealize Operations Manager node | Replace each <Your vROPS Node Name Here> with the following names: sfo01vropsc01a, sfo01vropsc01b |
      | vmw_vr_ops_hostname | Name of the vRealize Operations Manager node that is set during node initial configuration | Replace each <Your vROPS Hostname Here> with the following names: sfo01vropsc01a.sfo01.rainpole.local, sfo01vropsc01b.sfo01.rainpole.local |

      For example, on the first remote collector, you change the [common|global] section to add a context to the logs that are sent to the vRealize Log Insight cluster:

      [common|global]
      tags={"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_clustername":"vrops01svr01arainpolelocal", "vmw_vr_ops_clusterrole":"Remote Collector", "vmw_vr_ops_nodename":"sfo01vropsc01a", "vmw_vr_ops_hostname":"sfo01vropsc01a.sfo01.rainpole.local"}
      
      [update]
      ; Do not change this parameter
      package_type=rpm
    5. After the [common|global] section, add the following block on the remote collector.
      [filelog|COLLECTOR]
      event_marker = ^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
      directory = /usr/lib/vmware-vcops/user/log
      include = collector*.log*
      tags = {"vmw_vr_ops_logtype":"COLLECTOR"}
      exclude = collector-wrapper.log*;collector-gc*.log*
      
      [filelog|COLLECTOR-GC]
      include = collector-gc-*.log*
      directory = /usr/lib/vmware-vcops/user/log
      event_marker = ^\d{4}-\d{2}-\d{2}
      tags = {"vmw_vr_ops_logtype":"COLLECTOR"}
      
      [filelog|COLLECTOR_wrapper]
      tags = {"vmw_vr_ops_logtype":"COLLECTOR"}
      directory = /usr/lib/vmware-vcops/user/log
      include = collector-wrapper.log*
      event_marker = ^[DEBUG|ERROR|FATAL|INFO|TRACE|WARN|STATUS ]
      
      [filelog|ADAPTERS]
      include = *.log*
      event_marker = ^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
      tags = {"vmw_vr_ops_logtype":"ADAPTER"}
      directory = /data/vcops/log/adapters/*
      
      [filelog|SUITEAPI]
      include = api.log*;http_api.log*;profiling_api.log*;api-gc.log*
      event_marker = ^\d{4}-\d{2}-\d{2}
      tags = {"vmw_vr_ops_logtype":"SUITEAPI"}
      directory = /usr/lib/vmware-vcops/user/log
      
      [filelog|SUITEAPI-api]
      directory = /usr/lib/vmware-vcops/user/log/suite-api
      tags = {"vmw_vr_ops_logtype":"SUITEAPI"}
      event_marker = ^\d{2}-\w{3}-\d{4}[\s]\d{2}:\d{2}:\d{2}\.\d{3}
      include = catalina*.log*;localhost*.log*
      
      [filelog|ADMIN_UI-casa-catalina]
      event_marker = ^\w{3}[\s]\d{1,}
      directory = /usr/lib/vmware-vcops/user/log/casa
      tags = {"vmw_vr_ops_logtype":"ADMIN_UI"}
      include = catalina.out
      
      [filelog|ADMIN_UI-casa]
      directory = /usr/lib/vmware-vcops/user/log/casa
      tags = {"vmw_vr_ops_logtype":"ADMIN_UI"}
      include = *.log*
      event_marker = ^\d{4}-\d{2}-\d{2}
      exclude = catalina*;localhost*
      
      [filelog|ADMIN_UI-casa-catalina-log-localhost-log]
      include = catalina.*.log;localhost.*.log
      exclude = localhost_access_log.*
      tags = {"vmw_vr_ops_logtype":"ADMIN_UI"}
      event_marker = ^\d{2}-\w{3}-\d{4}[\s]
      directory = /usr/lib/vmware-vcops/user/log/casa
      
      [filelog|ADMIN_UI-localhost_access]
      directory = /usr/lib/vmware-vcops/user/log/casa
      include = localhost_access_log.*
      tags = {"vmw_vr_ops_logtype":"ADMIN_UI"}
      
      [filelog|TOMCAT_WEBAPP]
      tags = {"vmw_vr_ops_logtype":"TOMCAT_WEBAPP"}
      include = localhost_access_log.*.txt
      directory = /data/vcops/log/product-ui
      
      [filelog|CALL_STACK]
      event_marker = ^[^\s]
      tags = {"vmw_vr_ops_logtype":"CALL_STACK"}
      include = collector*.txt
      directory = /usr/lib/vmware-vcops/user/log/callstack
      
      [filelog|GEMFIRE]
      event_marker = ^\d{4}-\d{2}-\d{2}
      include = gemfire*.log*
      tags = {"vmw_vr_ops_logtype":"GEMFIRE"}
      directory = /usr/lib/vmware-vcops/user/log
      
      [filelog|GEMFIRE-2]
      tags = {"vmw_vr_ops_logtype":"GEMFIRE"}
      directory = /usr/lib/vmware-vcops/user/log
      include = gemfire-locator*.log;gemfire_vRealize*.log
      event_marker = ^\[
      exclude = *.marker;*.gfs;*wrapper.log*;gemfire-wrapper.log*
      
      [filelog|OTHER-watchdog-log]
      directory = /usr/lib/vmware-vcops/user/log/vcops-watchdog
      tags = {"vmw_vr_ops_logtype":"OTHER"}
      event_marker = ^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
      include = vcops-watchdog*.log
      
      [filelog|OTHER-misc]
      directory = /usr/lib/vmware-vcops/user/log
      event_marker = ^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}\,\d{3}
      include = system-exit-*.log;zeroTimestampLogger-*.log;vcopsConfigureRoles.log*;cassandradbupgrade.log;centralsqldbupgrade.log;dbupgrade.log;restartHttpd.log;activate_web_certificate.log;oom-handler-cassandra.log;ip_version_configurator_*.log;upgradeVsutilitiesConfigs.py.log;hisdbupgrade.log;installer-tools.log;his-lock-trace-*.log;actions-data-*.log;LRUCacheProfiler-*.log*;datapurging-*.log.*;setVSUtilitiesPermissions.py.log;hafailover-*.log;deletedMetricKeys-*.log;placement-*.log;bm-controller.log;cassandraquery-*.log;cassandradriver-*.log;shardingManager-*.log;fsdb-accessor-*.log;actionScheduler-*.log;casa.audit*.log*;function-invocation-counter-*.log;onlineCapacity-*.log;functioncalls-*.log;opsapi.audit*.log*;distributed*.log*
      tags = {"vmw_vr_ops_logtype":"OTHER"}
      
      [filelog|OTHER-misc-singlelines]
      include = evn-checker.log*;delete_tomcat_logs.log;tomcat-enterprise-wrapper.log;meta-gemfire*.log*;ui-gc.log.*
      tags = {"vmw_vr_ops_logtype":"OTHER"}
      directory = /usr/lib/vmware-vcops/user/log
      
      [filelog|OTHER-TELEMETRY]
      include = telemetry.log*
      directory = /usr/lib/vmware-vcops/user/log
      event_marker = ^\d{4}-\d{2}-\d{2}[\s]\d{2}:\d{2}:\d{2}
      tags = {"vmw_vr_ops_logtype":"TELEMETRY"}

      Note:

      Ensure that there are no extra carriage returns after a long line. Each entry in a [] section must be in a key = value format, for example, tags = {"something"}. Make sure the [filelog|OTHER-misc] section is included.

    6. Press Escape and enter :wq! to save the file.
    7. Restart the Log Insight agent on the node by running the following console command.
      /etc/init.d/liagentd restart
    8. Verify that the Log Insight agent is running.
      /etc/init.d/liagentd status
    9. Repeat the steps for the second remote collector node.
  3. Repeat the steps for the remote collectors in Region B.
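
A check for the edited file, as an added example that is not part of the VMware procedure: the Python function below reads liagent.ini text and reports the mistakes the note in step 2 warns about (lines that are not in key = value form, a missing [filelog|OTHER-misc] section), plus unreplaced <Your vROPS ... Here> placeholders, tags values that are not valid JSON, and ssl=no in [server]. The name check_liagent and the sample text are constructed for illustration.

```python
import json
import re

REQUIRED_SECTION = "filelog|OTHER-misc"   # the procedure's note requires this section
PLACEHOLDER = re.compile(r"<Your vROPS [^>]* Here>", re.IGNORECASE)
# Constructed sample (not a real host's file): three mistakes plus ssl=no.
SAMPLE = r'''[server]
hostname=sfo01vrli01.rainpole.local
ssl=no

[common|global]
tags={"vmw_vr_ops_appname":"vROps", "vmw_vr_ops_nodename":"<Your vROPS Node Name Here>"}

[filelog|COLLECTOR]
directory = /usr/lib/vmware-vcops/user/log
include = collector*.log*
exclude = collector-wrapper.log*;
collector-gc*.log*
tags = {"vmw_vr_ops_logtype":"COLLECTOR"}
'''

def check_liagent(text):
    """Return (line_number, message) findings; line 0 means a file-level finding."""
    findings, sections, section = [], set(), None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            sections.add(section)
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            findings.append((no, "not in key = value form (stray line break?)"))
            continue
        if PLACEHOLDER.search(value):
            findings.append((no, "placeholder not replaced"))
        if key == "tags":
            try:
                json.loads(value)
            except ValueError:
                findings.append((no, "tags is not valid JSON"))
        elif section == "server" and key == "ssl" and value.lower() == "no":
            findings.append((no, "ssl=no: events are sent without SSL"))
    if REQUIRED_SECTION not in sections:
        findings.append((0, "missing [%s] section" % REQUIRED_SECTION))
    return findings
```

Pass it the contents of /var/lib/loginsight-agent/liagent.ini on each remote collector before you restart the agent; an empty list means none of these checks fired.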

Results

All VMware - vRops dashboards become available on the home page of vRealize Log Insight. You see the Total number of vRops Clusters showing 1 and Total number of vRops nodes over time showing the host names of the analytics and remote collector nodes of vRealize Operations Manager.