check-circle-line exclamation-circle-line close-line

VMware vRealize Log Insight 4.0 | 15 November 2016 | Build 4624504

Update 20 December 2018
Updated 9 July 2018
Updated 2 February 2018

These release notes describe changes to vRealize Log Insight since version 3.6. Check frequently for additions and updates to these release notes.

What's in the Release Notes?

The release notes cover the following topics:


vRealize Log Insight delivers the best real-time and archive log management for VMware environments. Machine learning-based Intelligent Grouping and high-performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.

What's New in vRealize Log Insight 4.0?

This release of VMware vRealize Log Insight 4.0 delivers product improvements and updates to the previous release.

  • General
    • vSphere 6.5 compatibility.
    • System notification enhancements.
    • Support for custom SSL certificates in the vCenter Server edition.
    • Support for Spanish locale(ES).
  • UI Features
    • New overall User Interface based on the VMware Clarity standard.
    • New speedometer-like Gauge Chart type for event count visualizations.
    • New Admin Alert Management tool and UI to view and manage all user alerts.
    • New filter called Does Not Exist to find events that do not contain some specified field.
    • Support for Datastore Device ID-to-name aliasing in event queries and results.
    • New "blur" on session timeout.
  • Server Features
    • Support for Syslog octet-framing over TCP.
    • Defined REST APIs for installing Log Insight servers and clusters.
    • Support for time ranges with Event Type alert queries.
  • Agent and Importer Features
    • SLES 11 SP3 and SLES 12 SP1 are supported for Linux agents.
    • The dateext (daily extension) option of logrotate is now supported.
    • SSL for the vRealize Log Insight agent is enabled by default.
  • Content Pack Features
    • Users can now subscribe to content pack alerts that allow automated updates inline with the associated content pack.
  • Changed Behavior
    • New Agent installations have SSL enabled by default. Previously, Agent installs defaulted to SSL off. Upgrading does not affect current SSL settings.
    • New event forwarder destinations now default to verifying SSL certificates. Previously, SSL certificates were not verified by default. Upgrading does not affect current settings.
    • vRealize Log Insight for vCenter now allows you to change SSL settings.
    • For content pack alerts instantiated in 4.0, content pack updates now automatically update alert definitions. If needed, you can preserve customizations by exporting them and then importing them back into the user profile after the update is applied.
    • Options have changed on the Export Event Results menu. The CSV option, which saves query results as comma-separated values, replaces the XML option.

Top of Page


vRealize Log Insight 4.0 supports the following VMware products and versions:

  • vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later. Support for 5.0 and 5.1 has been removed. See for more information.
  • You can integrate vRealize Log Insight 4.0 with vRealize Operations Manager version 6.0 or later.

Browser Support

vRealize Log Insight 4.0 version supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.

  • Mozilla Firefox 45.0 and above
  • Google Chrome 51.0 and above
  • Safari 9.1 and above
  • Internet Explorer 11.0 and above
    Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.

The minimum supported browser resolution is 1280 by 800 pixels.

Important: Cookies must be enabled in your browser.

vRealize Log Insight Windows Agent Support

The vRealize Log Insight 4.0 Windows agent supports the following versions.

  • Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10
  • Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2

vRealize Log Insight Linux Agent Support

The vRealize Log Insight 4.0 Linux agent supports the following distributions and versions.

  • RHEL 5, RHEL 6, RHEL 7
  • SLES 11 SP3, SLES 12 SP1
  • Ubuntu 12.04 LTS, 14.04 LTS, and 16.04 LTS


vRealize Log Insight 4.0 has the following limitations.


  • Due to browser limitations, the blur effect after a session time out is not available for the Internet Explorer 11 browser.
  • vRealize Log Insight does not handle non-printable ASCII characters correctly.
  • vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
  • The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named might appear as both foo and

    The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
  • Load-balanced Active Directory authorization servers are not supported.

vRealize Log Insight Windows and Linux Agents

  • Non-ASCII characters in hostname/source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.

vRealize Log Insight Windows Agent

  • The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.

vRealize Log Insight Linux Agent

  • Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
  • The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
  • The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
  • When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.

Active Directory

  • vRealize Log Insight does not support multiple domains for Active Directory login when they are not trusted domains.

Top of Page

Upgrading from a Previous Version of vRealize Log Insight

vRealize Log Insight 4.0 supports upgrading from vRealize Log Insight 3.6. For more information about upgrade paths, see the vRealize Log Insight Upgrade Path.


  • When performing a manual upgrade, workers must only be upgraded one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.0, a rolling upgrade occurs unless specifically disabled.
  • Upgrading to vRealize Log Insight 4.0 must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
  • The client browser from which the upgrade is started from must be able to access the master node on ports 80 or 443.
  • vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.

Internationalization Support

vRealize Log Insight 4.0 is available in the following languages.

  • The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
  • The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
  • The vRealize Log Insight agent works on non-English native Windows.


  • The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show strings and have layout issues.
  • vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see
  • Integration with Active Directory, vSphere and vRealize Operations Manager for user names with non-ASCII characters is not supported.
  • The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
  • Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding

Resolved Issues

  • Export content pack is no longer failing
  • Active Directory groups are no longer case sensitive
  • Event forwarder can now send more events with fewer threads
  • CLF parser does not respect space and tab characters error is fixed
  • View event in context fixed for the event types view
  • Fixed a caching issue for common options under Agent configuration
  • OSI Count and CPU Count for NSX licenses are no longer empty
  • Event forwarding no longer drop events for high EPS forwarding
  • vRealize Log Insight gracefully recovers when the ingestion queue is overloaded
  • Mixed-case groups and domains no longer cause issues in Active Directory authentication.

Known Issues

For existing issues that have not been described in this document, please see the Known Issues section in the VMware vRealize Log Insight 3.6 Release Notes

  • Event forwarding stops working after upgrading deployments that use SSL.
    JRE is upgraded as part of vRealize Log Insight upgrade. For sites configured with SSL, certificate information remains stored in the old JRE version therefore the certificate cannot be retrieved for the upgraded installation and event forwarding fails.
    Workaround: Reimport the certificate using the procedure "Configuring vRealize Log Insight Event Forwarding with SSL" in the vRealize Log Insight documentation center.
  • Built-in groups have authentication issues
    There have been reports that some customers have found issues in group-based Active Directory authentication against active directory built in groups. The issue has been reproduced and a fix is being researched.
    Workaround: None currently.
  • The login splash screen for vRealize Log Insight does not display correctly in Internet Explorer 11 on Windows 10.
    The login area appears correctly, but the background pattern is not displayed.
    Workaround: None.
  • A failure to export event results might occur intermittently.
    In cases of a large number of query result, some results might not be exported normally or the export file might be empty.
    Workaround: See for more information on workarounds.
  • Group membership queries failing.
    vRealize Log Insight does not properly update environment changes to vRealize Operations inventory.
    Workaround: None.
  • Inventory not updating after changes to environment.
    vRealize Log Insight is not properly updating environment changes to vRealize Operations inventory.
    Workaround: None.
  • Custom extracted field not displaying all log messages.
    When you are creating the extracted field, the display field indicates errors or alerts that are found based on the expressions configured within the field. However, the extracted field is applied anyway.
    Workaround: None.
  • High CPU Usage when agent is collecting large number of files.
    When you are collecting a large number of logs, vRealize Log Insight might have a very high CPU usage.
    Workaround: Filter out unwanted log files from being collected.
  • Upgrade fails when config directory contains files with non-numeric suffixes.
    If /storage/core/loginsight/config/ contains extra files with non-numeric suffix, upgrade fails with UpgradeError: "invalid literal for int() with base 10.
    Workaround: Delete backup config files or move them out of config directory.
  • The dashboard field links are displaying values that differ from what the event is displaying.
    The dashboard field links are displaying values that differ from what the event is displaying. The value is either incorrect or displays an unknown value of 'row14-c.' Examples include vmw_vcenter and vmw_cluster.
    Workaround: None.
  • After upgrading, vRealize Log Insight virtual machines might generate a high number of disk iops.
    Workaround: This is expected as vRealize Log Insight performs background work post-upgrade. This process may take several hours or even days to complete.
  • The Join Log Insight cluster operation appears to fail.
    Increasing vRealize Log Insight cluster size appears to fail with multiple spurious service group entries in the daemon section of config.
    Workaround: Remove spurious service group entries from daemon section of config.
  • When "Autoconfig is in use" is selected the TCP/Syslog protocol is not applied correctly with vCenter Server integration..
    The protocol type for a vCenter integration with vRealize Log Insight is selected and displayed on the #admin/vsphere page. When you select TCP/Syslog protocol and set "Autoconfig" and save the configuration, after a few seconds or just by moving to another page, UDP may be shown as the selected/used protocol, The protocol type is changed on the VC side also.
  • Upgrade fails when the /storage/var partition is full. 
    Cluster nodes can enter a disconnected state when the /storage/var partition is full.

    When the /storage/var partition is full, it may result in failed upgrades and cause cluster nodes to intermittently enter a disconnected state. The loginsight_daemon_stdout.log file in the partition has been known to grow to a very large size and can be safely deleted.

    For upgrade failure, this is indicated by a  no space on device message in the upgrade.log file.

    For nodes, you might see the message Internal Server Error when you open the interface from a VIP address or IP address of an affected node. For unaffected nodes, the user interface remains accessible. The admin/cluster page shows the disconnect status for affected nodes.

    Workaround: Manually clean up the log file, restart services on affected nodes, and retry the operation. 

    1. Run the du command on the Log Insight cluster nodes to verify that one or more nodes show the /storage/var partition is is 100% full.
    2. Log into the appliance as root user.
    3. Run the command rm /storage/var/loginsight/loginsight_daemon_stdout.log to delete the log file. 
    4. Run the command /etc/init.d/loginsight stop && /etc/init.d/loginsight start to  restart the loginsight service.​​
  • Addition to the documentation topic Enable User Authentication Through Active Directory 

    Child domain access is not supported through Active Directory. This type of access is supported through VMware Identity Manager only.

  • Correction to a link in the topic Generate a Certificate Signing Request in Administering vRealize Log Insight

    The link for downloading an OpenSSl installer is out of date. 

    Use this link:

  • Information on VMware business continuity and disaster recovery solutions has moved 

    Information about VMware business continuity and disaster recovery solutions referred to in the topic Backup, Restore, and Disaster Recovery Overview has been moved to a new web page. 

    Information is now available at