You can configure vRealize Log Insight to run specific queries at scheduled intervals.
If the number of events that match the query exceeds the thresholds that you have set, vRealize Log Insight can send email or webhook notifications and trigger notification events in vRealize Operations Manager.
To view the list of available alerts, navigate to the Interactive Analytics page and select Manage Alerts... from the Create and manage alerts... drop-down menu next to the Search field. The status of each alert appears under the alert name.
Alert queries are user specific. You can manage only your own alerts.
Types of Alerts that You Can Create in vRealize Log Insight
You can control the intervals at which alert queries run, and the conditions when vRealize Log Insight sends alert notifications by selecting one of the alert types.
Alert for Any Match
The alert query runs automatically every five minutes. A notification is triggered when at least one event within the last 5 minutes matches the query.
Alert Base on Event Type
The alert query runs automatically every five minutes. A notification is triggered when a specified event type is seen.
Alert Based on Number of Events Within a Custom Period of Time
Alert query intervals depend on your settings. A notification is triggered according to your settings, when more or less than X matching events occur in the last Y minutes.
If this type of alert is triggered, it is snoozed for the duration of its time period to prevent duplicate alerts from being raised for the same set of events. If you want to enable an alert while it is snoozing, you can disable and then re-enable it.
Alerts Based on Aggregation Queries
The aggregation query alert triggers a notification if value in a function in a grouping exceeds a value you define. You can see this on a chart, where at least one bar in the chart is above or below the threshold that you have set, within the period that you specified.
This alert type can be set for charts that do not visualize Count of events over time.
Content Pack Alerts
Content packs can contain alert queries. The vSphere content pack that is included in vRealize Log Insight by default contains several predefined alert queries. They can trigger alerts if an ESXi host stops sending syslog data, if vRealize Log Insight can no longer collect events, tasks, and alarms data from a vCenter Server, or when an alarm status changes to red. You can use these alert queries as templates to create alerts that are specific to your environment.
All content pack alerts are disabled by default.
Enabling the vCenter Server: ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect whether there is an ESXi host that has stopped sending syslog feeds. For details about syslog problems and solutions, see VMware ESXi 5.x host stops sending syslogs to remote server (2003127).
You can add the following filter to the alert query and save it as a new alert to detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight: vc_remote_host (VMware - vSphere) contains log-insight-hostname.
Content pack alert queries are read-only. To save changes to a content pack alert, you have to save the alert to your custom content.