When an alert query is disabled, vRealize Log Insight does not send email or webhook notifications and does not trigger vRealize Operations Manager notification events.

About this task

Note: Alert queries are user specific. You can manage only your own alerts.

An alert query is disabled under the following conditions.

  • If you disable all notification options in the Edit Alert dialog box.

  • If the alert is part of a content pack.

Content pack alert queries are read-only. To save changes to a content pack alert, you have to save the alert to your custom content.

Prerequisites

Procedure

  1. Navigate to the Interactive Analytics tab.
  2. Open the Create or manage alerts menu on the right of the Search button, and select Manage Alerts.
  3. In the Alerts list, click one or more alert queries that you want to enable.
  4. Select the notification options that you want to enable, and provide the required parameters.

    Option | Description
    ------ | -----------
    Email | Enter at least one email address in the text box. Use commas to separate multiple addresses.
    Webhook | Enter the URL to which you want vRealize Log Insight to send the notifications.
    Send to vRealize Operations Manager | Select a vRealize Operations Manager resource to associate with the notification events, and select the criticality level of the events.

  5. Save your changes.

    Option | Description
    ------ | -----------
    Save | This button appears when you modify your own alerts.
    Save to My Alerts | This button appears when you modify a shared alert or a content pack alert. The original alert remains unchanged, but you save a copy of the alert to your custom content.

Results

When the alert query returns results that match the alerting criteria, vRealize Log Insight sends notifications according to your configuration.

Enable an Alert from the VMware - vSphere Content Pack

The VMware - vSphere content pack contains several predefined alert queries, including the vCenter Server: ESX/ESXi stopped logging alert.

Enabling the vCenter Server: ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect if there is an ESXi host that has stopped sending syslog feeds.

  1. On the Interactive Analytics tab, expand the drop-down menu on the right of the Search button, and select Manage Alerts.

  2. Under VMware - vSphere Content Pack, click vCenter Server: ESX/ESXi stopped logging.

  3. Enable Email notifications, Webhook notifications, or vRealize Operations Manager notification events.

  4. Click Save to My Alerts.

To detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight, you can add the following filter to the alert query: vc_remote_host (VMware - vSphere) contains <log-insight-hostname>, and save the new query to your alerts.

For details about syslog problems and solutions, see the Knowledge Base article VMware ESXi 5.x host stops sending syslogs to remote server (2003127) at https://kb.vmware.com/kb/2003127.
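
The matching that the alert and the optional vc_remote_host filter perform can be followed offline with the added example below, which is not VMware code. The key=value record layout, the hostname field, the example.test names and the case-insensitive substring reading of "contains" are assumptions; only the event name and the vc_remote_host field come from this page.

```python
import re
from collections import defaultdict

EVENT_TYPE = "esx.problem.vmsyslogd.remote.failure"  # event named on this page

# Constructed sample records in a made-up key=value layout (not vCenter's real format).
SAMPLE_EVENTS = """\
2024-05-01T10:00:02Z event_type=esx.problem.vmsyslogd.remote.failure hostname=esx01.example.test vc_remote_host=loginsight.example.test
2024-05-01T10:00:09Z event_type=esx.problem.vmsyslogd.remote.failure hostname=esx02.example.test vc_remote_host=othersyslog.example.test
2024-05-01T10:01:15Z event_type=vim.event.UserLoginSessionEvent hostname=vc01.example.test
2024-05-01T10:03:40Z event_type=esx.problem.vmsyslogd.remote.failure hostname=esx01.example.test vc_remote_host=LogInsight.example.test
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one record into its leading timestamp and its key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def stopped_logging(lines, log_insight_hostname=None):
    """Return {esxi_host: [timestamps]} for remote-syslog failure events.

    With log_insight_hostname set, keep only events whose vc_remote_host
    contains that name (case-insensitive substring, an assumption here).
    """
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("event_type") != EVENT_TYPE:
            continue
        remote = ev.get("vc_remote_host", "")
        if log_insight_hostname and log_insight_hostname.lower() not in remote.lower():
            continue
        hits[ev.get("hostname", "unknown")].append(ev["timestamp"])
    return dict(hits)


if __name__ == "__main__":
    scoped = stopped_logging(SAMPLE_EVENTS.splitlines(), "loginsight.example.test")
    for host, times in scoped.items():
        print(f"{host}: {len(times)} failure event(s), last at {times[-1]}")
```

Without the hostname argument both ESXi hosts are reported; with it, only the host whose failing syslog target is this Log Insight instance remains.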