VMware vRealize Log Insight | 13 June 2017
Updated September 26, 2018
These release notes describe changes to vRealize Log Insight 4.5. Check frequently for updates to these release notes.
What's in the Release Notes?
The release notes cover the following topics:
- What's New?
- Upgrading from a Previous Version
- Internationalization Support
- Known Issues
vRealize Log Insight delivers the best real-time and archive log management, especially for VMware environments. Machine learning-based Intelligent Grouping and high-performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
This release of VMware vRealize Log Insight delivers product improvements and updates to the previous release, including these features:
- Server Features
- Added API to query alert execution and notification history
- Added ability to specify basic authentication for webhooks
- New product configuration APIs added
- The source field is maintained when forwarding from vRealize Log Insight forwarder to a vRealize Log Insight server
- Hosts on the /admin/hosts page can now be exported
- External load balancer support will be removed in a later version.
- VMware Identity Manager (vIDM) is now supported. You can download a licensed version of vIDM for use with this release from the vRealize Log Insight Download page.
- See https://www.vmware.com/support/pubs/identitymanager-pubs.html for vIDM documentation.
- For information about migrating from Active Directory to vIDM, see the following Knowledge Base article: https://kb.vmware.com/kb/2148976.
- General User Interface Items
- Dashboard legend mouse-over in one widget now highlights corresponding chart items across widgets
- Added ability to show a given time across all dashboard chart widgets simultaneously
- Separate options are available for descriptions and recommendations for user alerts.
- User alert history for aggregation queries now includes count
- Agent Items
- Added ability to send unaltered raw syslog to destination server
- Added ability for agent syslog parser to parse structured data (SD), PRI, PROCID, and MSGID syslog fields
- Added auto-update checkbox option on MSI user interface
- Added support for sending logs to multiple destinations
- Added directory wildcard support
- Added support for Photon OS
- Support for Ubuntu 12.04 LTS has been deprecated
- Content Packs
- Updated General and vSphere content packs
- VSAN and vROps content packs included out of the box
vRealize Log Insight 4.5 supports the following VMware products and versions:
- vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later.
- You can integrate vRealize Log Insight 4.5 with vRealize Operations Manager version 6.0 or later.
vRealize Log Insight 4.5 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 45.0 and above
- Google Chrome 51.0 and above
- Safari 9.1 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
The vRealize Log Insight 4.5 Windows agent supports the following versions.
- Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016
The vRealize Log Insight Linux agent supports the following distributions and versions.
- RHEL 5, RHEL 6, and RHEL 7
- SUSE Enterprise Linux (SLES 11 SP3) and SLES 12 SP1
- Ubuntu 14.04 LTS, and 16.04 LTS
- VMware Photon, version 1 revision 2
vRealize Log Insight 4.5 has the following limitations.
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
- The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname and source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
Upgrading from a Previous Version of vRealize Log Insight
You can upgrade to 4.5 directly from vRealize Log Insight 4.3. If you are running an earlier version of vRealize Log Insight, you must first incrementally upgrade your installation to 4.3.
Important Upgrade Notes
- To upgrade to vRealize Log Insight 4.5, you must be running vRealize Log Insight 4.3.
- When performing a manual upgrade, you must upgrade workers one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.5, a rolling upgrade occurs unless specifically disabled.
- Upgrading must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
- vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
- If the vRLI upgrade (.pak file) has a new JRE version, then the user-installed certificates in a vRealize Log Insight setup (such as for event forwarding) become invisible after upgrade. See Event forwarding stops working after upgrading deployments that use SSL.
vRealize Log Insight 4.5 includes the following localization features.
- The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
- vRealize Log Insight agents work on non-English native Windows.
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- Integration with Active Directory, vSphere, and vRealize Operations Manager for user names with non-ASCII characters is not supported.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
When a vRealize Log Insight instance uses the VMware Identity Manager integration and a cluster that is configured without a virtual IP address, links to alerts in automatically generated email messages are incorrect.
This is also true for site configurations that use multiple virtual IPs.
The alert links sent in email alerts are created using a FQDN, but VMware Identity Manager redirects back to the IP address of the vRealize Log Insight master node instead of the FQDN of the virtual IP address.
Workaround: From the drop-down menu icon on the Web interface, select Administration > Cluster. In the Integrated Load Balancer section, open the Add New IP Address window and add the virtual IP address to the vRealize Log Insight cluster by specifying its FQDN.
Reconfigure VMware Identity Manager integration with the newly created VIP.
- In rare cases, data from re-created folders might not be collected.
When a vRealize Log Insight agent is configured to monitor a complex-structured hierarchy of folders, such as 100 or more nested folders, and the directory wildcard feature is used, folders that have been deleted and re-created with the same name might not be indicated for monitoring.
Workaround: Restart the vRealize Log Insight agent service.
- Export events data does not always return the complete list of events in the exported file.
When you export a large number of events, there might be points where all cluster resources are used for ingestion/query processing and some internal query requests might be missed. This can result in an incomplete list of events in the exported file.
Workaround: Try the export again.
- Upgrade fails when the /storage/var partition is full.
Cluster nodes can enter a disconnected state when the /storage/var partition is full.
/storage/varpartition is full, it may result in failed upgrades and cause cluster nodes to intermittently enter a disconnected state. The
loginsight_daemon_stdout.logfile in the partition has been known to grow to a very large size and can be safely deleted.
For upgrade failure, this is indicated by a
no space on devicemessage in the
For nodes, you might see the message
Internal Server Errorwhen you open the interface from a VIP address or IP address of an affected node. For unaffected nodes, the user interface remains accessible. The admin/cluster page shows the disconnect status for affected nodes.
Workaround: Manually clean up the log file, restart services on affected nodes, and retry the operation.
- Run the
ducommand on the Log Insight cluster nodes to verify that one or more nodes show the /storage/var partition is is 100% full.
- Log into the appliance as root user.
- Run the command
rm /storage/var/loginsight/loginsight_daemon_stdout.logto delete the log file.
- Run the command
/etc/init.d/loginsight stop && /etc/init.d/loginsight startto restart the loginsight service.
- Run the
- When you do not provide a license on the License page, a tooltip for evaluation licenses is displayed.
The tooltip is concerned solely with evaluation licenses. You can still use the 25 OSI licenses for vRealize Log Insight that are provided with vCenter.
- "Starts with" and "Does not start with" constraints are not supported for use as text filters in the event forwarder in version 4.5. Forwarding destinations that use these constraints in pre-existing filters might not forward the expected logs.
The Starts with and Does not start with filters are shown as choices when creating a filter for use with event forwarders. However, they are not supported in this release and are interpreted as Matches or Not Matches constraints. Because the filters are not identical, it's possible the expected logs will not be forwarded. Edit any filters that use these constraints.
Interactive Analytics Page
The list of events displayed on the Interactive Analytics page when you click Run in Interactive Analytics can be different from the actually forwarded logs even after you have substituted the Matches or Does not match operators. This is because interactive analytics does not define the Matches constraint and replaces it with Matches regex, which works with regular expression notation.
Workaround: Reconfigure text filters for event forwarders to use Matches or Does not match instead of Starts with or Does not start with. Remove the filters and revise the old configurations to use an equivalent filter based on the Matches or Does not match constraints.
The Matches constraint supports globbing (*) to indicate multiple symbols. So, for example, filter
[text | "starts with" | "sometext"]can be replaced with
[text | "matches" | "sometext*"].
- The default settings for small-sized vRealize Log Insight virtual appliances cause performance to degrade and must be reset by the user.
Serious performance degradation occurs when you use the default settings for small size deployments. Insufficient memory affects the user interface and other processes.
Workaround: Increase memory. For example, for a four-node cluster, increase memory from the default 8 GB to 16 GB.
- Addition to the documentation topic Enable User Authentication Through Active Directory
Child domain access is not supported through Active Directory. This type of access is supported through VMware Identity Manager only.
- For Linux, collection from some directories does not take place until the agent is restarted or a reconfiguration event occurs
On Linux systems if a new directory is created after agent reconfiguration, the newly created directories are ignored during collection.
Workaround: To start directory monitoring, restart the service or update agent configuration with the liagent.ini file or from the Server Admin Agents page.