vRealize Log Insight 4.6 | April 12, 2018
Updated September 26, 2018
What's in the Release Notes
The notes cover the following topics:
- About vRealize Log Insight
- What's New
- Upgrading from a Previous Release
- Internationalization Support
- Resolved Issues
- Known Issues
About vRealize Log Insight
vRealize Log Insight delivers the best real-time and archive log management, especially for VMware environments. Machine learning-based Intelligent Grouping and high-performance search enable faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
For more information, see the vRealize Log Insight documentation at https://docs.vmware.com/en/vRealize-Log-Insight/index.html.
This release includes new features for the vRealize Log Insight server and agent.
vRealize Log Insight Server Features
- Support for up to 15 vCenters per node.
- Added ability to send an alert when a configured log source stops sending log events after a fixed amount of time.
- Added ability to export a full list of agents from the Admin->Agents page.
- Added ability to control the visibility of items on Dashboard widgets. Use Shift-Click to toggle and Option/Alt-Click to show all.
- Added ability to search for users on the admin/users page and to delete multiple users.
- Ability to authenticate VMware Identity Manager (vIDM) local users.
- For SLES installations, product upgrade now updates base operating system libraries from SLES 11 SP3 to SLES 11 SP4. This means that installations that are upgraded to this release, and installations from fresh deployments of this release have the same base OS libraries.
- Additional APIs, including those for creating alerts, deleting VIPs, and authenticating with vIDM.
- Improved informational messaging when deleting VIPs with the API.
- Minor improvements for PLU license representation on the license page.
- Support for receiving RAW event messages without headers.
vRealize Log Insight Agent Features
- Support for sending syslog over UDP.
- Importer support for bzip and bzip2 archiving formats.
- Support for configurable compression for HTTP requests when an agent sends log events with the Ingestion API.
- Agent status now includes information about the server or servers it sends logs to.
- Agents can now read logs from journald system service for log data in Linux distributions running systemd.
- Ability to configure multiple destinations for an agent from the main configuration server.
- You have the option to use vRealize Suite Lifecycle Manager 1.2 or later to install vRealize Log Insight 4.5.1 and later releases. See vRealize Suite documentation for more information.
vRealize Log Insight 4.6 supports the following VMware products and versions:
- vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later.
- You can integrate vRealize Log Insight 4.6 with vRealize Operations Manager version 6.0 or later.
vRealize Log Insight 4.6 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 45.0 and above
- Google Chrome 51.0 and above
- Safari 9.1 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
The vRealize Log Insight 4.6 Windows agent supports the following versions.
- Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016
The vRealize Log Insight Linux agent supports the following distributions and versions.
- RHEL 5, RHEL 6, and RHEL 7
- SUSE Enterprise Linux (SLES 11 SP3) and SLES 12 SP1
- Ubuntu 14.04 LTS, and 16.04 LTS
- VMware Photon, version 1 revision 2 and version 2
vRealize Log Insight 4.6 has the following limitations.
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
- The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname and source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The exclude option uses the glob pattern .*, which matches hidden files.
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
vRealize Log Insight Integrations
Launch in context, both from vRealize Log Insight and vRealize Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the vRealize Operations instance and is not shown by the vCenter in the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.
Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter shows the virtual machine's IP address.
Keep in mind the following considerations when upgrading to this version of vRealize Log Insight.
You can upgrade to 4.6 directly from vRealize Log Insight 4.5 or 4.5.1. If you are running an earlier version of vRealize Log Insight, you must first incrementally upgrade your installation to 4.5 or 4.5.1.
Important Upgrade Notes
- To upgrade to vRealize Log Insight 4.6, you must be running vRealize Log Insight 4.5.
- When performing a manual upgrade, you must upgrade workers one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.6, a rolling upgrade occurs unless specifically disabled.
- Upgrading must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
- vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
- If the vRLI upgrade (.pak file) has a new JRE version, then the user-installed certificates in a vRealize Log Insight setup (such as for event forwarding) become invisible after upgrade.
vRealize Log Insight 4.6 includes the following localization features.
- The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server web user interface supports Unicode data, including machine learning features.
- vRealize Log Insight agents work on non-English native Windows.
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- Integration with Active Directory, vSphere, and vRealize Operations Manager for user names with non-ASCII characters is not supported.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
The following defects have been fixed:
- Upgrade fails when the /storage/var partition is full.
- When you do not provide a license on the License page, a tooltip for evaluation licenses is displayed.
- A bug leading to agent crash was fixed.
- Incorrect handling of copytruncate rotation scheme for log files in some circumstances.
Known Issues
The following known issues are present in this release.
- Limitations on use of non-ASCII characters when used as part of a virtual IP address in an FQDN
Virtual IPs that contain non-ASCII characters in the FQDN cannot be used in the following cases:
- With vIDM integration as a redirect URL
- With vSphere integration to configure ESXi hosts as target to send syslog
- With vRealize Operations integration as a target
- Upgrade for multiple nodes fails because a node is unable to copy a PAK file from the master node
As part of an upgrade, vRealize Log Insight checks that the PAK file has been successfully copied before starting upgrade for the node. If the copy cannot be verified, the upgrade is rolled back. This can take a considerable amount of time for large clusters.
Workaround: Either retry the upgrade or manually upgrade the nodes.
- Node restarts for no obvious reason resulting in uptime reset, VIP unavailability, leader re-election, and related issues
/storage/var fills up due to excessive logging to loginsight_daemon_stdout.log file and the file's rotation.
Workaround: Make sure that loginsight_daemon_stdout.log and its rotated versions on the /storage/var mount are the files that are taking up the space. Once confirmed, remove the rotated versions. If the removal is not reflected in the `df -h` output, a VM restart fixes the issue.
- When a vRealize Log Insight instance uses the VMware Identity Manager integration and a cluster that is configured without a virtual IP address, links to alerts in automatically generated email messages are incorrect.
This is also true for site configurations that use multiple virtual IPs.
The alert links sent in email alerts are created using a FQDN, but VMware Identity Manager redirects back to the IP address of the vRealize Log Insight master node instead of the FQDN of the virtual IP address.
Workaround: From the drop-down menu icon on the Web interface, select Administration > Cluster. In the Integrated Load Balancer section, open the Add New IP Address window and add the virtual IP address to the vRealize Log Insight cluster by specifying its FQDN.
Reconfigure VMware Identity Manager integration with the newly created VIP.
- In rare cases, data from re-created folders might not be collected.
When a vRealize Log Insight agent is configured to monitor a complex-structured hierarchy of folders, such as 100 or more nested folders, and the directory wildcard feature is used, folders that have been deleted and re-created with the same name might not be indicated for monitoring.
Workaround: Restart the vRealize Log Insight agent service.
- Export events data does not always return the complete list of events in exported file
When you export a large number of events, there might be points where all cluster resources are used for ingestion/query processing and some internal query requests might be missed. This can result in an incomplete list of events in the exported file.
Workaround: Try the export again.
- The default settings for small-sized vRealize Log Insight virtual appliances cause performance to degrade and must be reset by the user.
Serious performance degradation occurs when you use the default settings for small size deployments. Insufficient memory affects the user interface and other processes.
Workaround: Increase memory. For example, for a four-node cluster, increase memory from the default 8 GB to 16 GB.
- For Linux, collection from some directories does not take place until the agent is restarted or a reconfiguration event occurs
On Linux systems, if a new directory is created after agent reconfiguration, the newly created directories are ignored during collection.
Workaround: To start directory monitoring, restart the service or update agent configuration with the liagent.ini file or from the Server Admin Agents page.
- Addition to the documentation topic Planning Your vRealize Log Insight Deployment
Although the minimum number of nodes in a vRealize Log Insight cluster is three, if there is failure of the nodes, a cluster with fewer than three healthy nodes will not be fully functional. Also, the number of healthy nodes in cluster must be greater than half of the total number of cluster nodes. For example, if you have a six-node cluster and three of the nodes become unavailable, it will not be fully functional anymore unless you remove the non-functional nodes from the cluster. Removal and reintroduction of a cluster node is not supported.
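A read-only check for the first step of the /storage/var workaround in the node-restart known issue above (confirming that loginsight_daemon_stdout.log and its rotated versions are what fills the mount), given here as an added example that is not part of the release notes or of VMware's tooling. The function names are hypothetical, and it is an assumption that rotated versions keep the file name as a prefix.

```shell
#!/bin/sh
# Added example (not VMware code). Assumption: rotated versions keep the name
# loginsight_daemon_stdout.log as a prefix, with a suffix appended.
LOG_NAME='loginsight_daemon_stdout.log'

# stdout_logs ROOT -> the live file and its rotated versions under ROOT
stdout_logs() {
    find "$1" -xdev -type f -name "${LOG_NAME}*" 2>/dev/null | sort
}

# rotated_logs ROOT -> rotated versions only; the live file is left out
rotated_logs() {
    find "$1" -xdev -type f -name "${LOG_NAME}?*" 2>/dev/null | sort
}

# stdout_log_kib ROOT -> combined apparent size of those files, in KiB
stdout_log_kib() {
    find "$1" -xdev -type f -name "${LOG_NAME}*" -exec wc -c {} + 2>/dev/null |
        awk '$2 != "total" { sum += $1 } END { printf "%d\n", sum / 1024 }'
}

# mount_used_kib ROOT -> KiB in use on the filesystem that holds ROOT
mount_used_kib() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $3 }'
}

# report ROOT -> print the figures to review before removing anything
report() {
    used=$(mount_used_kib "$1")
    logs=$(stdout_log_kib "$1")
    echo "filesystem used: ${used:-unknown} KiB"
    echo "${LOG_NAME}*: ${logs} KiB"
    if [ "${used:-0}" -gt 0 ]; then
        echo "share of used space: $(( logs * 100 / used ))%"
    fi
    echo "rotated versions found:"
    rotated_logs "$1"
}

# Default to the mount named in the known issue; do nothing if it is absent.
ROOT=${1:-/storage/var}
if [ -d "$ROOT" ]; then report "$ROOT"; fi
```

The script only lists and measures files; removal of the rotated versions remains a manual step once the figures confirm the cause.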