When an alert query is disabled, vRealize Log Insight does not send email or webhook notifications and does not trigger vRealize Operations Manager notification events.
Alert queries are user specific. You can manage only your own alerts. You must be assigned a Super Admin role to manage other users' alerts.
An alert query is disabled under the following conditions.
- If you disable all notification options in the Edit Alert dialog box.
- If the alert is part of a content pack.
Content pack alert queries are read-only. To save changes to a content pack alert, you have to save the alert to your custom content.
Verify that you are logged in to the vRealize Log Insight web user interface. The URL format is https://log_insight-host, where log_insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
Verify that an administrator has configured SMTP to enable email notifications. See Configure the SMTP Server for Log Insight.
Verify that an administrator has configured the connection between vRealize Log Insight and vRealize Operations Manager to enable alert integration. See Configure Log Insight to Send Notification Events to vRealize Operations Manager.
- Navigate to the Interactive Analytics tab.
- From the Create or manage alerts menu on the right of the Search button, select Manage Alerts.
- In the Alerts list, click one or more alert queries that you want to enable.
- Select the notification options that you want to enable, and provide the required parameters.
  - For email notifications, enter at least one email address in the text box. Use commas to separate multiple addresses.
  - For webhook notifications, enter the URL to which you want vRealize Log Insight to send the notifications.
  - Send to vRealize Operations Manager: Select a vRealize Operations Manager resource to associate with the notification events, and select the criticality level of the events.
- Save your changes.
This button appears when you modify your own alerts.
Save to My Alerts: This button appears when you modify a shared alert or a content pack alert. The original alert remains unchanged, but you save a copy of the alert to your custom content.
When the alert query returns results that match the alerting criteria, vRealize Log Insight sends notifications according to your configuration.
Enable an Alert from the VMware - vSphere Content Pack
The VMware - vSphere content pack contains several predefined alert queries, including the vCenter Server: ESX/ESXi stopped logging alert.
Enabling the vCenter Server: ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect if there is an ESXi host that has stopped sending syslog feeds.
- On the Interactive Analytics tab, expand the drop-down menu on the right of the Search button, and select Manage Alerts.
- Under VMware - vSphere Content Pack, click vCenter Server: ESX/ESXi stopped logging.
- Enable Email notifications, Webhook notifications, or vRealize Operations Manager notification events.
- Click Save to My Alerts.
To detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight, you can add the following filter to the alert query: vc_remote_host (VMware - vSphere) contains <log-insight-hostname>, and save the new query to your alerts.
For details about syslog problems and solutions, see the Knowledge Base article VMware ESXi 5.x host stops sending syslogs to remote server (2003127) at https://kb.vmware.com/kb/2003127.
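An offline sketch of the detection logic that the stopped-logging alert and its vc_remote_host filter describe, added here as an example and not taken from VMware's documentation or product code. The line layout, the esx_host field, the host names, and the function name are constructed assumptions, and plain substring matching stands in for the product's contains operator.

```python
import re
from datetime import datetime

EVENT_ID = "esx.problem.vmsyslogd.remote.failure"  # event named on this page

# Constructed line layout (an assumption, not vCenter's real format):
#   <ISO timestamp> <vcenter> vpxd: [<event id>] esx_host=<host> vc_remote_host=<target>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+vpxd:\s+\[(?P<event>[\w.]+)\]\s+"
    r"esx_host=(?P<esx>\S+)\s+vc_remote_host=(?P<remote>\S+)"
)

SAMPLE_LINES = [  # constructed sample input, not real log data
    "2024-05-01T10:00:00 vc01 vpxd: [esx.problem.vmsyslogd.remote.failure] esx_host=esx-a.example vc_remote_host=loginsight.example:514",
    "2024-05-01T10:05:00 vc01 vpxd: [esx.problem.vmsyslogd.remote.failure] esx_host=esx-b.example vc_remote_host=othersyslog.example:514",
    "2024-05-01T10:07:00 vc01 vpxd: [example.other.event] esx_host=esx-c.example vc_remote_host=loginsight.example:514",
    "2024-05-01T10:10:00 vc01 vpxd: [esx.problem.vmsyslogd.remote.failure] esx_host=esx-a.example vc_remote_host=loginsight.example:514",
    "malformed line without the expected fields",
]


def hosts_stopped_logging(lines, log_insight_host=None):
    """Return {esx_host: latest failure time} for the stopped-logging event.

    If log_insight_host is given, keep only events whose vc_remote_host
    contains it, mirroring the filter suggested for the alert query.
    """
    stopped = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != EVENT_ID:
            continue  # unrelated event or unparseable line
        if log_insight_host and log_insight_host.lower() not in m["remote"].lower():
            continue  # failure concerns a different syslog target
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # skip lines with an unusable timestamp
        if m["esx"] not in stopped or ts > stopped[m["esx"]]:
            stopped[m["esx"]] = ts
    return stopped


if __name__ == "__main__":
    for host, ts in sorted(hosts_stopped_logging(SAMPLE_LINES, "loginsight.example").items()):
        print(f"{host} stopped sending syslog at {ts.isoformat()}")
```

Without the host filter, failures toward any syslog target are reported, which is the behavior of the unmodified content pack alert.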