vRealize Log Insight 8.10.2 | 01 MAR 2023
Check for additions and updates to these release notes.
vRealize Log Insight delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high-performance search enable faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.
For more information, see the vRealize Log Insight product documentation at https://docs.vmware.com/en/vRealize-Log-Insight/index.html.
vRealize Log Insight 8.10.2 is a maintenance release. Here are some of the key highlights of the release:
Security Fixes: This release resolves CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711. For more information on these vulnerabilities and their impact on VMware products, please see VMSA-2023-0001.
Updates for Apache Tomcat, Photon OS, and OpenJDK
vRealize Log Insight 8.10.2 supports the following VMware products and versions:
vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 6.5 or later. In FIPS mode, vRealize Log Insight can be integrated with VMware vCenter Server 6.5 or later.
You can integrate vRealize Log Insight 8.10.2 with vRealize Operations 8.2 or later.
You can install and upgrade vRealize Log Insight by using vRealize Suite Lifecycle Manager. For more information, see the vRealize Suite Lifecycle Manager Installation, Upgrade, and Management Guide.
vRealize Log Insight 8.10.2 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
Mozilla Firefox 80.0 and above
Google Chrome 91.0 and above
Safari 13.1.2 and above
Microsoft Edge 91.0 and above
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 8.10.2 Windows agent supports the following versions:
Windows 7, Windows 8, Windows 8.1, and Windows 10
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019
vRealize Log Insight Linux Agent Support
The vRealize Log Insight 8.10.2 Linux agent supports the following distributions and versions:
RHEL 5, RHEL 6, RHEL 7, and RHEL 8
SUSE Enterprise Linux (SLES 11 SP3) and SLES 12 SP1
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04
VMware Photon, version 1 revision 2, version 2, and version 3
vRealize Log Insight 8.10.2 has the following limitations:
vRealize Log Insight does not handle non-printable ASCII characters correctly.
vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
Adding a new index partition or deleting an existing one requires a cluster restart (restarting cluster nodes one by one) for the new configuration to become effective. However, changes in the routing filter, enabled status, and retention period for existing index partitions apply immediately (restarting the cluster is not required).
Once activated, FIPS mode cannot be disabled.
vRealize Log Insight Windows and Linux Agents
Non-ASCII characters in source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file:
vRealize Log Insight Linux Agent
Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The exclude option uses the glob pattern .*, which represents the hidden file format.
When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
vRealize Log Insight Integrations
Launch in context, both from vRealize Log Insight and vRealize Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the vRealize Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.
Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.
Keep in mind the following considerations when upgrading to this version of vRealize Log Insight.
You can upgrade to vRealize Log Insight 8.10.2 from 8.10 or 8.8.x.
Important Upgrade Notes
To upgrade to vRealize Log Insight 8.10.2, you must be running vRealize Log Insight 8.10 or 8.8.x.
When performing a manual upgrade from the command line, you must upgrade workers one at a time. Upgrading more than one worker at the same time causes an upgrade failure.
When you upgrade the primary node to vRealize Log Insight 8.10.2 from the user interface, a rolling upgrade occurs unless specifically disabled.
Upgrading must be done from the primary node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
Photon OS has strict rules for the number of simultaneous SSH connections. Because the MaxAuthTries value is set to 2 by default in the /etc/ssh/sshd_config file, the SSH connection to your vRealize Log Insight virtual appliance might fail in the presence of multiple connections, with the following message: "Received disconnect from xx.xx.xx.xxx port 22:2: Too many authentication failures". You can use any of the following workarounds for this issue:
Use the IdentitiesOnly=yes option while connecting via SSH:
# ssh -o IdentitiesOnly=yes user@ip
Update the ~/.ssh/config file to add:
Host *
    IdentitiesOnly yes
Change the MaxAuthTries value by modifying the /etc/ssh/sshd_config file and restarting the sshd service.
After the upgrade, you must manually update existing webhook configurations with a Slack endpoint.
The VM's SSH fingerprint is not preserved and changes after every upgrade, which might impact the appearance and user interface for users who connect using SSH. You must accept a new SSH fingerprint after the upgrade.
Any API traffic sent to a vRealize Log Insight instance on port 443 will be rejected. Although port 443 has never been declared for API traffic, it used to work before and will not work starting from version 8.10. Instead, use the recommended port 9543.
vRealize Log Insight 8.10.2 includes the following localization features.
The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
The vRealize Log Insight server web user interface supports Unicode data, including machine learning features.
vRealize Log Insight agents work on non-English native Windows.
The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
Integration with Active Directory, vSphere, and vRealize Operations for user names with non-ASCII characters is not supported.
Localization of event logs is not supported. Event logs support UTF-8 and UTF-16 character encoding only.
Resolutions for the following issues are included in this release.
"Page not found" error is displayed on the primary node UI after upgrading to 8.10
If there is a VIDM integration configured and vRealize Log Insight is upgraded to 8.10, the "Page not found" error might be displayed on the primary node UI.
Workaround: You can find the detailed workaround in the following KB article: https://kb.vmware.com/s/article/90257
The vCenter Server logs forwarded from vRealize Log Insight have 0 timestamp at the destination
When vCenter Server logs are ingested into vRealize Log Insight and forwarded to another destination through the syslog protocol, the logs' timestamp is lost.
Webhook authorization does not work for webhooks with username:password information in the URL
When the basic authorization information is provided in the webhook URL, the authorization does not work.
Workaround: Use an Authorization header with basic authentication information instead of providing the username and password in the URL.
System alert suppression does not work
System alerts are sent even after being deactivated.
The following known issues are present in this release.
Failure to save a configuration when there is a long list of filters in agent groups
vRealize Log Insight fails to process a long list of filters in agent groups and cannot save any configuration because of this issue.
Workaround: Modify the internal configuration manually to remove or reduce the number of filters in the agent group or break it down into several agent groups.
vRealize Log Insight does not send more than 10 logs in webhook notifications
Regardless of the Log Payload option, vRealize Log Insight sends only up to 10 individual notifications or 10 logs in the payload to the webhook endpoint.
Users are not notified about cloud channel integration failure
Users do not receive notifications about failures related to cloud channel integration and cloud forwarding.
Workaround: Check the vRealize Log Insight runtime.log file for related issues, or check if the corresponding cloud organization is receiving the logs.
After upgrading to vRealize Log Insight 8.10.2, users with log forwarding capabilities do not have access to cloud forwarding
After upgrading to vRealize Log Insight 8.10.2, users with log forwarding capabilities do not have access to the Cloud Forwarding page.
Workaround: Add the Cloud Integration capability to custom roles after upgrading to vRealize Log Insight 8.10.2.
Inactive host notifications are sent when logs are relayed to vRealize Log Insight Cloud
In vRealize Log Insight, when you select the Inactive hosts notification check box under Management > Hosts and select the Relay Only option while configuring log forwarding to vRealize Log Insight Cloud, you receive inactive host notifications. The value in the Last Received Event column in the Hosts page increases with time, which indicates that a previously active host does not ingest logs anymore.
This behavior occurs because log events are not considered received until the events are ingested. When you select the Relay Only option for cloud forwarding, a certain category of log events is never ingested (depending on your filter definition), which results in some hosts mistakenly reporting as non-ingesting and inactive.
The first run for real-time alerts is delayed
The first run for a real-time alert is scheduled five minutes after creating or enabling it.
Workaround: Wait for five minutes after creating or enabling a real-time alert. Then, the scheduler works as expected and the alert query is run every minute.
Collection from some directories does not take place if they were created before an agent start or re-configuration event
If a new directory is created after re-configuration of the agent, collection from the newly created directory does not happen.
Workaround: To start directory monitoring, restart the service or update agent configuration with the liagent.ini file or from the Server Admin Agents page.
No automatic upgrade for vRealize Log Insight Agent on Photon OS
You cannot perform an automatic upgrade for vRealize Log Insight Agent on Photon OS because Photon OS does not support the gpg command.
Workaround: Perform a manual upgrade.
SMTP configurations might not work for public mail servers through IPv6
SMTP configurations might not work with public e-mail services such as Google and Yahoo, because these services might leverage tighter restriction policies for IPv6.
Workaround: Use an alternative mail server such as your corporate mail server, or bring up a dedicated server.
Integrating VMware Identity Manager with vRealize Log Insight through IPv4 changes the redirect URL host to IPv6 address
If you select the option to prefer IPv6 addresses when you deploy a vRealize Log Insight virtual appliance, the redirect URL host list is populated by IPv6 node addresses while integrating with VMware Identity Manager, which does not support IPv6.
Workaround: Create a spare IPv4 VIP for the integration of vRealize Log Insight with VMware Identity Manager.
The REST API call 'POST /api/v1/sessions' fails
When you join a newly deployed node in vRealize Log Insight 8.2 or 8.3 with an old cluster upgraded from 4.8 or earlier, the REST API call 'POST /api/v1/sessions' to the new worker node fails and throws the following error:
Error: write EPROTO 1319245176:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:
You can find the relevant log in the REST client. Because of this error, you cannot get a session for the node.
Workaround: Restart the vRealize Log Insight service by running the 'service loginsight restart' command on the affected node.
vRealize Log Insight cannot connect to a webhook server with a self-signed certificate
You cannot integrate vRealize Log Insight with a webhook server that uses a self-signed certificate, because the Trust On First Use (TOFU) pop-up window does not appear.
Workaround: Add a self-signed certificate manually to the vRealize Log Insight virtual appliance and restart it.
$ keytool -import -alias webhook -file <certificate> -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
$ service loginsight restart
No alert definitions for a vRealize Operations endpoint without integration permissions
You cannot define an alert that has a vRealize Operations endpoint without integration permissions for vRealize Operations.
Workaround: Assign the appropriate integration permissions to the role associated with the creator of the alert. Navigate to Management > Access Control. On the Roles tab, modify the role and provide the Integrations > vRealize Operations > Edit permission to the role.
The test alert sent to a webhook URL fails because of basic authentication issues
When you create an alert with webhook notifications and send a test alert, the alert fails. This happens when the correct credentials are rejected because of basic authentication issues.
Workaround: Add a custom header with the encoded username:password combination.
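The workaround above, which is also the workaround given for the resolved issue with username:password information in the webhook URL, as an added example that is not part of the VMware release notes: a Python helper that moves credentials embedded in a webhook URL into a Basic Authorization header and returns the URL without them. The function name and the hooks.example.test URLs are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit, unquote


def split_webhook_credentials(url):
    """Return (url_without_userinfo, headers) for a webhook URL.

    If the URL embeds user:password, the pair is moved into a Basic
    Authorization header (RFC 7617) and removed from the URL, so the
    secret no longer appears wherever the URL is stored or displayed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("webhook URL must be http or https")
    if parts.username is None:
        return url, {}  # nothing embedded, nothing to move

    # Userinfo is percent-encoded inside a URL; the header carries raw values.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    if ":" in user:
        raise ValueError("user-id must not contain ':' (RFC 7617)")

    # Rebuild host[:port] without the userinfo; re-bracket IPv6 literals.
    host = parts.hostname or ""
    if ":" in host:
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"

    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    # Constructed sample URL, not taken from the release notes.
    sample = "https://alerts:p%40ss%3Aword@hooks.example.test:8443/notify?x=1"
    clean_url, headers = split_webhook_credentials(sample)
    print(clean_url)
    print(headers)
```

Enter the returned URL as the webhook URL and the returned header as the custom header in the webhook configuration.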