The files that contain system messages are on the vRealize Log Insight virtual appliance.
The following table lists each file and its purpose.
If you need information on log rotation or log archiving for these files, see Log Rotation Schemes Supported by vRealize Log Insight Agents in Working with vRealize Log Insight Agents and Data Archiving in Administering vRealize Log Insight.
File | Description |
---|---|
/var/log/vmware/loginsight/alert.log | Used to track information about user-defined alerts that have been triggered. |
/var/log/vmware/loginsight/apache-tomcat/logs/*.log | Used to track events from the Apache Tomcat server. |
/var/log/vmware/loginsight/cassandra.log | Used to track cluster configuration storage and replication in Apache Cassandra. |
/var/log/vmware/loginsight/plugins/vsphere/li-vsphere.log | Used to trace events related to integration with vSphere Web Client. |
/var/log/vmware/loginsight/loginsight_daemon_stdout.log | Used for the standard output of vRealize Log Insight daemon. |
/var/log/vmware/loginsight/phonehome.log | Used to track information about trace data collection sent to VMware (if enabled). |
/var/log/vmware/loginsight/pi.log | Used to track database start or stop events. |
/var/log/vmware/loginsight/runtime.log | Used to track all run time information related to vRealize Log Insight. |
/var/log/firstboot/stratavm.log | Used to track the events that occur at first boot and configuration of the vRealize Log Insight virtual appliance. |
/var/log/vmware/loginsight/systemalert.log | Used to track information about system notifications that vRealize Log Insight sends. Each alert is listed as a JSON entry. |
/var/log/vmware/loginsight/systemalert_worker.log | Used to track information about system notifications that a vRealize Log Insight worker node sends. Each alert is listed as a JSON entry. |
/var/log/vmware/loginsight/ui.log | Used to track events related to the vRealize Log Insight user interface. |
/var/log/vmware/loginsight/ui_runtime.log | Used to track runtime events related to the vRealize Log Insight user interface. |
/var/log/vmware/loginsight/upgrade.log | Used to track events that occur during a vRealize Log Insight upgrade. |
/var/log/vmware/loginsight/usage.log | Used to track all queries. |
/var/log/vmware/loginsight/vrops_integration.log | Used to track events related to the vRealize Operations integration. |
/var/log/vmware/loginsight/watchdog_log* | Used to track the runtime events of the watchdog process, which is responsible for restarting vRealize Log Insight if it is shut down for some reason. |
/var/log/vmware/loginsight/api_audit.log | Used to track the API calls to Log Insight. |
/var/log/vmware/loginsight/pattern_matcher.log | Used to track the pattern matching times and timeouts for field extraction. |
/var/log/vmware/loginsight/audit.log | Used to track how vRealize Log Insight is used. For more information, see Audit Logs in vRealize Log Insight. |
Log Messages Related to Security
The ui_runtime.log file contains user audit log messages in the following format.
- [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
- [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
- [2019-05-10 11:28:29.709+0000] ["https-jsse-nio-443-exec-9"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: Active Directory User: SAM=myusername, Domain=vmware.com,[email protected]]
- [2019-05-10 11:28:45.812+0000] ["https-jsse-nio-443-exec-3"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: Active Directory User: SAM=myusername, Domain=vmware.com,[email protected]]
- [2019-05-10 11:29:28.330+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: Local User: Name=myusername]
- [2019-05-10 11:29:47.078+0000] ["https-jsse-nio-443-exec-10"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User logged out: Local User: Name=myusername]
- [2019-05-10 11:29:23.559+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136 WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login failure: Bad username/password attempt (username: incorrectUser)]
- [2019-05-10 11:45:37.795+0000] ["https-jsse-nio-443-exec-7"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new user: Local User: Name=myusername]
- [2019-05-10 11:09:50.493+0000] ["https-jsse-nio-443-exec-6"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new user: vIDM: SAM=myusername, Domain=vmware.com, [email protected]]
- [2019-05-10 11:47:05.202+0000] ["https-jsse-nio-443-exec-10"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new group: (directoryType= VIDM, domain=vmware.com, group=vidm_admin)]
- [2019-05-10 11:58:11.902+0000] ["https-jsse-nio-443-exec-4"/10.153.234.136 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Removed groups: [class com.vmware.loginsight.database.dao.RBACADGroupDO<vidm/vmware.com/vidm_admin>]]
Some logs are available in debug level. For information about enabling the debug level for each node, see Enable Debug Level for User Audit Log Messages.
Tip: If you are an administrator, you can modify the logging level without restarting the vRealize Log Insight service. Go to http://<your_Log_Insight_host>/internal/config, update the value of the logging level for the relevant logs, and click Save. For example:
<self-logging>
  <logger name="root" level="INFO" />
</self-logging>
You can change the logging level to OFF, FATAL, ERROR, WARN, INFO, DEBUG, TRACE, or ALL.
Note: Each node in a vRealize Log Insight cluster has its own ui_runtime.log file. You can examine the log files of the nodes to monitor the cluster.
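The following is an added example, not VMware code: a parser for the ui_runtime.log audit message layout shown above that counts login failures per client IP, lists user and group changes, and reports which event types are written only at DEBUG level. The field layout is inferred from the sample lines on this page; the function names, the failure threshold, and the sample lines are assumptions made for the illustration.

```python
import re
from collections import Counter

# Layout inferred from the sample lines on this page:
# [timestamp] ["thread"/client-ip LEVEL] [logger class] [message]
LINE_RE = re.compile(
    r'^(?:- )?\[(?P<ts>[^\]]+)\] \["(?P<thread>[^"]*)"/(?P<ip>\S+) (?P<level>[A-Z]+)\] '
    r'\[(?P<logger>[^\]]+)\] \[(?P<msg>.*)\]\s*$')
# Message prefixes that appear in the page's samples.
EVENTS = {"User login success": "login_success", "User login failure": "login_failure",
          "User logged out": "logout", "Created new user": "user_created",
          "Created new group": "group_created", "Removed groups": "groups_removed"}
ACCOUNT_CHANGES = {"user_created", "group_created", "groups_removed"}

def parse_line(line):
    """Return a dict for one audit line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    prefix, _, rec["detail"] = rec["msg"].partition(": ")
    rec["event"] = EVENTS.get(prefix, "other")
    return rec

def failed_logins_by_ip(records, threshold=3):
    """Client IPs with at least `threshold` login failures (threshold is an assumption)."""
    counts = Counter(r["ip"] for r in records if r["event"] == "login_failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def account_changes(records):
    """User and group changes as (timestamp, ip, event, detail) tuples."""
    return [(r["ts"], r["ip"], r["event"], r["detail"])
            for r in records if r["event"] in ACCOUNT_CHANGES]

def events_lost_without_debug(records):
    """Event types seen only at DEBUG, which disappear when the level is INFO."""
    by_event = {}
    for r in records:
        by_event.setdefault(r["event"], set()).add(r["level"])
    return sorted(e for e, levels in by_event.items() if levels == {"DEBUG"})

# Constructed sample lines in the page's format (IPs from the documentation range).
SAMPLE = [
    '[2019-05-10 11:29:20.100+0000] ["https-jsse-nio-443-exec-7"/192.0.2.10 WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login failure: Bad username/password attempt (username: incorrectUser)]',
    '[2019-05-10 11:29:21.200+0000] ["https-jsse-nio-443-exec-7"/192.0.2.10 WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login failure: Bad username/password attempt (username: incorrectUser)]',
    '[2019-05-10 11:29:22.300+0000] ["https-jsse-nio-443-exec-7"/192.0.2.10 WARN] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login failure: Bad username/password attempt (username: admin)]',
    '[2019-05-10 11:29:28.330+0000] ["https-jsse-nio-443-exec-6"/192.0.2.10 DEBUG] [com.vmware.loginsight.web.actions.misc.LoginActionBean] [User login success: Local User: Name=myusername]',
    '[2019-05-10 11:45:37.795+0000] ["https-jsse-nio-443-exec-7"/192.0.2.20 INFO] [com.vmware.loginsight.web.actions.settings.UsersActionBean] [Created new user: Local User: Name=myusername]',
]
RECORDS = [r for r in map(parse_line, SAMPLE) if r]
```

Because the successful-login samples on this page are logged at DEBUG, a node left at INFO records failures and logouts but not the success that may follow a run of failures; to cover a cluster, feed the lines from every node's ui_runtime.log into the same functions.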