vRealize Log Insight provides built-in system alerts for critical issues. You can also configure vRealize Log Insight to run specific queries at scheduled intervals.

System Alerts

System alerts contain information about activities related to vRealize Log Insight's health, such as when the disk space is almost exhausted and old log files are about to be deleted. For information about managing the notifications for these alerts, see Managing System Notifications.

To view the list of system alerts and information about their status and frequency, expand the main menu and navigate to the Alerts > System Alerts. You can activate or deactivate system alerts.

User-Defined Alerts

You can define alerts in vRealize Log Insight and send email or webhook notifications, or trigger notification events in vRealize Operations if the number of events that match the query exceeds the thresholds that you have set.

To view the list of user-defined alerts and information about their status, owner, origin, and so on, navigate to Alerts > Alerts Definition.

Note:
  • If your user account is assigned a role with view access to alerts, you can view all the alerts in your organization . However, you can manage only your own alerts.
  • If your user account is assigned a role with edit or full access to alerts:
    • You can enable or disable all the system alerts in your organization.
    • You can create, modify, and remove all the user-defined alerts in your organization. For example, a user with a Super Admin role can manage the alerts of other users.
For information about roles, see Create and Modify Roles in Administering vRealize Log Insight.

Content Pack Alerts

Content packs can contain alert queries. The vSphere content pack that is included in vRealize Log Insight by default contains several predefined alert queries. They can trigger alerts if an ESXi host stops sending syslog data, if vRealize Log Insight can no longer collect events, tasks, and alarms data from a vCenter Server, or when an alarm status changes to red. You can use these alert queries as templates to create alerts that are specific to your environment.

All content pack alerts are deactivated by default.

Enabling the ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect whether there is an ESXi host that has stopped sending syslog feeds. For details about syslog problems and solutions, see VMware ESXi 5.x host stops sending syslogs to remote server (2003127).

You can add the following filter to the alert query and save it as a new alert to detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight: vc_remote_host (VMware - vSphere) contains log-insight-hostname.

If your user account is assigned a role with full access for content packs and alerts, you can activate a content pack alert and modify its notifications. However, you cannot update or remove the content pack alert.