What's in the Release Notes

The notes cover the following topics:

About vRealize Log Insight

vRealize Log Insight delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.

For more information, see the vRealize Log Insight product documentation at  https://docs.vmware.com/en/vRealize-Log-Insight/index.html.

What's New

Here are some of the key highlights of vRealize Log Insight 8.6 that will help you leverage log data more quickly, accurately, and powerfully than ever before:

  • Alert Definition: The new alert management UI lets you create a granular rule definition of log alerts and events, with the ability to configure triggers in real time or group them across specific time windows. The Alert Definition options let you browse through all the log alert rules at one place. You can sort them by using text filters or by origin and type. You can select multiple alerts definitions and take actions quickly like enable, disable, or delete them. 

  • Extracted Fields in Alert Notifications: The new alert creation flow lets you include extracted fields in the title and description to enhance alert notifications.

  • System Alerts: A system alert is triggered when the system wants to notify you about a problem. This page provides details about all the built-in system alerts available in vRealize Log Insight. You can use a toggle to enable or disable a system alert and configure email notifications to receive emails when an event is triggered.

  • Role-based Access Control: Roles are associated with permissions that allow users to perform different activities within vRealize Log Insight. You can now create granular roles with an ability to configure access at a feature level. The administrator has the flexibility to provide no access, view, or edit access for each feature.

  • NSX Identify Firewall Integration: The integration of NSX IDFW with vRealize Log insight lets NSX provide access control by using third-party providers such as Global Protect, ClearPass, and so on. vRealize Log Insight parses auth logs from the providers, extracts user ID-to-IP mapping information, and sends the data to NSX for further processing.

  • Query Optimization: Query performance has remarkably improved for queries based on extracted fields.

  • vRealize Log Insight Cloud: You can now request for a free trial for vRealize Log Insight Cloud to build a hybrid log management solution. Explore the following capabilities in vRealize Log Insight Cloud with detailed setup instructions available in-product:

    • Simplify Log Archival with Non-Indexed Partitions: Use vRealize Log Insight Cloud to archive logs to meet your long-term retention requirements. vRealize Log Insight Cloud provides a logging solution at a low cost and eliminates any storage management overheads of the past. This enables easy accessibility to archived logs through on-demand queries.

    • Actionable Insights from your Logs with AI/ML Capabilities: Forward desired logs from multiple geographies and gain a unified view of your system. Use the AI/ML capabilities of vRealize Log Insight Cloud to identify critical issues across the environment and gain actionable insights.

  • IPV6 Support: The following scenarios for IPV6 deployment are supported:

    • Pure stack IPv6 deployment
    • Dual stack IPv6 deployment with a fixed stack for inter-node communication
    • Integrations over IPv6 for vRealize Operations Manager, Active Directory, vSphere, and so on.
  • Working with an Integrated Load Balancer: vRealize Log insight now supports a configuration of up to 60 virtual IP addresses.


vRealize Log Insight 8.6 supports the following VMware products and versions:

  • vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 6.0 or later. In FIPS mode, vRealize Log Insight can be integrated with VMware vCenter Server 6.0 U1 or later.
  • You can integrate vRealize Log Insight 8.6 with vRealize Operations Manager version 8.0.1 or later.
  • vRealize Suite Lifecycle Manager 8.4.1 Product Support Pack 1 supports the installation of vRealize Log Insight 8.6. For more information, see the vRealize Suite Lifecycle Manager 8.4.1 Release Notes. To install and upgrade vRealize Network Insight by using vRealize Suite Lifecycle Manager, see the vRealize Suite Lifecycle Manager Installation, Upgrade, and Management Guide.

Browser Support

vRealize Log Insight 8.6 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.

  • Mozilla Firefox 72.0 and above
  • Google Chrome 78.0 and above
  • Safari 11.1 and above
  • Internet Explorer 11.0 and above
    Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.

The minimum supported browser resolution is 1280 by 800 pixels.

Important: Cookies must be enabled in your browser.

vRealize Log Insight Windows Agent Support

The vRealize Log Insight 8.6 Windows agent supports the following versions:

  • Windows 7, Windows 8, Windows 8.1, and Windows 10
  • Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019

vRealize Log Insight Linux Agent Support

The vRealize Log Insight Linux agent supports the following distributions and versions:

  • RHEL 5, RHEL 6, RHEL 7, and RHEL 8
  • SUSE Enterprise Linux (SLES 11 SP3) and SLES 12 SP1
  • Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 18.04
  • VMware Photon, version 1 revision 2, version 2, and version 3


vRealize Log Insight 8.6 has the following limitations:


  • vRealize Log Insight does not handle non-printable ASCII characters correctly.
  • vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
  • The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.

    The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.

  • Adding a new data partition or deleting an existing one requires a cluster restart (restarting cluster nodes one by one) for the new configuration to become effective. However, changes in the routing filter, enabled status, and retention period for existing data partitions apply immediately (restarting the cluster is not required).

  • Once activated, FIPS mode cannot be disabled.

vRealize Log Insight Windows and Linux Agents

  • Non-ASCII characters in hostname and source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.

vRealize Log Insight Windows Agent

  • The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.

vRealize Log Insight Linux Agent

  • Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
  • The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
  • The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
  • When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.

vRealize Log Insight Integrations

Launch in context, both from vRealize Log Insight and vRealize Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the vRealize Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.
Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.

Upgrading from a Previous Version of vRealize Log Insight

Keep in mind the following considerations when upgrading to this version of vRealize Log Insight. 

Upgrade Path

You can upgrade to vRealize Log Insight 8.6 from 8.4.

Important Upgrade Notes

  • To upgrade to vRealize Log Insight 8.6, you must be running vRealize Log Insight 8.4.
  • When performing a manual upgrade from the command line, you must upgrade workers one at a time. Upgrading more than one worker at the same time causes an upgrade failure.
  • When you upgrade the primary node to vRealize Log Insight 8.6 from the user interface, a rolling upgrade occurs unless specifically disabled. ​
  • Upgrading must be done from the primary node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
  • vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
  • Photon OS has strict rules for the number of simultaneous ssh connection. Because the MaxAuthtries value is set to 2 by default in the /etc/ssh/sshd_config file, the ssh connection to your vRealize Log Insight virtual appliance might fail in the presence of multiple connections, with the following message: "Received disconnect from xx.xx.xx.xxx port 22:2: Too many authentication failures". You can use any of the following workarounds for this issue:
    • Use the IdentitiesOnly=yes option while connecting via ssh: #ssh -o IdentitiesOnly=yes user@ip
    • Update the ~/.ssh/config file to add: Host* IdentitiesOnly yes
    • Change the MaxAuthtries value by modifying the /etc/ssh/sshd_config file and restarting the sshd service.

Internationalization Support

vRealize Log Insight 8.6 includes the following localization features.

  • The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
  • The vRealize Log Insight server web user interface supports Unicode data, including machine learning features.
  • vRealize Log Insight agents work on non-English native Windows.


  • The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
  • vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
  • Integration with Active Directory, vSphere, and vRealize Operations Manager for user names with non-ASCII characters is not supported.
  • Localization of event logs is not supported. Event logs support UTF-8 and UTF-16 character encoding only.

Resolved Issues

The following resolved issues are present in this release.

  • Active Directory configuration with REST API fails if SSL is enabled

    When SSL is enabled, the Active Directory configuration with REST API fails.

    Workaround: Configure the Active Directory integration from the vRealize Log Insight UI.

  • vCenter task and event collection fails

    vRealize Log Insight receives a daily system alert stating that vCenter task and event collection failed for certain hosts.

    Workaround: See https://kb.vmware.com/s/article/70633 for the workaround.

  • The root partition fills up with Apache Tomcat access log files

    The root partition fills up with Apache Tomcat access log files, causing vRealize Log Insight service failures due to insufficient disk space.

    Workaround: None.

  • Slack does not receive webhook notifications if the ${messages} field is used

    Slack does not receive webhook notifications if the ${messages} field is used in the body of the webhook configuration.

    Workaround: Removing the ${messages} field lets Slack receive alert notifications; however, there will be no log samples.

  • Webhook notifications contain logs samples that do not match the alert conditions

    The ${messages} field in a webhook notification contains logs samples that do not match the corresponding alert condition, even when the alert is triggered as expected.

    Workaround: None.

  • Users with Interactive Analytics access cannot unsubscribe from alerts

    Users with Interactive Analytics access are not able to remove their email and webhook endpoints from alerts.

    Workaround: The Super Admin user can unsubscribe users from alerts by removing their email and webhook endpoints from alerts.

  • Emails sent successfully without a truststore certificate

    vRealize Log Insight sends emails even when there are no certificates for the SMTP server in the truststore.

    Workaround: None

  • The text field is not available when defining a data set

    When you define a data set, the text field is not available in the drop-down menu for selecting a field to filter events.

    Workaround: None.

  • Unsupported browser locales cause vRealize Log Insight to become unresponsive

    Opening vRealize Log Insight in unsupported browser locales results in the sizes of the vip-info.log and vip-error.log files increasing significantly, which fills up /storage/var/. This causes vRealize Log Insight to become unresponsive.

    Workaround: None.

  • Log rotation configuration for file auth.log does not work

    The log rotation configuration for the file auth.log does not work or is misconfigured, which lets the file grow in size and occupy a lot of space on the disk.

    Workaround: Monitor the file size and manually remove the file when it becomes too large.

  • Active Directory users cannot access vRealize Log Insight after upgrading to version 8.1.1 

    After upgrading to vRealize Log Insight 8.1.1, Active Directory (AD) users cannot access vRealize Log Insight.

    Workaround: None.

  • Testing a custom SMTP server configured with STARTTLS in FIPS mode throws a certificate error

    While configuring a custom SMTP server with the STARTTLS option in FIPS mode, clicking Send Test Email displays a pop-up window to accept the self-signed certificate. When you accept the certificate, the following error is displayed:

    Unable to find valid certification path to requested target

    Workaround: Restart the vRealize Log Insight service by running the service loginsight restart command.

  • A shared dashboard URL created by vIDM users fails to load data

    If you access vRealize Log Insight as a vIDM user and create a shared dashboard URL, accessing the dashboard URL does not load any data.

    Workaround: Use a local account to create a shared dashboard URL.

  • No Trust On First Use pop-window to accept Active Directory certificate

    When you configure Active Directory (AD) authentication, if you leave the Default Domain empty, the Trust On First Use (TOFU) pop-up window to accept the AD certificate does not appear. Instead, the following message appears:

    Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password. 

    Workaround: Enter a value for the Domain Controller when you configure AD authentication.

Known Issues

The following known issues are present in this release. 

  • Virtual Center (VC) events collection is delayed

    After a restart of the vRealize Log Insight service or a cluster upgrade, Virtual Center (VC) events collection might be delayed if a large number of VC's are integrated.

    Workaround: Events are automatically restored as collected after a sufficient amount of time. The length of time depends on your environment. For example, for 80 VCs on a cluster with four nodes, the delay would be an hour.

  • vRealize Log Insight cannot authenticate users and groups from a second trusted Active Directory when a two-way trust is configured

    When an Active Directory is configured with a two-way trust with another Active Directory, vRealize Log Insight cannot authenticate users and groups of the second trusted Active Directory. 

    Workaround: Use vIDM,  which is directly integrated with both Active Directories.

  • Collection from some of directories will not take place if they were created before agent start or re-configuration event.

    If a new directory is being created after re-configuration of the Agent collection of newly created directories will not happen

    Workaround: To start directory monitoring, restart the service or update agent configuration with the liagent.ini file or from the Server Admin Agents page.

  • No automatic upgrade for vRealize Log Insight Agent on Photon OS

    You cannot perform an automatic upgrade for vRealize Log Insight Agent on Photon OS because Photon OS does not support the gpg command.

    Workaround: Perform a manual upgrade.

  • SMTP configurations might not work for public mail servers through IPv6

    SMTP configurations might not work with public e-mail services such as Google and Yahoo, because these services might leverage tighter restriction policies for IPv6. 

    Workaround: Use an alternative mail server such as your corporate mail server, or bring up a dedicated server.

  • Integrating VMware Identity Manager with vRealize Log Insight through IPv4 changes the redirect URL host to IPv6 address

    If you select the option to prefer IPv6 addresses when you deploy a vRealize Log Insight virtual appliance, the redirect URL host list is populated by IPv6 node addresses while integrating with VMware Identity Manager, which does not support IPv6.

    Workaround: Create a spare IPv4 VIP for the integration of vRealize Log Insight with VMware Identity Manager.

  • Layout issues in Internet Explorer 11.0 

    In Internet Explorer 11.0, there are layout issues for the user icon in the header and chart legend list display, on the Dashboards and Interactive Analytics tabs.

    Workaround: See https://kb.vmware.com/s/article/78592 for the workaround.

  • The REST API call 'POST /api/v1/sessions' fails

    When you join a newly deployed node in vRealize Log Insight 8.2 or 8.3 with an old cluster upgraded from 4.8 or earlier, the REST API call 'POST /api/v1/sessions' to the new worker node fails and throws the following error:

    Error: write EPROTO 1319245176:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:

    You can find the relevant log in the REST client. Because of this error, you cannot get a session for the node.

    Workaround: Restart the vRealize Log Insight service by running the 'service loginsight restart' command on the affected node.

  • vRealize Log Insight displays an "Upgrade unconfirmed" message even when the upgrade is successful

    While upgrading to vRealize Log Insight 8.4, a message stating that the upgrade status is unconfirmed might appear. This message does not have an impact on the overall upgrade status, and the upgrade is eventually successful.

    Workaround: None.

  • Alert title displays source field name instead of value

    When you use the source field name in an alert title in the format ${source}, the resulting alert notification title displays "${source}" instead of the value of the source field.

    Workaround: None.

  • vRealize Log Insight cannot connect to a webhook server with a self-signed certificate

    You cannot integrate vRealize Log Insight with a webhook server that uses a self-signed certificate, because the Trust On First Use (TOFU) pop-up window does not appear.

    Workaround: Add a self-signed certificate manually to the vRealize Log Insight virtual appliance and restart it.

    $ keytool -import -alias webhook -file <certificate> -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit
    $ service loginsight restart

  • Strings in Alerts and vRealize Log Insight Cloud pages are not localized

    The text used in the pages of the Alerts tab and LI Cloud tab are available in English only, and are not localized.

    Workaround: None.

  • No alert definitions for a vRealize Operations Manager endpoint without integration permissions

    You cannot define an alert that has a vRealize Operations Manager endpoint without integration permissions for vRealize Operations Manager.

    Workaround: Assign the appropriate integration permissions to the role associated with the creator of the alert. On the Administration tab, under Management, click Access Control. On the Roles tab, modify the role and provide the Integrations > vRealize Operations > Edit permission to the role.

  • The test alert sent to a webhook URL fails because of basic authentication issues

    When you create an alert with webhook notifications and send a test alert, the alert fails. This happens when the correct credentials are rejected because of basic authentication issues.

    Workaround: Add a custom header with the encoded username:password combination.

check-circle-line exclamation-circle-line close-line
Scroll to top icon