You can view system and user-defined alerts and check whether their notifications are activated. You can activate or deactivate multiple system and user-defined alerts, and set up email and webhook notifications for multiple user-defined alerts. You can also view the history of user-defined alerts.

Prerequisites

  • Verify that you are logged in to the vRealize Log Insight web user interface, for which the URL format is https://log_insight-host. Here, log_insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
  • Verify that your user account is associated with a role that has the relevant permissions for alerts.

    If your user account is assigned a role with view access to alerts (for example, the User role), you can view all the alerts in your organization, but you cannot change them.

    If your user account is assigned a role with edit or full access to alerts (for example, the Super Admin role):
    • You can activate or deactivate all the system alerts in your organization.
    • You can create, modify, and remove all the user-defined alerts in your organization.
    For information about roles, see Create and Modify Roles in Administering vRealize Log Insight.

Procedure

  • To view system alerts, navigate to Alerts > System Alerts.
    You see a list of system alerts with information about their status and frequency. You can activate or deactivate individual alerts by using the toggle button against each alert. To activate or deactivate multiple alerts, select the alerts and then select Actions > Enable or Actions > Disable.
    Tip: To select all the alerts, click the check box in the header.
  • To view user-defined alerts, navigate to Alerts > Alerts Definition.
    You see a list of user-defined alerts with information about their status, owner, origin, and target. For content pack alerts, the content pack name is listed in the Origin column. You can perform the following tasks:
    • Search for alerts by using the text search.
    • Filter alerts by origin or alert type and click Apply.

      When you filter alerts by origin, you can select user-defined, general alerts, or alerts for specific content packs.

      When you filter alerts by alert type, you can select real-time alerts, which are alerts based on every match. You can also select count-based alerts, which are alerts based on the total count of events, unique count of a field, or aggregation operation on a field.

    • Sort alerts by alert details, status, owner, and so on.
    • Add or remove columns to control the alert information displayed. Click the Show or hide columns icon in the lower left corner and select or clear columns according to your requirement.
      Tip:
      • The value in the Owner column is the name of the user who created the alert. For content pack alerts, this value is blank or System.

        For alerts created in vRealize Log Insight 8.4 or earlier, the value in the Owner column is a user assigned to the Super Admin role.

      • The value in the Last Hit column remains Never until the first hit occurs.
    • Activate or deactivate individual alerts by using the toggle button against each alert.
    • Activate or deactivate multiple alerts by following these steps.
      • To activate multiple alerts, select the alerts and then select Actions > Enable. In the Enable Alerts dialog box, you can set up email or webhook notifications for the selected alerts and click Enable.
        To send email notifications, in the Emails text box, enter comma-separated recipient email addresses.
        Note: Ensure that SMTP is configured to activate email notifications. For more information, see Configure the SMTP Server for Log Insight.

        To send webhook notifications, from the Webhook drop-down menu, select webhooks.

      • To deactivate multiple alerts, select the alerts and then select Actions > Disable.
      Tip: To select all the alerts, click the check box in the header.
    • View the history of an alert. Click the three dots icon against the alert and click History.

      In the Alert History dialog box, you can see the alert instances associated with the alert, along with the date and time for each alert instance. You can expand each alert instance for additional information and click the link icon to view the instance in the Explore Logs page.

    • View the log results for the query associated with an alert. Click the alert and then click Run Query to open the query in Explore Logs.
    • Modify an alert.
    • Remove one or more alerts. To remove an alert, click the three dots icon against the alert and click Delete. To remove multiple alerts, select the alerts and then select Actions > Delete.
  • To view content pack alerts, navigate to the Content Packs page. On the left pane, click a content pack and then click the Alerts tab.
    If your user account is assigned a role with full access for content packs and alerts, you can activate a content pack alert and modify its notifications in the Alerts page. However, you cannot change the query of a content pack alert or remove it. To change the query, save a modified copy as a user-defined alert.

Example: Activate an Alert from the VMware - vSphere Content Pack

The VMware - vSphere content pack contains several predefined alert queries, including the ESXi: Stopped logging alert.

Enabling the ESXi: Stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart vRealize Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect an ESXi host that has stopped sending its syslog feed. Because the alert matches an event reported through vCenter Server, it can only fire while vCenter Server events are still reaching vRealize Log Insight; a host that goes silent without raising this event is not detected by it.

  1. Navigate to Alerts > Alerts Definition.
  2. Search for the VMware - vSphere content pack alert *** CRITICAL *** ESXi: Stopped logging and click the alert name.
  3. Click the Edit icon in the upper-right corner.
  4. Activate email notifications, webhook notifications, or vRealize Operations notification events.
  5. Click Enable.

To detect only ESXi hosts that stop sending feeds to your instance of vRealize Log Insight (rather than to any remote syslog target), add the following filter to the alert query: vc_remote_host (VMware - vSphere) contains <log-insight-hostname>. Then save the modified query as a new user-defined alert.

For details about syslog problems and solutions, see the Knowledge Base article VMware ESXi 5.x host stops sending syslogs to the remote server (2003127) at https://kb.vmware.com/kb/2003127.
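The following is an added example, not code from VMware or the vSphere content pack. It re-implements offline the two detection ideas behind this alert so you can see what the filter does: it matches the vCenter Server event esx.problem.vmsyslogd.remote.failure and applies the suggested vc_remote_host contains <log-insight-hostname> filter, so that only failures that concern your own Log Insight instance fire. It goes beyond the page with a second, complementary check (an assumption of this example, not an alert the content pack defines): a per-host last-seen table that flags any ESXi host in an expected inventory whose newest syslog line is older than a threshold, which catches hosts that fall silent without ever emitting the failure event. The sample log lines, field names (vc_remote_host, vc_host), hostnames, and inventory are constructed for the example.

```python
"""Added example (not VMware's code): detect ESXi hosts that stopped logging.

Two checks over constructed log lines:
  1. match_stopped_logging(): the content-pack alert logic, with the
     "vc_remote_host contains <log-insight-hostname>" filter applied.
  2. silent_hosts(): an assumed complementary check that flags inventory
     hosts with no recent syslog traffic, event or no event.
"""
from datetime import datetime, timedelta

LOG_INSIGHT_HOST = "loginsight.example.local"           # assumed hostname
FAILURE_EVENT = "esx.problem.vmsyslogd.remote.failure"  # vCenter event from the page

# Assumed inventory of ESXi hosts that are expected to log to this instance.
ESXI_INVENTORY = {
    "esx01.example.local",
    "esx02.example.local",
    "esx03.example.local",
}

# Constructed sample lines, format "<ISO timestamp> <source host> <message>".
# The key=value fields imitate the content-pack field names; they are not a
# real vCenter capture.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 esx01.example.local vmkernel: cpu0: heartbeat",
    "2024-05-01T10:00:05 esx02.example.local vmkernel: cpu1: heartbeat",
    "2024-05-01T10:00:30 vcenter.example.local vpxd: event " + FAILURE_EVENT
    + " vc_remote_host=loginsight.example.local vc_host=esx03.example.local",
    "2024-05-01T10:00:40 vcenter.example.local vpxd: event " + FAILURE_EVENT
    + " vc_remote_host=splunk.example.local vc_host=esx04.example.local",
    "2024-05-01T10:10:00 esx01.example.local vmkernel: cpu0: heartbeat",
]

# Evaluation time for the silence check (fixed so the example is reproducible).
NOW = datetime(2024, 5, 1, 10, 10, 0)


def parse_line(line):
    """Split a sample line into (timestamp, source host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def parse_fields(msg):
    """Extract key=value tokens from a message into a dict."""
    fields = {}
    for token in msg.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_stopped_logging(lines, log_insight_host=LOG_INSIGHT_HOST):
    """Return the ESXi hosts (vc_host) whose vmsyslogd reported a failure
    reaching the given Log Insight host, mirroring the filtered alert query."""
    hits = []
    for line in lines:
        _, _, msg = parse_line(line)
        if FAILURE_EVENT not in msg:
            continue
        fields = parse_fields(msg)
        # The page's filter: vc_remote_host contains <log-insight-hostname>.
        if log_insight_host in fields.get("vc_remote_host", ""):
            hits.append(fields.get("vc_host", "unknown"))
    return hits


def silent_hosts(lines, inventory, now, max_gap=timedelta(minutes=5)):
    """Return inventory hosts whose newest syslog line is older than max_gap,
    or that never logged at all. Hosts outside the inventory are ignored."""
    last_seen = {}
    for line in lines:
        ts, host, _ = parse_line(line)
        if host in inventory:
            last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(
        host for host in inventory
        if host not in last_seen or now - last_seen[host] > max_gap
    )


if __name__ == "__main__":
    print("failure events for this instance:", match_stopped_logging(SAMPLE_LOGS))
    print("hosts silent for >5 min at", NOW, ":",
          silent_hosts(SAMPLE_LOGS, ESXI_INVENTORY, NOW))
```

In the sample, only esx03 fires the filtered alert: esx04's failure concerns a different remote syslog target and is dropped by the vc_remote_host filter, exactly the behaviour the filter is meant to produce. The silence check adds esx02, which last logged almost ten minutes ago but raised no event. Tune max_gap to the host's real logging cadence; too short a gap produces false positives from quiet hosts, too long a gap widens the window in which a host's activity is unmonitored.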