vRealize Log Insight 8.8 | 28 APR 2022
Check for additions and updates to these release notes.
vRealize Log Insight delivers the best real-time and archived log management, especially for VMware environments. Machine learning-based intelligent grouping and high performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern web interface.
For more information, see the vRealize Log Insight product documentation at https://docs.vmware.com/en/vRealize-Log-Insight/index.html.
Here are some of the key highlights of vRealize Log Insight 8.8 that will help you leverage log data more quickly, accurately, and powerfully than ever before:
Note: Ensure that basic authentication is enabled in the vRO side for sending webhook notifications from vRealize Log Insight to vRO.
vRealize Log Insight 8.8 supports the following VMware products and versions:
vRealize Log Insight 8.8 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 8.8 Windows agent supports the following versions:
vRealize Log Insight Linux Agent Support
The vRealize Log Insight Linux agent supports the following distributions and versions:
vRealize Log Insight 8.8 has the following limitations:
The hosts table uses the
hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
sourcefields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
C:\Windows\System32sub-directories are redirected by WOW64 to
C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from
C:\Windows\System32by using the special alias
C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file:
vRealize Log Insight Linux Agent
exclude=.*option to every configuration section. The option
excludeuses the glob pattern
.*which represents hidden file format.
vRealize Log Insight Integrations
Launch in context, both from vRealize Log Insight and vRealize Operations, does not work for a virtual machine when the IP address of the virtual machine is not visible to the vRealize Operations instance and is not shown by the vCenter on the virtual machine's VM Summary tab. The IP address might be unavailable because of the absence of the vmware-tools utility. Older, unsupported versions or malfunctioning vmware-tools can also cause the IP address to become unavailable.
Ensure that a proper version of VMware Tools is installed on the virtual machine and that the VM Summary tab of the vCenter displays the IP address of the virtual machine.
Keep in mind the following considerations when upgrading to this version of vRealize Log Insight.
You can upgrade to vRealize Log Insight 8.8 from 8.6.x.
Important Upgrade Notes
vRealize Log Insight 8.8 includes the following localization features.
The following resolved issues are present in this release.
The Log Insight 8.6 Linux Agent occasionally sends stats with empty IP address
The Log Insight 8.6 Agent running on Linux occasionally sends stats with an empty IP address, which results in server errors.
A Log Insight Agent running on Photon OS reports no OS version
A Log Insight Agent running on a Photon OS does not report the OS version.
vRealize Log Insight storage becomes full when archiving is enabled and NFS is full or unavailable
If the NFS archive location becomes full or unavailable when archiving is enabled, vRealize Log Insight leaves the buckets in an ARCHIVING state and does not clean up. Because of this issue, the vRealize Log Insight storage fills up.
The alert query time range does not match the configured search period of the alert
The alert query time range does not match the configured search period if you use the alert condition "count of events greater than 0".
Extracted fields cannot be modified
You cannot modify extracted fields even if you have the required permission, for example, if you are an admin user.
Workaround: Duplicate the extracted field that you want to modify and then remove the original field. You can modify the duplicate field.
SMTP configuration fails on port 25 during configuration text plain communication
In some environments, SMTP configuration tries to open SSL communication when no SSL or STARTTLS flags are enabled.
The following known issues are present in this release.
Loading vRealize Operations objects takes a long time during alert configuration
If vRealize Operations has a large number of VC, Host, and VM objects, loading the list of vRealize Operations fallback objects takes a long time when you create an alert.
Workaround: Use filters to list the vRealize Operations fallback objects.
Inactive host notifications are sent when logs are relayed to vRealize Log Insight Cloud
In vRealize Log Insight, when you select the Inactive hosts notification check box under Management > Hosts and select the Relay Only option while configuring log forwarding to vRealize Log Insight Cloud, you receive inactive host notifications. The value in the Last Received Event column in the Hosts page increases with time, which indicates that a previously active host does not ingest logs anymore.
This behavior is because log events are not considered received until the events are ingested. When you select the Relay Only option for cloud forwarding, a certain category of log events are never ingested (depending on your filter definition), which results in some hosts mistakenly reporting as non-ingesting and inactive.
The first run for real-time alerts is delayed
The first run for a real-time alert is scheduled five minutes after creating or enabling it.
Workaround: Wait for five minutes after creating or enabling a real-time alert. Then, the scheduler works as expected and the alert query is run every minute.
Collection from some of directories will not take place if they were created before agent start or re-configuration event
If a new directory is being created after re-configuration of the Agent collection of newly created directories will not happen.
Workaround: To start directory monitoring, restart the service or update agent configuration with the liagent.ini file or from the Server Admin Agents page.
No automatic upgrade for vRealize Log Insight Agent on Photon OS
You cannot perform an automatic upgrade for vRealize Log Insight Agent on Photon OS because Photon OS does not support the gpg command.
Workaround: Perform a manual upgrade.
SMTP configurations might not work for public mail servers through IPv6
SMTP configurations might not work with public e-mail services such as Google and Yahoo, because these services might leverage tighter restriction policies for IPv6.
Workaround: Use an alternative mail server such as your corporate mail server, or bring up a dedicated server.
Integrating VMware Identity Manager with vRealize Log Insight through IPv4 changes the redirect URL host to IPv6 address
If you select the option to prefer IPv6 addresses when you deploy a vRealize Log Insight virtual appliance, the redirect URL host list is populated by IPv6 node addresses while integrating with VMware Identity Manager, which does not support IPv6.
Workaround: Create a spare IPv4 VIP for the integration of vRealize Log Insight with VMware Identity Manager.
The REST API call 'POST /api/v1/sessions' fails
When you join a newly deployed node in vRealize Log Insight 8.2 or 8.3 with an old cluster upgraded from 4.8 or earlier, the REST API call 'POST /api/v1/sessions' to the new worker node fails and throws the following error:
Error: write EPROTO 1319245176:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242:
You can find the relevant log in the REST client. Because of this error, you cannot get a session for the node.
Workaround: Restart the vRealize Log Insight service by running the 'service loginsight restart' command on the affected node.
vRealize Log Insight displays an "Upgrade unconfirmed" message even when the upgrade is successful
While upgrading to vRealize Log Insight 8.4, a message stating that the upgrade status is unconfirmed might appear. This message does not have an impact on the overall upgrade status, and the upgrade is eventually successful.
vRealize Log Insight cannot connect to a webhook server with a self-signed certificate
You cannot integrate vRealize Log Insight with a webhook server that uses a self-signed certificate, because the Trust On First Use (TOFU) pop-up window does not appear.
Workaround: Add a self-signed certificate manually to the vRealize Log Insight virtual appliance and restart it.
$ keytool -import -alias webhook -file <certificate> -keystore /usr/java/jre-vmware/lib/security/cacerts -storepass changeit$ service loginsight restart
Strings in Alerts and vRealize Log Insight Cloud pages are not localized
The text used in the pages of the Alerts and LI Cloud pages are available in English only, and are not localized.
No alert definitions for a vRealize Operations endpoint without integration permissions
You cannot define an alert that has a vRealize Operations endpoint without integration permissions for vRealize Operations.
Workaround: Assign the appropriate integration permissions to the role associated with the creator of the alert. Navigate to Management > Access Control. On the Roles tab, modify the role and provide the Integrations > vRealize Operations > Edit permission to the role.
The test alert sent to a webhook URL fails because of basic authentication issues
When you create an alert with webhook notifications and send a test alert, the alert fails. This happens when the correct credentials are rejected because of basic authentication issues.
Workaround: Add a custom header with the encoded username:password combination.