VMware vRealize Log Insight 3.3 Release Notes
vRealize Log Insight 3.3 (Build 3571626)
Last Document Update: 20 March 2017
Check frequently for additions and updates to these release notes.
Introduction to vRealize Log Insight 3.3
VMware vRealize Log Insight 3.3 delivers the best real-time and archive log management for VMware environments. Machine learning-based Intelligent Grouping and high performance search enable faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
What's New in vRealize Log Insight 3.3
vRealize Log Insight 3.3 includes new and enhanced features that cover all major areas of the product including installation, configuration, licensing, alerting, dashboards, reports, and policies. This release introduces the following enhancements.
- New and Enhanced Agent Parsers
New Syslog, Labeled Tab-Separated Values (LTSV), and Regex parsers are now available. vRealize Log Insight 3.3 also includes enhancements and improvements to previously released parsers.
- New Interactive Analytics
vRealize Log Insight 3.3 includes a tabular view of chart data to easily spot the top results of an aggregation query. You can also optimize your Interactive Analytics view with a more flexible event display.
- Multiple Virtual IP Addressing
You can configure multiple virtual IP addresses (vIPs) for the Integrated Load Balancer. You can also configure a list of static tags for each vIP so that each log message received from the vIP is annotated with the configured tags.
- Alert Webhooks
The new alert notification transport provides event notification over HTTP POST. This enhancement enables potential integrations with other platforms, such as Slack and SocialCast.
- New Product Licensing
vRealize Log Insight 3.3 includes the ability to use 25 OSI available licenses at no additional cost with the use of a VMware vCenter Server (Standard Edition) installation.
- In-Production Cluster Checks
You can query the latest results of in-production cluster checks to verify the status of a cluster or to determine if there are integration issues.
- New Windows Agent Support
The vRealize Log Insight Windows agent now supports Windows 10.
- IPv6 Support for vRealize Log Insight Agents
This release includes support for IPv6. You can now use IPv6 addresses in the same way as IPv4 addresses.
- Query API
You can use the new API to let remote clients programmatically query the vRealize Log Insight platform to retrieve events and aggregations over events.
- The VMware vRealize Log Insight Linux Agent now collects log files rotated with copytruncate.
- Preview Features
VMware vRealize Log Insight 3.3 includes several features that you can use on a preview basis.
- Pure IPv6 Support for vRealize Log Insight Server
You can configure a vRealize Log Insight 3.3 cluster in a pure IPv6 mode where all integration end points such as vSphere, vRealize Operations Manager, vRealize Log Insight agents, SMTP, Active Directory, and NFS are IPv6 enabled. Dual-stack IPv6 for the server is not supported in this release.
- Agent Configuration UI
This release also includes a preview of a new graphical editor for agent configuration.
Before You Begin
Review this section before you begin installing and configuring vRealize Log Insight.
Ports Used by vRealize Log Insight
- Port 53 TCP and UDP need to be open from all nodes within a cluster for DNS resolution.
- Ports 389 TCP and UDP, 636 TCP, 3268 TCP, 3269 TCP, and 88 TCP and UDP need to be open from all nodes within a cluster for Active Directory integration.
- An upgrade to vRealize Log Insight 3.3 requires a connection to Ports 80 and 443 on the master node.
For a list of all ports required for correct communication, see Ports and External Interfaces that the vRealize Log Insight Virtual Appliance Uses in the vRealize Log Insight Security Guide.
Virtual Appliance Deployment
- Use the instructions in the vRealize Log Insight Getting Started Guide to install and configure the vRealize Log Insight virtual appliance.
- Always configure the master node in a cluster setup of vRealize Log Insight with a fully qualified domain name (FQDN) and a static IP address.
- It is highly recommended that you configure a minimum of three nodes in a vRealize Log Insight cluster to provide ingestion, configuration, and user space high availability. Two node clusters are not supported.
- vRealize Log Insight does not support removing worker nodes that are functioning correctly from a vRealize Log Insight cluster.
Important Security Updates
- Before installing or upgrading software, be sure to review the latest security advisories on the VMware Security Advisories site.
- vRealize Log Insight 3.3 includes a critical fix that addresses CVE-2015-7547, the glibc getaddrinfo stack-based buffer overflow issue. On February 16, 2016 a critical vulnerability in glibc (CVE-2015-7547) was published that may allow for remote code execution. This issue affects all versions of glibc since 2.9. If you are using software that includes glibc 2.9 and later, it is recommended that you upgrade to a version that contains the fix to eliminate this vulnerability.
- IT decision makers, architects, administrators, and others who must be aware of the security components of vRealize Log Insight must familiarize themselves with the vRealize Log Insight Security Guide.
- For details about how to secure your environment, see the Security guide and the VMware Security Advisories site.
Note: vRealize Log Insight runs its processes as root user of the virtual appliance. This might cause security risks to your environment. Always deploy vRealize Log Insight in trusted secure environments.
Licensing vRealize Log Insight 3.3
vRealize Log Insight 3.3 supports the following VMware products and versions:
- Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.0 or later.
- ESXi 5.0 or later hosts can be configured to push syslog data to vRealize Log Insight.
- You can integrate vRealize Log Insight with vRealize Operations Manager as follows.
- The vCenter Operations Manager version must be 5.8.5 or later.
- The vRealize Operations Manager version must be 6.0 or later.
- You can remove the vRealize Log Insight adapter that enables launch in context:
- From Administration > Solutions in vRealize Operations Manager 6.0.x.
- From the Administration user interface in vCenter Operations Manager 5.8.5.
vRealize Log Insight 3.3 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 38.0 and above
- Google Chrome 43.0 and above
- Safari 6.0 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 3.3 Windows agent supports the following versions.
- Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
vRealize Log Insight Linux Agent Support
The vRealize Log Insight 3.3 Linux agent supports the following distributions and versions.
- RHEL 5 Update 10, RHEL 6 Update 5
- SLES 11 SP3
- Ubuntu 12.04 LTS and 14.04 LTS
vRealize Log Insight 3.3 has the following limitations:
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer 11 or Firefox for printing the vRealize Log Insight user interface.
- The hosts table might display devices more than once.
The hosts table might display devices more than once, each time in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
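The fallback described above, shown as an added example that is not VMware code: it assumes RFC 5424 framing (the page only says "the syslog RFC"), uses constructed sample events, and the function names are hypothetical. The grouping by first DNS label is a review heuristic, not something vRealize Log Insight does.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424_HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) ")

# Constructed sample: (raw syslog message, source address it arrived from).
# The first three events all come from the same device.
EVENTS = [
    ("<34>1 2016-03-01T10:00:00Z foo.bar.com sshd 101 - - session opened", "192.0.2.10"),
    ("<34>1 2016-03-01T10:00:05Z foo sshd 101 - - session closed", "192.0.2.10"),
    ("<34>1 2016-03-01T10:00:09Z - sshd 101 - - no hostname set", "192.0.2.10"),
    ("<13>1 2016-03-01T10:01:00Z db01.bar.com cron 7 - - job started", "192.0.2.20"),
]


def host_key(raw_message, source):
    """Return the name a hosts table would list for this event."""
    match = RFC5424_HEADER.match(raw_message)
    # "-" is the RFC 5424 NILVALUE, meaning the sender supplied no hostname.
    if match and match.group(4) != "-":
        return match.group(4)
    # Fallback described in the release notes: use the source as the hostname.
    return source


def is_ip(value):
    """True if the key is an IPv4 or IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def likely_duplicates(keys):
    """Group keys that share a first DNS label (heuristic for manual review).

    IP-address keys are never merged, because mapping them to a name
    needs a lookup that the event itself does not provide.
    """
    groups = defaultdict(set)
    for key in keys:
        label = key if is_ip(key) else key.lower().split(".")[0]
        groups[label].add(key)
    return {label: sorted(names) for label, names in groups.items() if len(names) > 1}


def hosts_table(events):
    """Distinct host keys in first-seen order, as a hosts table would show them."""
    seen = []
    for raw, source in events:
        key = host_key(raw, source)
        if key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    table = hosts_table(EVENTS)
    print("hosts table entries:", table)
    print("probable duplicates:", likely_duplicates(table))
```

One device ends up with three entries here: the FQDN, the short name, and the source address used when the hostname field is empty.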
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname/source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: directory=C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an OS limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The exclude option uses the glob pattern .*, which matches hidden files (names that begin with a dot).
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
- vRealize Log Insight does not support multiple domains for Active Directory login when they are not trusted domains.
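An added example (not VMware code) that audits agent configuration text for the two collection pitfalls described above: Linux file-collection sections without exclude=.*, and Windows sections that point at C:\Windows\System32 instead of the Sysnative alias. It assumes file collection sections are named `[filelog|<name>]` and that exclude takes a semicolon-separated list; the sample configurations are constructed and the function name is hypothetical.

```python
import configparser
import re

# Constructed sample of a Linux agent configuration.
LINUX_INI = """
[server]
hostname=loginsight.example.com

[filelog|messages]
directory=/var/log
include=messages;messages.?

[filelog|app]
directory=/opt/app/logs
exclude=.*;*.gz
"""

# Constructed sample of a Windows agent configuration.
WINDOWS_INI = r"""
[filelog|dhcp]
directory=C:\Windows\System32\dhcp

[filelog|dhcp_native]
directory=C:\Windows\Sysnative\dhcp
"""

# A System32 path that WOW64 would redirect for the 32-bit Windows agent.
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32(\\|$)", re.IGNORECASE)


def audit(ini_text, platform):
    """Return (section, finding) pairs for an agent configuration.

    platform is "linux" or "windows" and selects which check applies.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        # Assumption: only [filelog|...] sections collect files from disk.
        if not section.startswith("filelog|"):
            continue
        options = parser[section]
        if platform == "linux":
            # Assumption: exclude holds glob patterns separated by ";".
            raw = options.get("exclude", fallback="")
            patterns = [p.strip() for p in raw.split(";")]
            if ".*" not in patterns:
                findings.append((section, "hidden files are collected: add exclude=.*"))
        elif platform == "windows":
            directory = options.get("directory", fallback="").strip()
            if SYSTEM32.match(directory):
                findings.append(
                    (section, "WOW64 redirects this path: use C:\\Windows\\Sysnative")
                )
    return findings


if __name__ == "__main__":
    for name, text, platform in (
        ("linux", LINUX_INI, "linux"),
        ("windows", WINDOWS_INI, "windows"),
    ):
        for section, finding in audit(text, platform):
            print(f"{name}: [{section}] {finding}")
```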
Upgrading from a Previous Version of vRealize Log Insight
vRealize Log Insight 3.3 supports upgrading from vRealize Log Insight 3.0. For more information, see the vRealize Log Insight Upgrade Path.
- When performing a manual upgrade, workers must only be upgraded one at a time. Upgrading multiple workers at the same time will cause an upgrade failure. When you upgrade the master node to vRealize Log Insight 3.3, a rolling upgrade occurs unless specifically disabled.
- To upgrade to vRealize Log Insight 3.3, you must first upgrade to vRealize Log Insight 3.0 and then upgrade to vRealize Log Insight 3.3.
- vRealize Log Insight does not support two node clusters and vRealize Log Insight 3.0 does not support upgrading a 2-node vRealize Log Insight 2.5 cluster to vRealize Log Insight 3.0. Add another node before upgrading to vRealize Log Insight 3.0.
- Upgrading vRealize Log Insight 3.0 to vRealize Log Insight 3.3 must be done from the master node's FQDN. Upgrading using the Integrated Load Balancer IP address is not supported.
vRealize Log Insight 3.3 is available in the following languages:
- The vRealize Log Insight server web user interface is localized to Japanese, French, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
- The vRealize Log Insight agent works on non-English native Windows.
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- Integration with Active Directory, vSphere and vRealize Operations Manager for user names with non-ASCII characters is not supported.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
In addition to these Release Notes, you can access the complete documentation set for vRealize Log Insight 3.3 from the VMware vRealize Log Insight Documentation website.
This section contains issues that have been resolved since the vRealize Log Insight 3.0 release.
This section contains known issues for this release.
Deployment and Configuration
- Event forwarding stops working after upgrading deployments that use SSL when JRE is upgraded as part of the deployment.
JRE is upgraded as part of the vRealize Log Insight upgrade. For sites configured with SSL, certificate information remains stored in the old JRE version; therefore, the certificate cannot be retrieved for the upgraded installation and event forwarding fails.
Workaround: Reimport the certificate using the procedure "Configuring vRealize Log Insight Event Forwarding with SSL" in the vRealize Log Insight documentation center.
- Upgrades to vRealize Log Insight 3.3 may fail and roll back to vRealize Log Insight 3.0, resulting in an unusable state. vRealize Log Insight may not start.
Upgrades to vRealize Log Insight 3.3 may fail because of an infrastructure problem and may automatically roll back to the previous version. If this occurs, part of the configuration is not rolled back, which leaves vRealize Log Insight 3.0 inoperable.
Workaround: Modify the configuration manually. See Knowledge Base article 2144648.
- The Active Directory authentication from vRealize Log Insight is not able to add the LDAP source.
In rare cases involving the firewall with the correct ports open, vRealize Log Insight is not able to integrate with Active Directory.
- When upgrading from vRealize Log Insight 2.5, a dialog on the appliance may state the upgrade cannot be confirmed.
It is possible that the master node is taking a long time to start.
Workaround: Click OK and wait for the upgrade to finish.
- New vRealize Log Insight deployment fails to start.
On rare occasions, when you first deploy a vRealize Log Insight virtual appliance you might see the error message Failed to start new deployment.
Workaround: Restart the newly-deployed vRealize Log Insight virtual appliance.
- New vRealize Log Insight deployment fails to bootstrap.
If you deploy a vRealize Log Insight appliance and do not bootstrap it shortly after deployment, you might see the error message Failed to start new deployment when you try to bootstrap it later.
Workaround: Restart the newly-deployed vRealize Log Insight virtual appliance.
- Running parallel configuration tasks might result in incorrect settings.
For example, if two administrator users try to run configuration tasks simultaneously on a target ESXi host, it might result in incorrect syslog settings.
Workaround: Verify that no other administrator user is configuring the settings that you intend to configure.
- A vRealize Log Insight cluster does not handle network or power outages when using DHCP.
If you use DHCP to set up the network configuration of a vRealize Log Insight cluster and a network or power outage occurs, the cluster will stop operating. This happens because of the change in the IP addresses of the master and worker nodes.
Workaround: Always configure the master node with a fully qualified domain name (FQDN) and a static IP address. If the master node experiences an outage while a worker node continues to operate, the worker node sends an alert to the administrator of the cluster.
- During a vRealize Log Insight cluster upgrade you might see HTTP Error 401: Unauthorized
During, or immediately after you upgrade a vRealize Log Insight cluster, you might see HTTP Error 401: Unauthorized when you try to access the Web user interface.
Workaround: The error is transitory and disappears after a minute or so.
- WAN clustering is not supported by vRealize Log Insight
vRealize Log Insight does not support WAN clustering (also called geoclustering, high-availability clustering, or remote clustering). All nodes in the cluster must be deployed in the same layer 2 LAN. In addition, the ports described in the security guide must be opened between nodes for correct communication. For more information, see Ports and External Interfaces that the vRealize Log Insight Virtual Appliance Uses in the vRealize Log Insight Security Guide.
- vRealize Log Insight cannot save Agent configuration files longer than 100 lines
- In some cases, notification events from vRealize Log Insight 3.0 or later fail to trigger in vRealize Operations Manager 6.0 or later.
The alert integration using vRealize Log Insight 3.0 or later may fail with vRealize Operations Manager 6.0 or later when the notification events triggering the alert are not part of the vRealize Operations Manager vSphere inventory and the target vRealize Operations Manager resources such as Adapter Kind, Resource Kind Key have a space in their name, for example, "vSphere World".
Workaround: When creating new alerts in vRealize Log Insight, make sure to filter the query so that it contains events that originate from one or more of the targets that are monitored by or registered with vRealize Operations Manager.
- Content packs exported from vRealize Log Insight 3.0 or later without a namespace cannot be imported into vRealize Log Insight 3.3 or later.
vRealize Log Insight 3.3 or later no longer allows hyphens in the namespace of content packs. vRealize Log Insight 3.0 or later defaults to a namespace with hyphens. As a result, a content pack exported from vRealize Log Insight 3.0 or later without a namespace cannot be imported into vRealize Log Insight 3.3 or later.
Workaround: Export the content pack from vRealize Log Insight 3.0 or later with a namespace that does not contain a hyphen.
- Log Insight can become unresponsive.
Rarely, a CPU lockup may occur. The vRealize Log Insight virtual machine can become unresponsive during quiesced snapshot operations. The root issue remains after a restart.
Workaround: To restore operation, restart the virtual machine and perform non-quiesced snapshots or stop VMware Tools.
- Messages get lost when restarting the Event Forwarder
If you restart an Event Forwarder during the forwarding process, messages that reside in the non-persistent cache might get lost.
- vRealize Log Insight is not interoperable with localized versions of vCenter Server and vRealize Operations Manager.
Workaround: Refer to Knowledge Base article 2121646 for a workaround procedure.
- The Administration user interface shows multiple agents with the same IP address
In rare cases, multiple agents with the same IP address can appear in the Administration user interface. Only one of the agents displayed is active and is the valid running agent. The other invalid agents display with the state "disconnected."
Workaround: Restart vRealize Log Insight.
- You cannot name a smart field in the Event Types tab if you do not have the Edit Shared permission.
When you open the Event Types tab and click on one of the automatically detected fields (smart fields), a context menu appears. If you have the Edit Shared permission, you can give the field a friendly name that can then be used for regular queries. If you do not have the Edit Shared permission, you cannot name the field and can only refer to it using the application-generated name, for example smart field host (2) [v2_3cb0181].
Workaround: If you require the ability to name a smart field, verify that you have the Edit Shared permission.
- A vRealize Log Insight agent is forwarding messages to itself.
The agent installed by default has no server clause in its configuration, and it is running. The default server clause is "server=loginsight". In this environment, a DNS lookup of "loginsight" returns this cluster, and the agent successfully connects.
- You cannot check the status of an import operation if your user session ends before the end of the import.
To start the data import process, you connect to a vRealize Log Insight instance through an SSH session or through the virtual appliance console. The data import process might take a long time. In the case of SSH, if the SSH session terminates unexpectedly, or you close the SSH session before the import process completes, you cannot check whether the import completed successfully.
Workaround: Install a "screen" package on the vRealize Log Insight virtual appliance. This package allows you to run Linux processes in the background without interruption, even when you disconnect from an SSH session.
- The import of archived log data might fail if vRealize Log Insight cannot access the NFS server on which data is stored.
If, during the data import process, the NFS server becomes inaccessible due to network failure or errors on the NFS server, the import of archived data might fail.
- The import of archived data might fail if the vRealize Log Insight virtual appliance runs out of disk space.
The vRealize Log Insight repository import utility does not check for available disk space on the vRealize Log Insight virtual appliance. Therefore, the import of archived logs might fail if the virtual appliance runs out of disk space.
- vRealize Log Insight does not display progress information during log imports.
As the import of archived data is in progress, you are unable to infer from the console output how much time is left before the import finishes or how much data is already imported.
- vRealize Log Insight might run out of disk space even though data archiving is enabled.
If the network connection to the NFS storage is slow, and the rate of the incoming data is greater than the data archiving rate, vRealize Log Insight might run out of disk space.
Administration - SMTP, vRealize Operations Manager, Active Directory Known Issues
- Field information is missing in syslog events.
After an upgrade to vRealize Log Insight 3.0, the vc_username field information is missing from the forwarded events over syslog.
- DNS caching is not working properly.
DNS lookups are numerous for a vRealize Log Insight cluster integrated with vRealize Operations Manager. The inventory mapping performs a DNS lookup for most or all events that come in to vRealize Log Insight.
- You can see messages related to launch in context even if launch in context is not enabled or not supported in the vRealize Operations Manager version that you use.
The details of vRealize Log Insight notification events that appear in the vRealize Operations Manager User interface contain the following message that suggests using the launch in context feature:
Log Insight found <Number> messages matching the criteria for alert "<Name of the Alert>": Use the context menu item to review the matches in Log Insight.
This message appears even if you have not enabled launch in context, or if you are using vRealize Operations Manager versions earlier than 5.7.1 that do not support launch in context.
Workaround: Ignore the message if launch in context is not enabled in your instance of vRealize Operations Manager. Open a browser and type the IP address of the vRealize Log Insight virtual appliance to search for matching messages related to the notification event.
- Email notifications might be dropped if you use the default SMTP settings of vRealize Log Insight.
If, in the vRealize Log Insight administration interface, you leave the default SMTP settings of localhost:25, the email notifications that vRealize Log Insight sends might be dropped by the receiving email server, such as Yahoo or Gmail.
Workaround: Use the Send Test Email option and verify that you receive an email to validate that email notifications are not being dropped.
- You cannot change the network properties of the vRealize Log Insight virtual appliance at run time.
vRealize Log Insight does not support changing the IP address, network mask, gateway, DNS, or hostname of the virtual appliance at run time.
Workaround: You can only make network configuration changes using the vApp options of the vRealize Log Insight virtual appliance.
- Open a vSphere Client and locate the vRealize Log Insight virtual appliance.
- Shut down the virtual appliance.
- Right-click the virtual appliance, select Edit Settings, and under vApp options apply the changes to the network configuration.
- Power on the virtual appliance.
Note: You must re-enable launch in context each time you change the network properties of the vRealize Log Insight virtual appliance.
- Accessing the HTTPS-based secure web interface at https://<loginsight-host>/ generates an invalid SSL certificate warning.
By default, vRealize Log Insight installs a self-signed SSL certificate. The self-signed certificate generates security warnings when you connect to the vRealize Log Insight Web user interface.
Workaround: You can ignore these security warnings. If you do not want to use a self-signed security certificate, an admin user can install a custom SSL certificate. For the procedure for uploading a custom SSL certificate, see the vRealize Log Insight Administration Guide. The use of a custom SSL certificate is optional and does not affect the features of vRealize Log Insight.
- Active Directory (AD) binding user disallows valid special character '@'.
When integrating with Active Directory, vRealize Log Insight disallows the valid special character '@' that should be allowed in Active Directory.
Workaround: Choose a binding username that does not contain the '@' character.
- vRealize Log Insight cannot send alerts against an object in vRealize Operations Manager when the name of the object has changed.
If you set up notifications in vRealize Log Insight against an object in vRealize Operations Manager and the name of the object is later changed, vRealize Log Insight can no longer generate alerts against that object.
Workaround: Update the alert to point to the renamed object.
- vRealize Log Insight Active Directory (AD) users cannot log in when the binding credentials for the AD domain have expired.
vRealize Log Insight uses a binding user to control integration with Active Directory in a number of scenarios. For example, when a user specifies a UPN suffix that has not been seen by vRealize Log Insight, it uses the binding credentials to determine if that suffix is an alias for a domain that has users or groups with access. If the binding credentials are invalid, vRealize Log Insight cannot perform the query and authentication fails.
Workaround: Verify that AD credentials of the binding user are current. Navigate to Administration > Authentication, enter the credentials and click Test Connection.
- One or more nodes in a vRealize Log Insight cluster restart when the DNS server is unreachable.
If the master node of your vRealize Log Insight cluster is configured with a fully qualified domain name (FQDN) and the DNS server becomes unreachable, the watchdog on the node restarts the node. If the DNS server comes back up, the restart succeeds. Otherwise, the watchdog makes 12 restart attempts after which the node is marked as disconnected from the cluster.
Workaround: Configure the vRealize Log Insight master node with a static IP address.
- The Interactive Analytics chart indicates that it has more data to load even though the back end has finished searching.
On rare occasions, the interactive analytics chart indicates it is still loading but the progress bar stops moving for several minutes. Although the search might have finished in the back end, the chart does not show the full results. This behavior is triggered more frequently if you choose a smaller time window grouping from the 1 bar = toggle in the upper right of a time series chart.
- The Interactive Analytics page does not show dynamically extracted fields inline.
If a search query lasts longer than one progress iteration (3-5 seconds), the list of events under the Events tab on the Interactive Analytics page does not show dynamically extracted fields inline.
- Worker nodes that are in maintenance mode send notifications when the vRealize Log Insight master node is down.
When the vRealize Log Insight master node is down, each worker node sends an alert email notification to the admin that the master is down. If one of the worker nodes is in maintenance mode, it is not expected to send such a notification, but it does.
Workaround: Ignore the alert email.
- A Worker node that is in maintenance mode automatically reconnects to the vRealize Log Insight master node.
If you put a vRealize Log Insight worker in maintenance mode and restart it, the worker automatically reconnects to the vRealize Log Insight master node.
Workaround: Manually put the worker node back in maintenance mode immediately after it restarts.
The topic Add a vRealize Log Insight Event Forwarding Destination states that tag use is restricted to use with the ingestion API. However, this restriction does not apply to vRealize Log Insight 3.3.