VMware vRealize Log Insight 3.6 Release Notes
vRealize Log Insight 3.6 (Build 4202923)
Last Document Update: 20 March 2017
Check frequently for additions and updates to these release notes.
These release notes include the following topics:
Introduction to vRealize Log Insight 3.6
VMware vRealize Log Insight 3.6 delivers the best real-time and archive log management for VMware environments. Machine learning-based Intelligent Grouping and high performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
What's New in vRealize Log Insight 3.6
vRealize Log Insight 3.6 includes new and enhanced features as well as preview features.
vRealize Operations Manager Integration Enhancements
Alerts sent to vRealize Operations Manager now contain the same metadata as email alerts.
- Auto Cancel Alerts
User alerts to vRealize Operations Manager can be set to auto cancel in 10 minutes.
- Integration with High Availability
When integrating with vRealize Operations Manager, an Integrated Load Balancer virtual IP is used to ensure high availability.
- More Dashboard Widgets
Event type and event trend queries can now be saved to the Dashboard page as widgets and included in Content Packs.
- Event Type Alerts
User alerts can now be created to alert based on new
- Syslog Event Forwarding Enhancements
Syslog Event Forwarding now supports send tags as well as complementary tags.
- Query API Enhancements
The query API now supports duration, Content Pack extracted fields, the group-by field, the order-by function, and event trends.
- Content Pack Upgrade Instructions
Content Packs now support separate installation and upgrade instructions.
vRealize Log Insight 3.6 includes several features that you can use on a preview basis.
- User Impersonation
Super Admin users can now impersonate another user, allowing the ability to view, edit, and disable another user's alerts.
- Agent Auto-Upgrade
This release includes support for IPv6. You can now use IPv6 addresses in the same way as IPv4 addresses.
- VMware Identity Manager (vIDM) Integration
Authentication with vIDM can be configured to allow Single Sign-On.
- Streaming Support Bundles
You can use this method to create a support bundle that uses no disk space on the node.
Review this section before you begin installing and configuring vRealize Log Insight.
Ports Used by vRealize Log Insight
For a list of all ports required for correct communication, see in Ports and External Interfaces that the vRealize Log Insight Virtual Appliance Uses in Administering vRealize Log Insight.
Virtual Appliance Deployment
- Use the instructions in Getting Started to install and configure the vRealize Log Insight virtual appliance.
- Always configure the master node in a cluster setup of vRealize Log Insight with a fully qualified domain name (FQDN) and a static IP address.
- As a best practice, configure a minimum of three nodes in a vRealize Log Insight cluster to provide ingestion, configuration, and user space high availability. Two-node clusters are not supported.
- vRealize Log Insight does not support removing worker nodes that are functioning correctly from a vRealize Log Insight cluster.
Important Security Updates
- Before installing or upgrading software, be sure to review the latest security advisories on the VMware Security Advisories site.
- IT decision makers, architects, administrators, and others who must be aware of the security components of vRealize Log Insight must familiarize themselves with Security Considerations for vRealize Log Insight.
- For details about how to secure your environment, see the VMware Security Advisories site.
Note: vRealize Log Insight runs its processes as root user of the virtual appliance. This might cause security risks to your environment. Always deploy vRealize Log Insight in trusted secure environments.
Licensing vRealize Log Insight 3.6
- After you deploy the vRealize Log Insight virtual appliance, you must assign a valid license key.
- All license management tasks are performed in the vRealize Log Insight Administration Web interface. The URL is http://log-insight-ip/admin/license, where log-insight-ip is the IP address of the vRealize Log Insight vApp. Follow the instructions in Administering vRealize Log Insight to assign a license.
Top of Page
vRealize Log Insight 3.6 supports the following VMware products and versions:
- vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.0 or later.
- ESXi 5.0 or later hosts can be configured to push syslog data to vRealize Log Insight.
- You can integrate vRealize Log Insight 3.6 with vRealize Operations Manager version 6.0 or later.
vRealize Log Insight 3.6 version supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 45.0 and above
- Google Chrome 51.0 and above
- Safari 9.1 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 3.6 Windows agent supports the following versions.
- Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
vRealize Log Insight Linux Agent Support
The vRealize Log Insight 3.6 Linux agent supports the following distributions and versions.
- RHEL 5, RHEL 6, RHEL 7
- SLES 11 SP3
- Ubuntu 12.04 LTS and 14.04 LTS
Top of Page
vRealize Log Insight 3.6 has the following limitations.
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname/source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
- vRealize Log Insight does not support multiple domains for Active Directory login when they are not trusted domains.
Top of Page
Upgrading from a Previous Version of vRealize Log Insight
vRealize Log Insight vRealize Log Insight 3.6 supports upgrading from vRealize Log Insight 3.3.x. For more information, see the vRealize Log Insight Upgrade Path.
- When performing a manual upgrade, workers must only be upgraded one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 3.6, a rolling upgrade occurs unless specifically disabled.
- To upgrade to vRealize Log Insight 3.6, from vRealize Log Insight 3.0, you must first upgrade to vRealize Log Insight 3.3.x and then upgrade to vRealize Log Insight 3.6.
- Upgrading vRealize Log Insight 3.3 to vRealize Log Insight 3.6 must be done from the master node's FQDN. Upgrading using the Integrated Load Balancer IP address is not supported.
vRealize Log Insight 3.6 offers the following internationalization support:
- The vRealize Log Insight server web user interface is localized to Japanese, French, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
- The vRealize Log Insight agent works on non-English native Windows.
Internationalization Support Limitations
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might display unlocalized strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- User names with non-ASCII characters are not supported for integrations with Active Directory, vSphere, and vRealize Operations Manager.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs support UTF-8 and UTF-16 character encoding only.
Top of Page
In addition to these Release Notes, you can access the complete documentation set for vRealize Log Insight 3.6 from the VMware vRealize Log Insight Documentation website.
This section contains issues that have been resolved since the vRealize Log Insight 3.3.2 release.
Active Directory authentication with child domains or nested groups may fail.
- When selecting Test Alert under user alerts, multiple alerts were sent instead of one.
When searching for a vRealize Operations Manager Default Resource under user alerts, no results were returned.
VMware tools may result in the vRealize Log Insight virtual appliance locking up.
Unique count chart queries were case sensitive.
User alerts did not allow for a threshold of more than zero.
Certificate replacement did not take effect for syslog traffic until service restart.
This section describes known issues for this release.
Deployment and Configuration
- Event forwarding stops working after upgrading deployments that use SSL when JRE is upgraded as part of the deployment.
JRE is upgraded as part of vRealize Log Insight upgrade. For sites configured with SSL, certificate information remains
stored in the old JRE version therefore the certificate cannot be retrieved for the upgraded installation and event forwarding fails.
Workaround:Reimport the certificate using the procedure "Configuring vRealize Log Insight Event Forwarding
with SSL" in the vRealize Log Insight documentation center.
The Active Directory authentication from vRealize Log Insight is not able to add the LDAP source.
In rare cases involving the firewall with the correct ports open, vRealize Log Insight is not able to integrate with Active Directory.
New vRealize Log Insight deployment fails to start.
On rare occasions, when you first deploy a vRealize Log Insight virtual appliance you might see the error message Failed to start new deployment.
Workaround: Restart the newly-deployed vRealize Log Insight virtual appliance.
New vRealize Log Insight deployment fails to bootstrap.
If you deploy a vRealize Log Insight appliance and do not bootstrap it shortly after deployment, you might see the error message Failed to start new deployment when you try to bootstrap it later.
Workaround: Restart the newly-deployed vRealize Log Insight virtual appliance.
- Running parallel configuration tasks might result in incorrect settings.
For example, if two administrator users try to run configuration tasks simultaneously on a target ESXi host, it might result in incorrect syslog settings.
Workaround: Verify that no other administrator user is configuring the settings that you intend to configure
During a vRealize Log Insight cluster upgrade you might see HTTP Error 401: Unauthorized,
During, or immediately after you upgrade a vRealize Log Insight cluster, you might see the error HTTP Error 401: Unauthorized when you try to access the Web user interface.
Workaround: The error is transitory and disappears after a minute or so.
Top of Page
Hosts with logs rotated out of Log Insight 3.6 are still seen in the Host list.
The help states that "Only hosts that have searchable events are shown. A host will not be shown if all of its events have been rotated out of the system."
This is incorrect.
Inclusion on the Hosts page is not based on existing logs. As result, it is possible for hosts with logs rotated out to still remain in the Host list. In addition, these old entries should be automatically cleared after some amount of time, although at present they are not
the Hosts page is not based on logs.
Content packs exported from vRealize Log Insight 3.0.x or earlier with a hyphenated namespace cannot be imported into vRealize Log Insight 3.3 or later.
vRealize Log Insight 3.3 or later does not support the use of hyphens in the namespace of content packs. vRealize Log Insight 3.0.x and earlier releases default to a namespace with hyphens. As a result, a content pack exported from vRealize Log Insight 3.0.x or earlier that uses a hyphenated namespace cannot be imported into vRealize Log Insight 3.3 or later.
Workaround: Export the content pack from vRealize Log Insight 3.0.x or earlier with a namespace that does not contain a hyphen.
Messages get lost when restarting the Event Forwarder.
If you restart an Event Forwarder during the forwarding process, messages that reside in the non-persistent cache might get lost.
vRealize Log Insight is not interoperable with localized versions of vCenter Server and vRealize Operations Manager.
Workaround: Refer to Knowledge Base article 2121646 for a workaround procedure.
The Administration user interface shows multiple agents with the same IP address.
In rare cases, multiple agents with the same IP address can appear in the Administration user interface. Only one of the agents displayed is active and is the valid running agent. The other invalid agents display with the state "disconnected."
Workaround: Restart vRealize Log Insight.
You cannot name a smart field in the Event Types tab if you do not have the Edit Shared permission.
When you open the Event Types tab and click on one of the automatically detected fields (smart fields), a context menu appears. If you have the Edit Shared permission, you can give the field a friendly name that can then be used for regular queries. If you do not have the Edit Shared permission, you cannot name the field and can only refer to it using the application-generated name, for example smart field host (2) [v2_3cb0181].
Workaround: If you require the ability to name a smart field, verify that you have the Edit Shared permission.
Exporting events from the Interactive Analytics page may not succeed.
- Autocomplete may take a long time to return on instances that have a large number of fields.
- Linux log files rotated with the copytruncate option may not be processed properly by the vRealize Log Insight agent.
Workaround: Use a different rotation option such as rename-recreate.
- The Log Insight Admin Alert: Too many VIP failovers may be received when no VIP failover has occurred.
Workaround: Verify that there is no virtual IP failover and ignore the alert.
- On the Dashboard page, the legend pop-up for widgets may interfere with hovering.
- The vRealize Log Insight icon might flicker on the content pack page.
- There are UI display issues when entering a NSX license key.
The startup wizard license table is not properly formatted.
The OSI Count and CPU Count fields are empty on the license page.
A vRealize Log Insight cluster compound support bundle contains the wrong archive file name and the archive cannot be imported by vRealize Log Insight Importer.
The vRealize Log Insight Importer generates a "
Zlib error code: -3" for a specific support bundle and the events are not sent.
Workaround: Manually extract support bundles for each node and import one by one.
You cannot check the status of an import operation if your user session ends before the end of the import.
To start the data import process, you connect to a vRealize Log Insight instance through a SSH session or through the virtual appliance console. The data import process might take a long time. In the case of SSH, if the SSH session terminates unexpectedly, or you close the SSH session before the import process completes, you cannot check whether the import completed successfully.
Workaround: Install a "screen" package on the vRealize Log Insight virtual appliance. This package allows you to run Linux processes in the background without interruption, even when you disconnect from an SSH session.
The import of archived log data might fail if vRealize Log Insight cannot access the NFS server on which data is stored.
If, during the data import process, the NFS server becomes inaccessible due to network failure or errors on the NFS server, the import of archived data might fail.
The import of archived data might fail if the vRealize Log Insight virtual appliance runs out of disk space.
The vRealize Log Insight repository import utility does not check for available disk space on the vRealize Log Insight virtual appliance. Therefore, the import of archived logs might fail if the virtual appliance runs out of disk space.
vRealize Log Insight does not display progress information during log imports.
As the import of archived data is in progress, you are unable to infer from the console output how much time is left before the import finishes or how much data is already imported.
vRealize Log Insight might run out of disk space even though data archiving is enabled.
If the network connection to the NFS storage is slow, and the rate of the incoming data is later than the data archiving rate, vRealize Log Insight might run out of disk space.
Top of Page
Administration - SMTP, vRealize Operations Manager, and Active Directory Known Issues
You can see messages related to launch in context even if launch in context is not enabled or not supported in the vRealize Operations Manager version that you use.
The details of vRealize Log Insight notification events that appear in the vRealize Operations Manager user interface contain the following message that suggests using the launch in context feature:
Log Insight found <Number> messages matching the criteria for alert "<Name of the Alert>": Use the context menu item to review the matches in Log Insight.
This message appears even if you have not enabled launch in context, or if you are using vRealize Operations Manager versions earlier than 5.7.1 that do not support launch in context.
Workaround: Ignore the message if launch in context is not enabled in your instance of vRealize Operations Manager. Open a browser and type the IP address of the vRealize Log Insight virtual appliance to search for matching messages related to the notification event.
Email notifications might be dropped if you use the default SMTP settings of vRealize Log Insight.
If, in the vRealize Log Insight administration interface, you leave the default SMTP settings of localhost:25, the email notifications that vRealize Log Insight sends might be dropped by the receiving email server, such as Yahoo or Gmail.
Workaround: Click the Send Test Email option and verify that you receive an email to validate that email notifications are not being dropped.
You cannot change the network properties of the vRealize Log Insight virtual appliance at run time.
vRealize Log Insight does not support changing the IP address, network mask, gateway, DNS, or hostname of the virtual appliance at run time.
Workaround: You can only make network configuration changes using the vApp options of the vRealize Log Insight virtual appliance.
- Open a vSphere Client and locate the vRealize Log Insight virtual appliance.
- Shut down the virtual appliance.
- Right-click the virtual appliance, select Edit Settings, and under vApp options apply the changes to the network configuration.
- Power on the virtual appliance.
Note: You must re-enable launch in context each time you change the network properties of the vRealize Log Insight virtual appliance.
Active Directory (AD) binding user disallows valid special character '@'.
When integrating with Active Directory, vRealize Log Insight disallows the valid special character '@' that should be allowed in Active Directory.
Workaround: Choose a binding username that does not contain the '@' character.
vRealize Log Insight cannot send alerts against an object in vRealize Operations Manager when the name of the object has changed.
When you set up notifications in vRealize Log Insight against an object in vRealize Operations Manager, after which the name of the object is changed, vRealize Log Insight can no longer generate alerts against that object.
Workaround: Update the alert to point to the renamed object.
vRealize Log Insight Active Directory (AD) users cannot log in when the binding credentials for the AD domain have expired.
vRealize Log Insight uses a binding user to control integration with Active Directory in a number of scenarios. For example, when a user specifies a UPN suffix that has not been seen by vRealize Log Insight, it uses the binding credentials to determine if that suffix is an alias for a domain that has users or groups with access. If the binding credentials are invalid, vRealize Log Insight cannot perform the query and authentication fails.
Workaround: Verify that AD credentials of the binding user are current. Navigate to Administration > Authentication, enter the credentials, and click Test Connection.
- One or more nodes in a vRealize Log Insight cluster restart when the DNS server is unreachable.
If the master node of your vRealize Log Insight cluster is configured with a fully qualified domain name (FQDN) and the DNS server becomes unreachable, the watchdog on the node restarts the node. If the DNS server comes back up, the restart succeeds. Otherwise, the watchdog makes 12 restart attempts after which the node is marked as disconnected from the cluster.
Workaround: Configure the vRealize Log Insight master node with a static IP address.
The Interactive Analytics chart indicates that it has more data to load even though the back end has finished searching.
On rare occasions, the interactive analytics chart indicates it is still loading but the progress bar stops moving for several minutes. Although the search might have finished in the back end, the chart does not show the full results. This behavior is triggered more frequently if you choose a smaller time window grouping from the 1 bar = toggle in the upper right of a time series chart.
The Interactive Analytics page does not show dynamically extracted fields inline.
If a search query lasts longer than one progress iteration (3-5 seconds), the list of events under the Events tab on the Interactive Analytics page does not show dynamically extracted fields inline.
Worker nodes that are in maintenance mode send notifications when the vRealize Log Insight master node is down.
When the vRealize Log Insight master node is down, each worker node sends an alert email notification to the admin that the master is down. If one of the worker nodes is in maintenance mode, it is not expected to send such a notification, but it does.
Workaround: Ignore the alert email.
A Worker node that is in maintenance mode automatically reconnects to the vRealize Log Insight master node.
If you put a vRealize Log Insight worker in maintenance mode and restart it, the worker automatically reconnects to the vRealize Log Insight master node.
Workaround: Manually put the worker node back in maintenance mode immediately after it restarts.
Top of Page
This section presents corrections and additions to vRealize Log Insight documentation for version 3.6.
vRealize Log Insight accepts VMware NSX licenses.
The following additional information applies to the topic Assign a Permanent License to vRealize Log Insight.
VMware NSX licenses also entitle you to vRealize Log Insight access. When you install vRealize Log Insight with your VMware NSX installation, enter the VMware NSX key as the license key on the vRealize Log Insight license screen. For a description of the license window, see For further information, consult VMware NSX documentation.
vCenter Operations Manager 5.8.5 version not supported.
The documentation topic Product Compatibility incorrectly states that vCenter Operations Manager 5.8.5 version is supported for use with vRealize Log Insight 3.6.
The vRealize Log Insight Linux Agent is not configured to collect messages by default.
The documentation topic
Overview of the vRealize Log Insight Linux Agent incorrectly states that the vRealize Log Insight Linux Agent is configured for message collection by default.
- Windows Event Channel Limits
Documentation erroneously states that the vRealize Log Insight Windows Agent can collect events from a maximum of 60 Windows Event Log channels. There are no restrictions on the number of event channels.
Top of Page