VMware vRealize Log Insight 4.3 Release Notes
VMware vRealize Log Insight | 2 March 2017
Server Build 5084751 | Agent Build 5052904
Updated 26 June 2017
These release notes describe changes to vRealize Log Insight 4.3. Check frequently for updates to these release notes.
What's in the Release Notes?
The release notes cover the following topics:
VRealize Log Insight delivers the best real-time and archive log management, especially for VMware environments. Machine learning-based Intelligent Grouping and high-performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
This release of VMware vRealize Log Insight delivers product improvements and updates to the previous release, including these features:
- Server Features
- Now supports VMware Identity Manager Single Sign-On (vIDM SSO)
- Host table entries now expire after they are idle for three months (after the last ingested event)
- New upgrade APIs
- User Interface Features
- New alert history for individual alerts
- New percent labels on pie charts
- New trendline overlay on line charts
- Enhanced dashboard list selection
- Agent Features
- New FIPS-140-2 compliance
- New silent auto-update of deployed agents
- Enhanced timestamp parser that supports single-digit representation of days and months
- Now supports Windows Server 2016
vRealize Log Insight 4.3 supports the following VMware products and versions:
- vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later. See the VMware knowledge base article at http://kb.vmware.com/kb/2145103 for more information.
- You can integrate vRealize Log Insight 4.3 with vRealize Operations Manager version 6.0 or later.
vRealize Log Insight 4.3 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 45.0 and above
- Google Chrome 51.0 and above
- Safari 9.1 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 4.3 Windows agent supports the following versions.
- Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016
vRealize Log Insight Linux Agent Support
The vRealize Log Insight Linux agent supports the following distributions and versions.
- RHEL 5, RHEL 6, and RHEL 7
- SLES 11 SP3 and SLES 12 SP1
- Ubuntu 12.04 LTS, 14.04 LTS, and 16.04 LTS
vRealize Log Insight 4.3 has the following limitations.
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
- The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname and source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
Upgrading from a Previous Version of vRealize Log Insight
You can upgrade to 4.3 directly from vRealize Log Insight 4.0 or from the beta releases 4.1 or 4.2. If you are running an earlier version of vRealize Log Insight, you must first upgrade your installation to 4.0.
Important Upgrade Notes
- To upgrade to vRealize Log Insight 4.3, you must be running vRealize Log Insight 4.0 or later.
- When performing a manual upgrade, you must upgrade workers one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.3, a rolling upgrade occurs unless specifically disabled.
- Upgrading must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
- vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
- If the vRLI upgarde (.pak file) has new "Jre" version then the user installed certificates in an vRLI setup (e.g for Event forwarding) getting invisible after upgrade. Please look at the bug 1816858.
vRealize Log Insight 4.3 includes the following localization features.
- The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
- vRealize Log Insight agents work on non-English native Windows.
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- Integration with Active Directory, vSphere, and vRealize Operations Manager for user names with non-ASCII characters is not supported.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
- Setting domain controllers for AD configuration nowconsistently sets the KRB server correctly.
- The VIP tag and vSphere integration tag can now be thesame, without impacting vSphere collection.
- The scope of the vRealize Operations launch-in-contextcheckbox is no longer node specific for an integration withvRealize Log Insight.
Event forwarding stops working afterupgrading deployments that use SSL.
JRE is upgraded as part of vRealize Log Insightupgrade. For sites configured with SSL, certificate informationremains stored in the old JRE version therefore the certificatecannot be retrieved for the upgraded installation and eventforwarding fails.
Workaround:Reimport the certificate using the procedure "ConfiguringvRealize Log Insight Event Forwarding with SSL" in the vRealizeLog Insight documentation center.
When a Log Insight instance uses the VMwareIdentity Manager integration and a cluster that is configuredwithout a virtual IP address, links to alerts in automaticallygenerated email messages are incorrect.
This is also true for site configurations that usemultiple virtual IPs.
The alert links sent in emailalerts are created using a FQDN, but VMware Identity Managerredirects back to the IP address of the vRealize Log Insightmaster node instead of the FQDN of the virtual IP address.
Workaround: From the drop-down menu icon onthe Web interface, select Administration > Cluster. In theIntegrated Load Balancer section, open the Add New IP Addresswindow and add the virtual IP address to the vRealize LogInsight cluster specifying its FQDN.
ReconfigureVMware Identity Manager integration with newly created VIP.
- Upgrade fails when the /storage/var partition is full.
Cluster nodes can enter a disconnected state when the /storage/var partition is full.
/storage/var partition is full, it may result in failed upgrades and cause cluster nodes to intermittently enter a disconnected state. The
loginsight_daemon_stdout.log file in the partition has been known to grow to a very large size and can be safely deleted.
For upgrade failure, this is indicated by a
no space on device message in the
For nodes, you might see the message
Internal Server Error when you open the interface from a VIP address or IP address of an affected node. For unaffected nodes, the user interface remains accessible. The admin/cluster page shows the disconnect status for affected nodes.
Manually clean up the log file, restart services on affected nodes, and retry the operation.
- Run the
du command on the Log Insight cluster nodes to verify that one or more nodes show the /storage/var partition is is 100% full.
- Log into the appliance as root user.
- Run the command
rm /storage/var/loginsight/loginsight_daemon_stdout.log to delete the log file.
- Run the command
/etc/init.d/loginsight stop && /etc/init.d/loginsight start to restart the loginsight service.