When an alert query is disabled, Log Insight does not send notification emails and does not trigger vCenter Operations Manager notification events.

Note: Alert queries are user specific. You can manage only your own alerts.

An alert query is disabled under the following conditions:

- If you disable both notification options in the Edit Alert dialog box.
- If the alert is part of a content pack.

Content pack alert queries are read-only. To save changes to a content pack alert, you have to save the alert to your custom content.

Verify that you are logged in to the Log Insight Web user interface. The URL format is https://log_insight-host, where log_insight-host is the IP address or host name of the Log Insight virtual appliance.

Verify that an administrator has configured SMTP to enable email notifications. See Configure the SMTP Server for Log Insight.

Verify that an administrator has configured the connection between Log Insight and vCenter Operations Manager to enable alert integration. See Enable the Sending of Notification Events to vCenter Operations Manager.

1. Navigate to the Interactive Analytics tab.

2. From the drop-down menu on the right of the Search button, select Manage Alerts.

3. In the Alerts list, click the alert query that you want to enable.

4. Select the notification options that you want to enable, and provide the required parameters.

   Option | Description
   Email | Type at least one email address in the text box. Use commas to separate multiple addresses.
   Send to vCenter Operations Manager | Select a vCenter Operations Manager resource to associate with the notification events, and select the criticality level of the events.

5. Save your changes.

   Option | Description
   Save | This button appears when you modify your own alerts.
   Save to My Alerts | This button appears when you modify a shared alert or a content pack alert. The original alert remains unchanged, but you save a copy of the alert to your custom content.

When the alert query returns results that match the alerting criteria, Log Insight sends notifications according to your configuration.

The VMware - vSphere content pack contains several predefined alert queries, including the vCenter Server: ESX/ESXi stopped logging alert.

Enabling the vCenter Server: ESX/ESXi stopped logging alert is a good practice, because certain versions of ESXi hosts might stop sending syslog data when you restart Log Insight. This alert monitors for the vCenter Server event esx.problem.vmsyslogd.remote.failure to detect if there is an ESXi host that has stopped sending syslog feeds.

1. On the Interactive Analytics tab, expand the drop-down menu on the right of the Search button, and select Manage Alerts.

2. Under VMware - vSphere Content Pack, click vCenter Server: ESX/ESXi stopped logging.

3. Enable Email notifications or vCenter Operations Manager notification events.

4. Click Save to My Alerts.

To detect only ESXi hosts that stop sending feeds to your instance of Log Insight, you can add the following filter to the alert query: vc_remote_host (VMware - vSphere) contains <log-insight-hostname>, and save the new query to your alerts.

For details about syslog problems and solutions, see VMware ESXi 5.0 host stops sending syslogs to remote server (2003127).
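The matching logic of the stopped-logging alert and its optional vc_remote_host filter can be reproduced offline to check which hosts the filtered query would report. The following is an added example, not Log Insight or content pack code. The log line layout, the host names, the function name and the case-insensitive comparison are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Event name taken from the alert description on this page.
EVENT_ID = "esx.problem.vmsyslogd.remote.failure"

# Constructed sample lines, not real vCenter Server output. Assumed layout:
# "<timestamp> <esxi-host> <event-id> remote_host=<syslog target>"
SAMPLE_LINES = [
    "2014-03-02T10:15:01Z esx01.example.test esx.problem.vmsyslogd.remote.failure remote_host=loginsight01.example.test",
    "2014-03-02T10:15:04Z esx02.example.test esx.problem.vmsyslogd.remote.failure remote_host=udp://loginsight01.example.test:514",
    "2014-03-02T10:16:40Z esx03.example.test esx.problem.vmsyslogd.remote.failure remote_host=syslog-archive.example.test",
    "2014-03-02T10:17:12Z esx01.example.test vim.event.UserLoginSessionEvent remote_host=-",
    "malformed line without fields",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+remote_host=(?P<remote>\S+)$"
)


def hosts_that_stopped_logging(lines, log_insight_hostname=None):
    """Return {esxi_host: [timestamps]} for remote syslog failure events.

    If log_insight_hostname is given, keep only events whose remote host
    contains that name, like the "contains" filter on vc_remote_host.
    """
    needle = log_insight_hostname.lower() if log_insight_hostname else None
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != EVENT_ID:
            continue  # unrelated event or unparseable line
        # Assumption of this example: host names compare case-insensitively.
        if needle and needle not in m["remote"].lower():
            continue  # failure concerns a different syslog target
        hits[m["host"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    print("unfiltered:", sorted(hosts_that_stopped_logging(SAMPLE_LINES)))
    print("filtered:  ", sorted(
        hosts_that_stopped_logging(SAMPLE_LINES, "loginsight01.example.test")))
```

Without the filter, a host whose failure concerns another syslog target (esx03 in the constructed data) also raises the alert. With the filter, only hosts that stopped sending to the named instance are reported.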