VMware vRealize Log Insight 4.5 Release Notes
VMware vRealize Log Insight | 13 June 2017
Updated 26 June 2017
Server Build 5654101
These release notes describe changes to vRealize Log Insight 4.5. Check frequently for updates to these release notes.
What's in the Release Notes?
The release notes cover the following topics:
vRealize Log Insight delivers the best real-time and archive log management, especially for VMware environments. Machine learning-based Intelligent Grouping and high-performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface.
This release of VMware vRealize Log Insight delivers product improvements and updates to the previous release, including these features:
- Server Features
- Added API to query alert execution and notification history
- Added ability to specify basic authentication for webhooks
- New product configuration APIs added
- The source field is maintained when forwarding from vRealize Log Insight forwarder to a vRealize Log Insight server
- Hosts on the /admin/hosts page can now be exported
- External load balancer support will be removed in a later version.
- VMware Identity Manager (vIDM) is recommended for vRealize Log Insight. Native Active Directory use is supported in vRealize Log Insight 4.5, but will be removed in a later version. You can download a licensed version of vIDM for use with this release from the vRealize Log Insight Download page.
- General User Interface Items
- Dashboard legend mouse-over in one widget now highlights corresponding chart items across widgets
- Added ability to show a given time across all dashboard chart widgets simultaneously
- Separate options are available for descriptions and recommendations for user alerts.
- User alert history for aggregation queries now includes count
- Agent Items
- Added ability to send unaltered raw syslog to destination server
- Added ability for agent syslog parser to parse structured data (SD), PRI, PROCID, and MSGID syslog fields
- Added auto-update checkbox option on MSI user interface
- Added support for sending logs to multiple destinations
- Added directory wildcard support
- Added support for Photon OS
- Support for Ubuntu 12.04 LTS has been deprecated
- Content Packs
- Updated General and vSphere content packs
- VSAN and vROps content packs included out of the box
vRealize Log Insight 4.5 supports the following VMware products and versions:
- vRealize Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.5 or later. See the VMware knowledge base article at http://kb.vmware.com/kb/2145103 for more information.
- You can integrate vRealize Log Insight 4.5 with vRealize Operations Manager version 6.0 or later.
vRealize Log Insight 4.5 supports the following browser versions. More recent browser versions also work with vRealize Log Insight, but have not been validated.
- Mozilla Firefox 45.0 and above
- Google Chrome 51.0 and above
- Safari 9.1 and above
- Internet Explorer 11.0 and above
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. The Compatibility View browser mode is not supported.
The minimum supported browser resolution is 1280 by 800 pixels.
Important: Cookies must be enabled in your browser.
vRealize Log Insight Windows Agent Support
The vRealize Log Insight 4.5 Windows agent supports the following versions.
- Windows 7, Windows 8, Windows 8.1, and Windows 10
- Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016
vRealize Log Insight Linux Agent Support
The vRealize Log Insight Linux agent supports the following distributions and versions.
- RHEL 5, RHEL 6, and RHEL 7
- SUSE Enterprise Linux (SLES 11 SP3) and SLES 12 SP1
- Ubuntu 14.04 LTS, and 16.04 LTS
- VMware Photon, version 1 revision 2
vRealize Log Insight 4.5 has the following limitations.
- vRealize Log Insight does not handle non-printable ASCII characters correctly.
- vRealize Log Insight does not support printing. However, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer or Firefox for printing portions of the vRealize Log Insight user interface.
- The hosts table might display devices more than once with each in a different format, including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com might appear as both foo and foo.bar.com.
The hosts table uses the hostname field that is defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname and source fields are not delivered correctly when vRealize Log Insight Windows and Linux agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows agent configuration file: =C:\Windows\Sysnative\dhcp.
vRealize Log Insight Linux Agent
- Due to an operating system limitation, the vRealize Log Insight Linux agent does not detect network outages when configured to send events over syslog.
- The vRealize Log Insight Linux agent does not support non-English (UTF-8) symbols in field or tag names.
- The vRealize Log Insight Linux agent collects hidden files and directories by default. To prevent this, you must add an exclude=.* option to every configuration section. The option exclude uses the glob pattern .* which represents hidden file format.
- When standard output redirection to a file is used to produce logs, the vRealize Log Insight agent might not correctly recognize event boundaries in such log files.
Upgrading from a Previous Version of vRealize Log Insight
You can upgrade to 4.5 directly from vRealize Log Insight 4.3. If you are running an earlier version of vRealize Log Insight, you must first incrementally upgrade your installation to 4.3.
Important Upgrade Notes
- To upgrade to vRealize Log Insight 4.5, you must be running vRealize Log Insight 4.3.
- When performing a manual upgrade, you must upgrade workers one at a time. Upgrading multiple workers at the same time causes an upgrade failure. When you upgrade the master node to vRealize Log Insight 4.5, a rolling upgrade occurs unless specifically disabled.
- Upgrading must be done from the master node's FQDN. Upgrading with the Integrated Load Balancer IP address is not supported.
- vRealize Log Insight does not support two-node clusters. Add a third vRealize Log Insight node of the same version as the existing two nodes before performing an upgrade.
- If the vRLI upgrade (.pak file) has a new JRE version, then the user-installed certificates in a vRealize Log Insight setup (such as for event forwarding) become invisible after upgrade. See Event forwarding stops working after upgrading deployments that use SSL.
vRealize Log Insight 4.5 includes the following localization features.
- The vRealize Log Insight server web user interface is localized to Japanese, French, Spanish, German, Simplified Chinese, Traditional Chinese, and Korean.
- The vRealize Log Insight server Web user interface supports Unicode data, including machine learning features.
- vRealize Log Insight agents work on non-English native Windows.
- The agent installer and content pack are not localized. Parts of the vRealize Log Insight server Web user interface might still show non-localized strings and have layout issues.
- vRealize Log Insight is interoperable with localized versions of vCenter Server and vRealize Operations Manager. However, Content Packs depend on matching non-localized log messages. vCenter Server events are retrieved in its default locale, which should be set to en_US. For more information, see http://kb.vmware.com/kb/2121646.
- Integration with Active Directory, vSphere, and vRealize Operations Manager for user names with non-ASCII characters is not supported.
- The date/time calendar format shown on the vRealize Log Insight server Web user interface is English only and does not display language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
When a vRealize Log Insight instance uses the VMware Identity Manager integration and a cluster that is configured without a virtual IP address, links to alerts in automatically generated email messages are incorrect.
This is also true for site configurations that use multiple virtual IPs.
The alert links sent in email alerts are created using a FQDN, but VMware Identity Manager redirects back to the IP address of the vRealize Log Insight master node instead of the FQDN of the virtual IP address.
Workaround: From the drop-down menu icon on the Web interface, select Administration > Cluster. In the Integrated Load Balancer section, open the Add New IP Address window and add the virtual IP address to the vRealize Log Insight cluster by specifying its FQDN.
Reconfigure VMware Identity Manager integration with the newly created VIP.
- In rare cases, data from re-created folders might not be collected.
When a vRealize Log Insight agent is configured to monitor a complex-structured hierarchy of folders, such as 100 or more nested folders, and the directory wildcard feature is used, folders that have been deleted and re-created with the same name might not be indicated for monitoring.
Workaround: Restart the vRealize Log Insight agent service.
- Export events data does not always return the complete list of events in the exported file.
When you export a large number of events, there might be points where all cluster resources are used for ingestion/query processing and some internal query requests might be missed. This can result in an incomplete list of events in the exported file.
Workaround: Try the export again.
- Upgrade fails when the /storage/var partition is full.
Cluster nodes can enter a disconnected state when the /storage/var partition is full.
/storage/var partition is full, it may result in failed upgrades and cause cluster nodes to intermittently enter a disconnected state. The
loginsight_daemon_stdout.log file in the partition has been known to grow to a very large size and can be safely deleted.
For upgrade failure, this is indicated by a
no space on device message in the
For nodes, you might see the message
Internal Server Error when you open the interface from a VIP address or IP address of an affected node. For unaffected nodes, the user interface remains accessible. The admin/cluster page shows the disconnect status for affected nodes.
Workaround: Manually clean up the log file, restart services on affected nodes, and retry the operation.
- Run the
du command on the Log Insight cluster nodes to verify that one or more nodes show the /storage/var partition is is 100% full.
- Log into the appliance as root user.
- Run the command
rm /storage/var/loginsight/loginsight_daemon_stdout.log to delete the log file.
- Run the command
/etc/init.d/loginsight stop && /etc/init.d/loginsight start to restart the loginsight service.
- When you do not provide a license on the License page, a tooltip for evaluation licenses is displayed.
The tooltip is concerned solely with evaluation licenses. You can still use the 25 OSI licenses for vRealize Log Insight that are provided with vCenter.