
VMware vCenter Log Insight Administration Guide -...

Date post: 15-Sep-2018
VMware vCenter Log Insight Administration Guide vCenter Log Insight 2.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs. EN-001424-00

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2014 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

About vCenter Log Insight Administration Guide

1 Administering Log Insight

    Configure the Root SSH Password for the Log Insight Virtual Appliance
    Change the IP Address of the Log Insight vApp
    Assign a Permanent License to Log Insight
    Upgrading from Previous Versions of Log Insight
    Manage a Log Insight Cluster
    Check the Health of the Log Insight Virtual Appliance
    Managing User Accounts in Log Insight
    Overview of the Log Insight Windows Agent
    Configure Log Insight System Alerts
    Synchronize the Time on the Log Insight Virtual Appliance
    Configure the SMTP Server for Log Insight
    Integrating Log Insight with Other VMware Products
    Enable or Disable Data Archiving in Log Insight
    Enable User Authentication Through Active Directory
    Install a Custom SSL Certificate by Using the Log Insight Web Interface
    Change the Default Timeout Period for Log Insight Web Sessions
    Import a Log Insight Archive into Log Insight
    Restart the Log Insight Service
    Power Off the Log Insight Virtual Appliance
    Add Memory and CPU to the Log Insight Virtual Appliance
    Stop Sending Trace Data to VMware

2 Troubleshooting Log Insight

    ESXi Logs Stop Arriving in Log Insight
    Log Insight Runs Out of Disk Space
    Download a Log Insight Support Bundle
    Use the Virtual Appliance Console to Create a Support Bundle of Log Insight
    Reset the Admin User Password
    Reset the Root User Password
    Alerts Could Not Be Delivered to vCenter Operations Manager
    Unable to Log In Using Active Directory Credentials
    SMTP does not work with STARTTLS option enabled

Index


About vCenter Log Insight Administration Guide

The VMware vCenter Log Insight Administration Guide provides information about administering Log Insight, including how to manage user accounts, integrate with other VMware products and troubleshoot common problems.

Intended Audience

This information is intended for anyone who wants to administer Log Insight. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.


1 Administering Log Insight

Administrator users can perform standard administration tasks by using the Administration section of the Log Insight Web user interface.

Some changes to the configuration of Log Insight are applied only after you restart the loginsight service. Changes related to time configuration, vSphere integration, and authentication do not require restart.

This chapter includes the following topics:

- Configure the Root SSH Password for the Log Insight Virtual Appliance
- Change the IP Address of the Log Insight vApp
- Assign a Permanent License to Log Insight
- Upgrading from Previous Versions of Log Insight
- Manage a Log Insight Cluster
- Check the Health of the Log Insight Virtual Appliance
- Managing User Accounts in Log Insight
- Overview of the Log Insight Windows Agent
- Configure Log Insight System Alerts
- Synchronize the Time on the Log Insight Virtual Appliance
- Configure the SMTP Server for Log Insight
- Integrating Log Insight with Other VMware Products
- Enable or Disable Data Archiving in Log Insight
- Enable User Authentication Through Active Directory
- Install a Custom SSL Certificate by Using the Log Insight Web Interface
- Change the Default Timeout Period for Log Insight Web Sessions
- Import a Log Insight Archive into Log Insight
- Restart the Log Insight Service
- Power Off the Log Insight Virtual Appliance
- Add Memory and CPU to the Log Insight Virtual Appliance
- Stop Sending Trace Data to VMware


Configure the Root SSH Password for the Log Insight Virtual Appliance

By default the SSH connection to the virtual appliance is disabled. To enable SSH connections, you must configure the root SSH password from the VMware Remote Console.

Prerequisites

Verify that the Log Insight virtual appliance is deployed and running.

Procedure

1 In the vSphere Client inventory, click the Log Insight virtual appliance, and open the Console tab.

2 Go to a command line by following the key combination specified on the splash screen.

3 In the console, type root, and press Enter. Leave the password empty and press Enter.

The following message is displayed in the console: Password change requested. Choose a new password.

4 Leave the old password empty and press Enter.

5 Type a new password for the root user, press Enter, type the new password again for the root user, and press Enter.

The password must consist of at least eight characters, and must include at least one upper case letter, one lower case letter, one digit, and one special character. You cannot repeat the same character more than four times.

The following message is displayed: Password changed.

What to do next

You can use the root password to establish SSH connections to the Log Insight virtual appliance.

Change the IP Address of the Log Insight vApp

You can change the IP address of the Log Insight virtual appliance by editing the vApp properties in the vSphere Client.

Prerequisites

Verify that you have permissions to edit vApp properties.

Procedure

1 Power off the Log Insight vApp.

2 Right-click the Log Insight vApp in the inventory and click Edit Settings.

3 Click the Options tab and select vApp Options > IP Allocation Policy.


4 Select an IP allocation option.

| Option | Description |
| --- | --- |
| Fixed | IP addresses are manually configured. No automatic allocation is performed. |
| Transient | IP addresses are automatically allocated using IP pools from a specified range when the vApp is powered on. The IP addresses are released when the appliance is powered off. |
| DHCP | A DHCP server is used to allocate the IP addresses. The addresses assigned by the DHCP server are visible in the OVF environments of virtual machines started in the vApp. |

5 (Optional) If you select Fixed, click vApp Options > Properties and assign an IP address for the Log Insight vApp.

6 Power on the Log Insight vApp.

Assign a Permanent License to Log Insight

You can use Log Insight only with a valid license key.

You obtain an evaluation license when you download Log Insight from the VMware Web site. This license is valid for 60 days. When the evaluation license expires, you must assign a permanent license to continue using Log Insight.

You use the Administration section of the Log Insight Web user interface to check the Log Insight licensing status and manage your license.

Prerequisites

- Obtain a valid license key from My VMware™.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, select License.

3 In the License Key text box, type your license key and click Set Key.

4 Verify that the license status is Active, and the license type and expiry day are correct.

Upgrading from Previous Versions of Log Insight

The upgrade procedure to follow varies with the installed version of Log Insight that you want to upgrade.

| Installed Version | Upgrade Version | Upgrade Procedure |
| --- | --- | --- |
| Log Insight 1.0 GA and 1.5 TP1 | Log Insight 1.5 GA | See “Upgrade Log Insight by Using CLI,” on page 10. |
| Log Insight 1.5 TP2 and later | Log Insight 1.5 GA | See “Upgrade Log Insight 1.5 by Using the Web Interface,” on page 11. |
| Log Insight 1.5 GA | Log Insight 2.0 Beta | See “Upgrade Log Insight 1.5 GA and later by Using the Web Interface,” on page 11 and “Upgrade a Worker Node in a Log Insight Cluster,” on page 15. |
| Log Insight 1.5 GA | Log Insight 2.0 GA in cluster mode | 1. “Upgrade Log Insight 1.5 GA and later by Using the Web Interface,” on page 11. 2. “Add a Worker Node to a Log Insight Cluster,” on page 12. |
| Log Insight 2.0 Beta standalone node | Log Insight 2.0 GA | See “Upgrade Log Insight 1.5 GA and later by Using the Web Interface,” on page 11. |
| Log Insight 2.0 Beta worker node | Log Insight 2.0 GA | See “Upgrade a Worker Node in a Log Insight Cluster,” on page 15. |

Upgrade Log Insight by Using CLI

Because Log Insight 1.0 GA and 1.5 TP1 do not provide a user interface for upgrade, you must use a CLI to update these versions to Log Insight 1.5.

For Log Insight versions 1.5 TP2 and later, use the Administration user interface for upgrades. See “Upgrade Log Insight 1.5 by Using the Web Interface,” on page 11.

This procedure uses the virtual appliance console, but you can run it through SSH as well.

NOTE All active users of the Log Insight instance are logged out during the upgrade process.

Prerequisites

- Verify that you set the root user password on the Log Insight virtual appliance to enable SSH and console operations. See “Configure the Root SSH Password for the Log Insight Virtual Appliance,” on page 8.

- Create a snapshot or backup copy of the Log Insight virtual appliance.

- Obtain a copy of the Log Insight upgrade bundle .rpm file.

Procedure

1 Download the .rpm file to a host that has SSH access to the Log Insight virtual appliance.

2 Use the secure copy protocol to copy the .rpm file to the Log Insight virtual appliance.

| Operating System | Command/Tool |
| --- | --- |
| Linux | scp <path-to-the-RPM-file>/loginsight-cloudvm-<version>-<log-insight-build-number>.x86_64.rpm root@<LogInsightIPorHostname>:~ |
| Windows | For Windows systems, download an SCP client like WinSCP. |

3 Use the vSphere Client console to log in to the Log Insight virtual appliance as the root user.

4 Run the service loginsight stop command.

5 Run the rpm -Uvh loginsight-cloudvm-<version>-<log-insight-build-number>.x86_64.rpm command, and wait for the upgrade to complete.

6 Run the service loginsight start command.


7 Verify that you can log in to the Log Insight Web user interface.

REMEMBER The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

If you see an error page, log in as the root user in the virtual appliance console, and run the service loginsight restart command to restart the loginsight service.
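The CLI upgrade steps above as a script with two pre-flight checks, added here as an example (it is not VMware's code). The version and build format in the file-name pattern and the expected SHA-256 argument are assumptions, the build number in the usage comment is constructed, and without --execute the function only prints the commands.

```shell
#!/bin/sh
# Added example: pre-flight checks and ordered steps for the CLI upgrade.
# Intended to run as root on the appliance after the bundle has been copied over.
# Assumptions: <version> is dotted digits, <build> is digits, and the expected
# SHA-256 is obtained from the same trusted place as the bundle itself.

# Return 0 if the file name is loginsight-cloudvm-<version>-<build>.x86_64.rpm.
valid_bundle_name() {
    printf '%s\n' "${1##*/}" |
        grep -Eq '^loginsight-cloudvm-[0-9]+(\.[0-9]+)*-[0-9]+\.x86_64\.rpm$'
}

# Return 0 only if the file's SHA-256 equals the expected hex digest.
sha256_matches() {
    [ -f "$1" ] || return 1
    sm_actual=$(sha256sum "$1" | cut -d' ' -f1)
    sm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$sm_expected" ] && [ "$sm_actual" = "$sm_expected" ]
}

# Print the three commands from the procedure, in order, for a given bundle.
upgrade_commands() {
    printf 'service loginsight stop\n'
    printf 'rpm -Uvh %s\n' "$1"
    printf 'service loginsight start\n'
}

# Check the bundle, then print (default) or run the upgrade steps.
# Usage: run_upgrade <bundle.rpm> <expected-sha256> [--execute]
# e.g.   run_upgrade ~/loginsight-cloudvm-1.5.0-1435442.x86_64.rpm <sha256>
#        (constructed file name, not a real build number)
run_upgrade() {
    valid_bundle_name "$1" || { echo "unexpected bundle name: $1" >&2; return 2; }
    sha256_matches "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 3; }
    if [ "${3:-}" != "--execute" ]; then
        upgrade_commands "$1"      # dry run: show what would be executed
        return 0
    fi
    service loginsight stop || return 4
    ru_rc=0
    rpm -Uvh "$1" || ru_rc=$?      # keep rpm's result, but still start the service
    service loginsight start || return 5
    return "$ru_rc"
}
```

A bundle that fails either check is rejected before the loginsight service is stopped, so a bad file does not cause downtime.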

Upgrade Log Insight 1.5 by Using the Web Interface

Admin users can upgrade Log Insight 1.5 TP2 and later by using the administration user interface.

NOTE All active users of the Log Insight instance are logged out during the upgrade process.

Prerequisites

- Create a snapshot or backup copy of the Log Insight virtual appliance.

- Obtain a copy of the Log Insight upgrade bundle .rpm file.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- If you use Internet Explorer 9, verify that you have Adobe Flash Player installed on your system.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Appliance.

3 Click Upload RPM, and browse for the .rpm file.

4 Click Upgrade.

Log Insight uploads the .rpm file to the virtual appliance and displays a confirmation dialog box.

5 Click Upgrade to confirm.

6 Accept the new EULA to complete the upgrade procedure.

Upgrade Log Insight 1.5 GA and later by Using the Web Interface

Admin users can upgrade Log Insight 1.5 GA and later by using the administration user interface.

NOTE All active users of the Log Insight instance are logged out during the upgrade process.

Prerequisites

- Create a snapshot or backup copy of the Log Insight virtual appliance.

- Obtain a copy of the Log Insight upgrade bundle .pak file.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- If you use Internet Explorer 9, verify that you have Adobe Flash Player installed on your system.

Procedure

1 Click the configuration drop-down menu icon and select Administration.


2 Under Management, click Appliance.

3 Click Upload PAK, and browse to the .pak file.

4 Click Upgrade.

Log Insight uploads the .pak file to the virtual appliance and displays a confirmation dialog box.

5 Click Upgrade to confirm.

6 Accept the new EULA to complete the upgrade procedure.

What to do next

You can deploy a new instance of the Log Insight virtual appliance and add it to the existing Log Insight node to form a cluster. The existing node becomes a master node and the newly deployed Log Insight instance becomes a worker node. See “Add a Worker Node to a Log Insight Cluster,” on page 12.

Manage a Log Insight Cluster

You can add, remove and upgrade the nodes of a Log Insight cluster by using the Log Insight Web interface.

Add a Worker Node to a Log Insight Cluster

Deploy a new instance of the Log Insight virtual appliance and add it to an existing Log Insight master node.

Procedure

1 Deploy the Log Insight Virtual Appliance

Download the Log Insight virtual appliance. VMware distributes the Log Insight virtual appliance as an .ova file. Deploy the Log Insight virtual appliance by using the vSphere Client.

2 Join Existing Deployment

After you deploy and set up a standalone Log Insight node, you can deploy a new Log Insight instance and add it to the existing node to form a Log Insight cluster.

Deploy the Log Insight Virtual Appliance

Download the Log Insight virtual appliance. VMware distributes the Log Insight virtual appliance as an .ova file. Deploy the Log Insight virtual appliance by using the vSphere Client.

Prerequisites

- Verify that you have a copy of the Log Insight virtual appliance .ova file.

- Verify that you have permissions to deploy OVF templates to the inventory.

- Verify that your environment has enough resources to accommodate the minimum requirements of the Log Insight virtual appliance. See the topic Minimum Requirements in the VMware vCenter Log Insight Getting Started Guide.

- Verify that you read and understand the virtual appliance sizing recommendations. See the topic Sizing the Log Insight Virtual Appliance in VMware vCenter Log Insight Getting Started Guide.

Procedure

1 In the vSphere Client, select File > Deploy OVF Template.

2 Follow the prompts in the Deploy OVF Template wizard.


3 On the Deployment Configuration page, select the size of the Log Insight virtual appliance based on the size of the environment for which you intend to collect logs.

Small is the minimum requirement for production environments.

| Option | Log Ingest Rate | vCPUs | Memory | IOPS | Syslog Connections | Events per Second |
| --- | --- | --- | --- | --- | --- | --- |
| Extra Small | 3GB/day | 2 | 4GB | 75 | 20 | 200 |
| Small | 15GB/day | 4 | 8GB | 500 | 100 | 1000 |
| Medium | 37.5GB/day | 8 | 16GB | 1000 | 250 | 2500 |
| Large | 112.5GB/day | 16 | 32GB | 1500 | 750 | 7500 |

NOTE If you select Large, you must upgrade the virtual hardware on the Log Insight virtual machine after the deployment.

4 On the Disk Format page, select a disk format.

- Thick Provision Lazy Zeroed creates a virtual disk in a default thick format. Space required for the virtual disk is allocated when the virtual disk is created. The data remaining on the physical device is not erased during creation, but is zeroed out on demand at a later time, on first write from the virtual appliance.

- Thick Provision Eager Zeroed creates a type of thick virtual disk that supports clustering features such as Fault Tolerance. Space required for the virtual disk is allocated at creation time. In contrast to the flat format, the data remaining on the physical device is zeroed out when the virtual disk is created. It might take much longer to create disks in this format than to create other types of disks.

IMPORTANT Deploy the Log Insight virtual appliance with thick provisioned eager zeroed disks whenever possible for better performance and operation of the virtual appliance.

- Thin Provision creates a disk in thin format. The disk grows as the data saved on it grows. If your storage device does not support thick provisioning disks or you want to conserve unused disk space on the Log Insight virtual appliance, deploy the virtual appliance with thin provisioned disks.

NOTE Shrinking disks on the Log Insight virtual appliance is not supported and might result in data corruption or data loss.

5 (Optional) On the Properties page, set the networking parameters for the Log Insight virtual appliance.

If you do not provide network settings, such as IP address, DNS servers, and gateway, Log Insight utilizes DHCP to set those settings.

CAUTION Do not specify more than two domain name servers. If you specify more than two domain name servers, all configured domain name servers are ignored in the Log Insight virtual appliance.

Use a comma to separate domain name servers.

6 (Optional) On the Properties page, set the root password for the Log Insight virtual appliance.

7 Follow the prompts to complete the deployment.

For information on deploying virtual appliances, see the User's Guide to Deploying vApps and Virtual Appliances.

After you power on the virtual appliance, an initialization process begins. The initialization process takes several minutes to complete. At the end of the process, the virtual appliance restarts.

8 Navigate to the Console tab and check the IP address of the Log Insight virtual appliance.

| IP Address Prefix | Description |
| --- | --- |
| https:// | The DHCP configuration on the virtual appliance is correct. |
| http:// | The DHCP configuration on the virtual appliance failed. a. Power off the Log Insight virtual appliance. b. Right-click the virtual appliance and select Edit Settings. c. Set a static IP address for the virtual appliance. |

What to do next

- To enable SSH connections to the Log Insight virtual appliance, configure the root password in the virtual appliance console. See topic Configure the Root SSH Password for the Log Insight Virtual Appliance in the Log Insight Administration Guide.

- If you want to configure a standalone Log Insight deployment, see topic Configure New Log Insight Deployment in the Log Insight Getting Started Guide.

The Log Insight Web interface is available at https://log-insight-host/ where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Join Existing Deployment

After you deploy and set up a standalone Log Insight node, you can deploy a new Log Insight instance and add it to the existing node to form a Log Insight cluster.

Log Insight can scale out by using multiple virtual appliance instances. This enables linear scaling of the ingestion throughput, increases query performance and allows for ingestion high availability. In cluster mode, Log Insight provides master and worker nodes. Both master and worker nodes are responsible for a subset of data. Master nodes can query all subsets of data and aggregate the results.

Prerequisites

- In the vSphere Client, note the IP address of the worker Log Insight virtual appliance.

- Verify that you have the IP address or host name of the master Log Insight virtual appliance.

- Verify that you have an administrator account on the master Log Insight virtual appliance.

- For information on supported browser versions, see the topic Minimum Requirements in the VMware vCenter Log Insight Getting Started Guide.

Procedure

1 Use a supported browser to navigate to the Web user interface of the Log Insight worker.

The URL format is https://log_insight-host/, where log_insight-host is the IP address or host name of the Log Insight worker virtual appliance.

The initial configuration wizard opens.

2 Click Join Existing Deployment.

3 Enter the IP address or host name of the Log Insight master and click Go.

The worker sends a request to the Log Insight master to join the existing deployment.

4 Click the Click here to access the Cluster Management page link.

5 Log in as an administrator.

The Cluster page loads.


6 Click Allow.

The worker joins the existing deployment and Log Insight begins to operate in a cluster.

What to do next

To add another worker, deploy a new Log Insight instance and add it to the cluster using the startup wizard.

Upgrade a Worker Node in a Log Insight Cluster

You can upgrade one or more worker nodes in a Log Insight cluster.

The Log Insight master node updates worker nodes centrally through the Web user interface.

Prerequisites

- Create a snapshot or backup copy of the Log Insight virtual appliance.

- Obtain a copy of the Log Insight upgrade bundle .pak file.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- If you use Internet Explorer 9, verify that you have Adobe Flash Player installed on your system.

- Upgrade the master node of the Log Insight cluster. See “Upgrade Log Insight 1.5 GA and later by Using the Web Interface,” on page 11.

- If you use an external load balancer, take the node off the balancer before you put it in maintenance mode.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click Cluster.

3 In the Workers table, find the node you want, click , and click Continue.

The node is now in maintenance mode.

NOTE A node in maintenance mode continues to receive logs.

4 Click and then click Upgrade worker to confirm.

NOTE The icon is only available for workers that run earlier versions than the master. The icon is not visible after the worker successfully upgrades to the version of the master.

When the upgrade completes, the worker restarts and reconnects to the cluster.

What to do next

Upgrade the remaining worker nodes in your Log Insight cluster.


Remove a Worker Node from a Log Insight Cluster

You can remove a worker node from a Log Insight cluster and add it to a different cluster or start a standalone deployment.

Prerequisites

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- If you use an external load balancer, take the node off the balancer before you put it in maintenance mode.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click Cluster.

3 In the Workers table, find the node you want, click , and click Continue.

The node is now in maintenance mode.

NOTE A node in maintenance mode continues to receive logs.

4 Click to remove the node.

Log Insight removes the node from the cluster and sends out an email notification.

Example:

What to do next

Navigate to the Web user interface of the removed node to configure it. You can add the node to a different existing Log Insight cluster or start a new standalone deployment.

Check the Health of the Log Insight Virtual Appliance

You can check available resources and active queries on the Log Insight virtual appliance, and view current statistics about the operation of Log Insight.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click System Monitor.

3 If Log Insight is running as a cluster, click Show resources for and choose the node you want to monitor.


4 Click the buttons on the System Monitor page to view the information that you need.

| Option | Description |
| --- | --- |
| Resources | View information about the CPU, memory, IOPS (read and write activity), and storage usage on the Log Insight virtual appliance. The charts on the right represent historical data for the last 24 hours, and are refreshed at five-minute intervals. The charts on the left display information for the last five minutes, and are refreshed every three seconds. |
| Active Queries | View information about the queries that are currently active in Log Insight. |
| Statistics | View statistics about the log ingest operations and rates. To view more detailed statistics, click Show advanced statistics. |

What to do next

You can use the information from the System Monitor page to manage resources on the Log Insight virtual appliance.

Log Storage Policy

The Log Insight virtual appliance uses a minimum of 100GB of storage for incoming logs.

When the volume of logs imported into Log Insight reaches the 100GB limit, old log messages are automatically and periodically retired on a first-come-first-retired basis. To preserve old messages, you can enable the archiving feature of Log Insight. See “Enable or Disable Data Archiving in Log Insight,” on page 59.

Data stored by Log Insight is immutable. After a log has been imported, it cannot be removed until it is automatically retired.

Increase the Storage Capacity of the Log Insight Virtual Appliance

You can increase the storage resources allocated to Log Insight as your needs grow.

You increase the storage space by adding a new virtual disk to the Log Insight virtual appliance. You can add as many disks as you need, and as your environment permits.

Prerequisites

- Log in to the vSphere Client as a user who has privileges to modify the hardware of virtual machines in the environment.

- Shut down the Log Insight virtual appliance safely. See “Power Off the Log Insight Virtual Appliance,” on page 66.

Procedure

1 In the vSphere Client inventory, right-click the Log Insight virtual machine and select Edit Settings.

2 On the Hardware tab, click Add.

3 Select Hard Disk and click Next.


4 Select Create a new virtual disk and click Next.

a Type the disk capacity.

b Select a disk format.

| Option | Description |
| --- | --- |
| Thick Provision Lazy Zeroed | Creates a virtual disk in the default thick format. The space required for the virtual disk is allocated when the virtual disk is created. The data residing on the physical device is not erased during creation, but is zeroed out on demand at a later time, after first write from the virtual appliance. |
| Thick Provision Eager Zeroed | Creates a type of thick virtual disk that supports clustering features such as Fault Tolerance. The space required for the virtual disk is allocated at creation time. In contrast to the flat format, the data residing on the physical device is zeroed out when the virtual disk is created. It might take much longer to create disks in this format than to create other types of disks. Create thick provisioned eager zeroed disks whenever possible for better performance and operation of the Log Insight virtual appliance. |
| Thin Provision | Creates a disk in thin format. Use this format to save storage space. |

NOTE Snapshots can negatively affect the performance of a virtual machine. Avoid using snapshots whenever possible.

c (Optional) To select a datastore, browse for the datastore location and click Next.

5 Accept the default virtual device node and click Next.

6 Review the information and click Finish.

7 Click OK to save your changes and close the dialog box.

When you power on the Log Insight virtual appliance, the virtual machine discovers the new virtual disk and automatically adds it to the default data volume.

CAUTION After you add a disk to the virtual appliance, you cannot remove it safely. Removing disks from the Log Insight virtual appliance may result in complete data loss.

Managing User Accounts in Log Insight

Administrators can create user accounts to provide users with access to the Log Insight Web interface.

The current version of Log Insight supports two user roles, Normal user and Admin user.

Only administrator users can create and edit all user accounts.

Normal users can modify their own accounts to change their email or account password.

Create a New User Account in Log Insight

Administrators can create user accounts to provide access to the Log Insight Web user interface.

The current version of Log Insight supports two user roles, Normal user and Admin user.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.


Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Users.

3 Click New User.

4 In the Authentication Method drop-down menu, select Default (built-in).

5 Type a user name and email address.

The email address is optional.

6 From the Role drop-down menu, select the user role.

| Option | Description |
| --- | --- |
| Normal User | Normal users can access the full functionality of Log Insight to view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage their own user accounts to change their password or email address. Normal users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack as a content pack. |
| Admin | Admin users can access the full functionality of Log Insight, can administer Log Insight, and can manage the accounts of all other users. |

7 Copy the password from the Password text box and provide it to the user.

8 Click Save.

Add an Active Directory User to Log Insight

You can allow Active Directory (AD) users to log in to Log Insight by using their domain credentials.

When you enable AD support in Log Insight, you configure a domain name and provide a binding user that belongs to the domain. Log Insight uses the binding user to verify the connection to the AD domain, and to verify the existence of AD users and groups.

The AD users that you add to Log Insight must either belong to the domain of the binding user, or to a domain that trusts the domain of the binding user.

Prerequisites

n Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL formatis https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtualappliance.

n Verify that you configured the AD support. See “Enable User Authentication Through ActiveDirectory,” on page 59.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Users.

3 Click New User.

4 From the Authentication Method drop-down menu, select Active Directory.

The default domain name that you specified when you configured AD support appears in the Domain text box. If you are adding users from the default domain, do not modify the domain name.

5 (Optional) If you want to add a user from a domain that trusts the default domain, type the name of the trusting domain in the Domain text box.

6 Type the name of a domain user.

7 From the Role drop-down menu, select the user role.

Option    Description

Normal User    Normal users can access the full functionality of Log Insight to view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage their own user accounts to change their password or email address. Normal users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack as a content pack.

Admin    Admin users can access the full functionality of Log Insight, can administer Log Insight, and can manage the accounts of all other users.

8 Click Save.

Log Insight verifies whether the user exists in the domain that you specified or in its trusted domains. If the user does not exist, a dialog box informs you that Log Insight cannot verify that user. You can save the user without verification or cancel and correct the user name.

AD users that you add can use their domain credentials to log in to Log Insight.

Add an Active Directory Group to Log Insight

Instead of adding individual domain users, you can add domain groups to allow users to log in to Log Insight.

When you enable AD support in Log Insight, you configure a domain name and provide a binding user that belongs to the domain. Log Insight uses the binding user to verify the connection to the AD domain, and to verify the existence of AD users and groups.

The AD groups that you add to Log Insight must either belong to the domain of the binding user, or to a domain that is trusted by the domain of the binding user.

Prerequisites

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- Verify that you configured the AD support. See “Enable User Authentication Through Active Directory,” on page 59.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Users.

3 Under Active Directory Groups, click New Group.

The default domain name that you specified when you configured AD support appears in the Domain text box. If you are adding groups from the default domain, do not modify the domain name.

4 (Optional) If you want to add a group from a domain that trusts the default domain, type the name of the trusting domain in the Domain text box.

5 Type the name of the AD group that you want to add.

6 From the Role drop-down menu, select the user role.

Option    Description

Normal User    Normal users can access the full functionality of Log Insight to view log events, run queries to search and filter logs, import content packs into their own user space, add alert queries, and manage their own user accounts to change their password or email address. Normal users do not have access to the administration options, cannot share content with other users, cannot modify the accounts of other users, and cannot install a content pack as a content pack.

Admin    Admin users can access the full functionality of Log Insight, can administer Log Insight, and can manage the accounts of all other users.

7 Click Save.

Log Insight verifies whether the AD group exists in the domain that you specified or in a trusting domain. If the group cannot be found, a dialog box informs you that Log Insight cannot verify that group. You can save the group without verification or cancel to correct the group name.

Users that belong to the AD group that you added can use their domain account to log in to Log Insight and have the same level of permissions as the group to which they belong.

Modify a User Account in Log Insight

A Log Insight administrator can change the account type of users and reset their passwords. All users can change their email addresses and passwords.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, select Users.

3 Select the user account that you want to modify and click the Edit icon.

4 Modify the parameters of the account and click Save.

NOTE The modified user permissions are applied the next time a user logs in. If a user is logged in while you apply changes to their account, your changes are not applied until the user logs out and logs in again.

Delete a User Account from Log Insight

You can delete user accounts by using the Log Insight Administration user interface.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Users.

3 Select the check box beside the user name that you want to delete.

4 Click the Delete icon.

Overview of the Log Insight Windows Agent

The Log Insight Windows Agent collects events from Windows event channels and log files, and forwards them to the Log Insight server.

A Windows event channel is a pool for collecting related events in a Windows system. By default, the Log Insight Windows Agent collects events from the Application, System, and Security channels.

In a Windows system, applications can store log data in flat text files on the file system. The Log Insight Windows Agent can monitor directories and collect events from flat text log files.

The Log Insight Windows Agent has a limit of 64 KB per request to the Log Insight server.

The Log Insight Windows Agent runs as a Windows service and starts immediately after installation. During and after installation, you can configure the following options for the Log Insight Windows Agent:

- Select the target Log Insight server to which the Log Insight Windows Agent forwards events.

- Select the communication protocol and port that the Log Insight Windows Agent uses.

- Add additional Windows event channels from which the Log Insight Windows Agent collects events.

- Select Windows directories to monitor and add flat log files to collection.

The Log Insight Windows Agent requires Windows Vista or later, or Windows Server 2008 or later.

To download the Log Insight Windows Agent .msi file, navigate to the Administration page of the Log Insight Web user interface, in the Management section, click Agents, and click the Download Log Insight Windows agent link.

Install the Log Insight Windows Agent with Default Configuration

Install the Log Insight Windows Agent with default configuration by using the GUI wizard.

Prerequisites

- Verify that you have a copy of the Log Insight Windows Agent .msi file. To download the Log Insight Windows Agent .msi file, navigate to the Administration page of the Log Insight Web user interface, in the Management section click Agents, and click the Download Log Insight Windows agent link.

- Verify that you have permissions to perform installations and start services on the Windows machine.

Procedure

1 Log in to the Windows machine on which you want to install the Log Insight Windows Agent.

2 Change to the directory where you have the Log Insight Windows Agent .msi file.

3 Double-click the Log Insight Windows Agent .msi file, accept the terms of the License Agreement, and click Next.

4 Enter the IP address or host name of the Log Insight server and click Install.

The wizard installs the Log Insight Windows Agent as an automatic Windows Service under the LocalSystem service account.

5 Click Finish.

What to do next

Configure the Log Insight Windows Agent by editing the liagent.ini file. See the topic related to the Log Insight Windows Agent configuration in the Log Insight Administration Guide.

Install the Log Insight Windows Agent with Parameters

Install the Log Insight Windows Agent by using the Windows Command Prompt and provide configuration parameters.

For MSI command-line options, see the Microsoft Developer Network (MSDN) Library Web site and search for MSI command-line options.

Prerequisites

- Verify that you have a copy of the Log Insight Windows Agent .msi file. To download the Log Insight Windows Agent .msi file, navigate to the Administration page of the Log Insight Web user interface, in the Management section click Agents, and click the Download Log Insight Windows agent link.

- Verify that you have permissions to perform installations and start services on the Windows machine.

- If you use the silent installation options /quiet or /qn, verify that you run the installation as an administrator. If you run silent installation as a non-administrator, the installation will not prompt for administrator privileges and will fail. Use the logging option and parameters /lxv* file_name for diagnostic purposes.

Procedure

1 Log in to the Windows machine on which you want to install the Log Insight Windows Agent.

2 Open a Command Prompt window.

3 Change to the directory where you have the Log Insight Windows Agent .msi file.

4 Run the following command, replacing * with your version and build number.

Drive:\path-to-msi_file>VMware-vCenter-Log-Insight-Agent-*.msi

5 (Optional) Specify a user service account under which the Log Insight Windows Agent service will run.

Drive:\path-to-msi_file>VMware-vCenter-Log-Insight-Agent-*.msi SERVICEACCOUNT=.\user SERVICEPASSWORD=user_password

NOTE The account supplied in the SERVICEACCOUNT parameter must have the Log On As a Service privilege and full write access to %ProgramData%\VMware\Log Insight Agent directory for the installer to execute correctly. If you do not specify a SERVICEACCOUNT parameter, the Log Insight Windows Agent service is installed under the LocalSystem service account.

6 (Optional) Enter the Log Insight server, port, and protocol.

Parameter    Description

SERVERHOST    The IP address or host name of the Log Insight virtual appliance.

SERVERPROTO    The protocol that the Log Insight Windows Agent uses to send events to the Log Insight server. The possible values are cfapi and syslog. VMware recommends using the default cfapi setting.

SERVERPORT    The port number depends on the value of SERVERPROTO. The default value for SERVERPORT is 9000, which corresponds to the default SERVERPROTO=cfapi. Use SERVERPORT=514 for SERVERPROTO=syslog.

The command-line parameters correspond to hostname, proto, and port in the [server] section of the liagent.ini file.

7 Press Enter.

The command installs the Log Insight Windows Agent as a Windows service. The Log Insight Windows Agent service starts automatically when you start the Windows machine.

What to do next

Verify that the command-line parameters you set are applied correctly in the liagent.ini file. See “Configure the Log Insight Windows Agent After Installation,” on page 24.

Configure the Log Insight Windows Agent After Installation

You can configure the Log Insight Windows Agent after the installation. You must edit the liagent.ini file to configure Log Insight Windows Agent to send events to a Log Insight server of your choice, set communication protocol and port, add Windows event channels, and configure flat file log collection.

Default Configuration of the Log Insight Windows Agent

After installation, the liagent.ini file contains preconfigured default settings for the Log Insight Windows Agent.

liagent.ini Default Configuration

[server]

proto=cfapi

hostname=LOGINSIGHT

port=9000

; Force agent reconnection every 30 minutes.

reconnect=30

[storage]

max_disk_buffer=200

[winlog|Application]

channel=Application

[winlog|Security]

channel=Security

[winlog|System]

channel=System

Parameter    Value    Description

proto    cfapi    The protocol that the Log Insight Windows Agent uses to send events to the Log Insight server. The possible values are cfapi and syslog. VMware recommends using the default cfapi setting.

hostname    LOGINSIGHT    The IP address or host name of the Log Insight virtual appliance.

port    9000    The communication port that Log Insight Windows Agent uses to send events to the Log Insight server. The default values are 9000 for cfapi and 514 for syslog.

max_disk_buffer    200    The maximum disk space in MB that the Log Insight Windows Agent uses to buffer events and its own logs.

channel    Application, Security, System    The default Windows Event Log channels that the Log Insight Windows Agent collects. See “Collect Events from Windows Events Channels,” on page 26.

Set Target Log Insight Server

You can set or change the target Log Insight server that the Log Insight Windows Agent sends events to, if you have not set the values during the installation process.

Prerequisites

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

Procedure

1 Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent

2 Open the liagent.ini file in any text editor.

3 Modify the following parameters and set the values for your environment.

Parameter    Description

proto    The protocol that the Log Insight Windows Agent uses to send events to the Log Insight server. The possible values are cfapi and syslog. VMware recommends using the default cfapi setting.

hostname    The IP address or host name of the Log Insight virtual appliance.

port    The communication port that Log Insight Windows Agent uses to send events to the Log Insight server. The default values are 9000 for cfapi and 514 for syslog.

[server]

proto=server_protocol

hostname=loginsight_host

port=port_number

4 Save and close the liagent.ini file.

5 Restart the VMware Log Insight Agent service.

NOTE Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

Example: Configuration

[server]

proto=cfapi

hostname=LOGINSIGHT

port=9000

Collect Events from Windows Events Channels

You can add a Windows event channel to the Log Insight Windows Agent configuration. The Log Insight Windows Agent will collect the events and send them to the Log Insight server.

Prerequisites

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

Procedure

1 Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent

2 Open the liagent.ini file in any text editor.

3 Add the following parameters and set the values for your environment.

Parameter    Description

[winlog|section_name]    A unique name for the configuration section.

channel    The full name of the event channel as shown in the Event Viewer built-in Windows application. To copy the correct channel name, right-click a channel in Event Viewer, select Properties and copy the contents of Full Name field.

enabled    An optional parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.

tags    An optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

whitelist, blacklist    Optional parameters to explicitly include or exclude log events.

[winlog|section_name]

channel=event_channel_name

enabled=yes_or_no

tags={"tag_name1" : "Tag value 1", "tag_name2" : "tag value 2" }

4 Save and close the liagent.ini file.

5 Restart the VMware Log Insight Agent service.

NOTE Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

Example: Configurations

[winlog|Events_Firewall]

channel=Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

enabled=no

[winlog|custom]

channel=Custom

tags={"ChannelDescription": "Events testing channel"}

Set up Windows Event Channel Filtering

You can set up filters for Windows Event Channels to explicitly include or exclude log events.

You use the whitelist and blacklist parameters to evaluate a filter expression. The filter expression is a Boolean expression that consists of Windows event fields and operators.

- whitelist collects only log events for which the filter expression evaluates to non-zero. If you omit whitelist, the value is an implied 1.

- blacklist excludes log events for which the filter expression evaluates to non-zero. The default value is 0.

For a complete list of Windows event fields and operators, see “Event Fields and Operators,” on page 28.

Prerequisites

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

Procedure

1 Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent

2 Open the liagent.ini file in any text editor.

3 Add a whitelist or blacklist parameter in the [winlog|] section.

For example

[winlog|unique_section_name]

channel = event_channel_name

blacklist = filter_expression

4 Create a filter expression from Windows events fields and operators.

For example

whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO

5 Save and close the liagent.ini file.

6 Restart the VMware Log Insight Agent service.

NOTE Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.

Example: Filter Configurations

Collect only error events

[winlog|Security-Error]

channel = Security

whitelist = Level == WINLOG_LEVEL_CRITICAL or Level == WINLOG_LEVEL_ERROR

Collect only VMware Network events from Application channel

[winlog|VMwareNetwork]

channel = Application

whitelist = ProviderName == "VMnetAdapter" or ProviderName == "VMnetBridge" or ProviderName == "VMnetDHCP"

Collect all events from Security channel except particular events

[winlog|Security-Verbose]

channel = Security

blacklist = EventID == 4688 or EventID == 5447

Event Fields and Operators

Use the Windows event fields and operators to build filter expressions.

Filter Expression Operators

Operator    Description

==, !=    Equal and not equal. Use with both numeric and string fields.

>=, >, <, <=    Greater or equal, greater than, less than, less than or equal. Use with numeric fields only.

&, |, ^, ~    Bitwise AND, OR, XOR and complement operators. Use with numeric fields only.

and, or    Logical AND and OR. Use to build complex expressions by combining simple expressions.

not    Unary logical NOT operator. Use to reverse the value of an expression.

()    Use parentheses in a logical expression to change the order of evaluation.

Windows Event Fields

You can use the following Windows event fields in a filter expression.

Field name Field type

Hostname string

Text string

ProviderName string

EventSourceName string

EventID numeric

EventRecordID numeric

Channel string

UserID string

Level    numeric
You can use the following predefined constants:
- WINLOG_LEVEL_SUCCESS = 0
- WINLOG_LEVEL_CRITICAL = 1
- WINLOG_LEVEL_ERROR = 2
- WINLOG_LEVEL_WARNING = 3
- WINLOG_LEVEL_INFO = 4
- WINLOG_LEVEL_VERBOSE = 5

Task numeric

OpCode numeric

Keywords    numeric
You can use the following predefined bit masks:
- WINLOG_KEYWORD_RESPONSETIME = 0x0001000000000000;
- WINLOG_KEYWORD_WDICONTEXT = 0x0002000000000000;
- WINLOG_KEYWORD_WDIDIAGNOSTIC = 0x0004000000000000;
- WINLOG_KEYWORD_SQM = 0x0008000000000000;
- WINLOG_KEYWORD_AUDITFAILURE = 0x0010000000000000;
- WINLOG_KEYWORD_AUDITSUCCESS = 0x0020000000000000;
- WINLOG_KEYWORD_CORRELATIONHINT = 0x0040000000000000;
- WINLOG_KEYWORD_CLASSIC = 0x0080000000000000;

Examples

Collect all critical, error and warning events

[winlog|app]

channel = Application

whitelist = level > WINLOG_LEVEL_SUCCESS and level < WINLOG_LEVEL_INFO

Collect only Audit Failure events from Security channel

[winlog|security]

channel = Security

whitelist = Keywords & WINLOG_KEYWORD_AUDITFAILURE
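The following Python model of the whitelist and blacklist semantics is an added example, not code from the guide or from the agent, and it runs the guide's own filter expressions over constructed events. It assumes that field names are case-insensitive (the guide writes both level and Level), that operator precedence follows Python's, and that an event is collected when whitelist is non-zero and blacklist is zero; the sample Security records are modeled with Level 0 and the audit keyword bits.

```python
import ast
import operator

# Predefined constants copied from the guide's Windows Event Fields table.
CONSTANTS = {
    "WINLOG_LEVEL_SUCCESS": 0, "WINLOG_LEVEL_CRITICAL": 1,
    "WINLOG_LEVEL_ERROR": 2, "WINLOG_LEVEL_WARNING": 3,
    "WINLOG_LEVEL_INFO": 4, "WINLOG_LEVEL_VERBOSE": 5,
    "WINLOG_KEYWORD_AUDITFAILURE": 0x0010000000000000,
    "WINLOG_KEYWORD_AUDITSUCCESS": 0x0020000000000000,
}
BITWISE = {ast.BitAnd: operator.and_, ast.BitOr: operator.or_,
           ast.BitXor: operator.xor}
COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne,
           ast.Lt: operator.lt, ast.LtE: operator.le,
           ast.Gt: operator.gt, ast.GtE: operator.ge}


def evaluate(expression, event):
    """Evaluate one filter expression against an event (field name -> value).

    Only the operators listed in the guide are accepted; any other syntax
    (calls, attribute access, subscripts) raises ValueError.
    """
    fields = {name.lower(): value for name, value in event.items()}

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, str)):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in CONSTANTS:
                return CONSTANTS[node.id]
            if node.id.lower() in fields:  # assumption: case-insensitive names
                return fields[node.id.lower()]
            raise ValueError("unknown field or constant: " + node.id)
        if isinstance(node, ast.BoolOp):
            values = [bool(walk(value)) for value in node.values]
            return int(all(values) if isinstance(node.op, ast.And) else any(values))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return int(not walk(node.operand))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Invert):
            return ~walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in BITWISE:
            return BITWISE[type(node.op)](walk(node.left), walk(node.right))
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in COMPARE):
            compare = COMPARE[type(node.ops[0])]
            return int(compare(walk(node.left), walk(node.comparators[0])))
        raise ValueError("unsupported syntax in filter expression")

    return walk(ast.parse(expression.strip(), mode="eval"))


def is_collected(event, whitelist="1", blacklist="0"):
    """An omitted whitelist is an implied 1 and an omitted blacklist is 0."""
    return evaluate(whitelist, event) != 0 and evaluate(blacklist, event) == 0


# Constructed sample events (not taken from a real system).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4625, "Level": 0,      # failed logon
     "Keywords": 0x8010000000000000},
    {"Channel": "Security", "EventID": 4624, "Level": 0,      # successful logon
     "Keywords": 0x8020000000000000},
    {"Channel": "Security", "EventID": 4688, "Level": 0,      # process creation
     "Keywords": 0x8020000000000000},
    {"Channel": "Application", "EventID": 1000, "Level": 2,   # application error
     "Keywords": 0x0080000000000000},
]


def collected_ids(events, **filters):
    """Return the EventIDs that survive the given whitelist/blacklist."""
    return [event["EventID"] for event in events if is_collected(event, **filters)]


if __name__ == "__main__":
    level_filter = "Level == WINLOG_LEVEL_CRITICAL or Level == WINLOG_LEVEL_ERROR"
    print(collected_ids(SAMPLE_EVENTS, whitelist=level_filter))
    print(collected_ids(SAMPLE_EVENTS,
                        whitelist="Keywords & WINLOG_KEYWORD_AUDITFAILURE"))
    print(collected_ids(SAMPLE_EVENTS,
                        blacklist="EventID == 4688 or EventID == 5447"))
```

With these constructed events, the level-based whitelist keeps none of the Security audit records, while the Keywords filter keeps the failed logon. Running a candidate filter over representative events this way shows what it would drop before it is deployed to agents.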

Collect Events from a Log File

You can configure the Log Insight Windows Agent to collect events from one or more log files.

Prerequisites

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

Procedure

1 Navigate to the program data folder of the Log Insight Windows Agent.

%ProgramData%\VMware\Log Insight Agent

2 Open the liagent.ini file in any text editor.

3 Add configuration parameters and set the values for your environment.

Parameter    Description

[filelog|section_name]    A unique name for the configuration section.

directory    The full path to the log file directory.

include    (Optional) A file name or a file mask (glob pattern) from which to collect data. You can provide values as a semicolon-separated list. The default value is *, which means that all files are included.

exclude    (Optional) A file name or file mask (glob pattern) to exclude from collection. You can provide values as a semicolon-separated list. The default value is empty, which means that no file is excluded.

event_marker    (Optional) A regular expression that denotes the start of an event in the log file. If omitted, defaults to newline.

enabled    (Optional) A parameter to enable or disable the configuration section. The possible values are yes or no. The default value is yes.

charset    (Optional) The character encoding of the log files that the Log Insight Windows Agent monitors. The possible values are UTF-8, UTF-16LE, and UTF-16BE. The default value is UTF-8.

tags    An optional parameter to add custom tags to the fields of collected events. Define tags using JSON notation. Tag names can contain letters, numbers, and underscores. A tag name can only begin with a letter or an underscore and cannot exceed 64 characters. Tag names are not case sensitive. For example, if you use tags={"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }, Tag_Name1 will be ignored as a duplicate. You cannot use event_type and timestamp as tag names. Any duplicates within the same declaration are ignored.

[filelog|section_name]

directory=path_to_log_directory

include=file_name_or_glob_pattern

event_marker=regular_expression

tags={"tag_name1":"Tag value 1", "tag_name2" : "tag value 2" }

4 Restart the VMware Log Insight Agent service.

NOTE Any change you make to the liagent.ini file requires a restart of the VMware Log Insight Agent service for the configuration change to take effect.
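The tag naming rules given for the tags parameter, in both the [winlog|...] and [filelog|...] sections, can be checked before a configuration is rolled out. This checker is an added example, not part of the guide or the agent; the function name and reason strings are hypothetical, and because the guide does not say how the agent treats an invalid or reserved name, the checker only reports them.

```python
import json
import re

# Rules as stated in the guide: letters, numbers and underscores; first
# character a letter or underscore; at most 64 characters; names are not
# case sensitive; event_type and timestamp cannot be used.
TAG_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
RESERVED = {"event_type", "timestamp"}
MAX_LENGTH = 64


def check_tags(tags_value):
    """Check the JSON text of a tags= parameter.

    Returns (accepted, rejected): accepted maps tag name to value, rejected
    is a list of (name, reason) pairs in declaration order.
    """
    # object_pairs_hook=list keeps duplicate keys that a plain dict would drop.
    pairs = json.loads(tags_value, object_pairs_hook=list)
    accepted, rejected, seen = {}, [], set()
    for name, value in pairs:
        folded = name.lower()
        if not TAG_NAME.fullmatch(name):
            rejected.append((name, "invalid name"))
        elif len(name) > MAX_LENGTH:
            rejected.append((name, "longer than 64 characters"))
        elif folded in RESERVED:
            rejected.append((name, "reserved name"))
        elif folded in seen:
            # The guide's example: the later Tag_Name1 is ignored.
            rejected.append((name, "duplicate"))
        else:
            seen.add(folded)
            accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    # The declaration used as the example in the parameter description.
    print(check_tags('{"tag_name1" : "tag value 1", "Tag_Name1" : "tag value 2" }'))
    # Constructed declaration that hits the other rules.
    print(check_tags('{"timestamp": "x", "9lives": "y", "site": "dc-01"}'))
```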

Example: Configurations

[filelog|vCenterMain]

directory=C:\ProgramData\VMware\VMware VirtualCenter\Logs

include=vpxd-*.log

exclude=vpxd-alert-*.log;vpxd-profiler-*.log

event_marker=^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}

[filelog|ApacheAccessLogs]

enabled=yes

directory=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs

include=*.log

exclude=*_old.log

tags={"Provider" : "Apache"}

[filelog|MSSQL]

directory=C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Log

charset=UTF-16LE

event_marker=^[^\s]
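The sketch below shows how the include, exclude and event_marker values of the vCenterMain section above select files and group lines into events. It is an added example, not the agent's code; the file names and log lines are constructed, and it assumes that file masks match case-insensitively, that the agent's regular expression dialect agrees with Python's re for this pattern, and that lines before the first marker form their own event.

```python
import fnmatch
import re

# Values taken from the [filelog|vCenterMain] example section.
INCLUDE = "vpxd-*.log"
EXCLUDE = "vpxd-alert-*.log;vpxd-profiler-*.log"
EVENT_MARKER = r"^\d{4}-\d{2}-\d{2}[A-Z]\d{2}:\d{2}:\d{2}\.\d{3}"


def is_selected(filename, include="*", exclude=""):
    """Apply semicolon-separated include and exclude file masks to a name."""
    def matches(masks):
        return any(fnmatch.fnmatchcase(filename.lower(), mask.strip().lower())
                   for mask in masks.split(";") if mask.strip())
    return matches(include) and not matches(exclude)


def split_events(text, event_marker=None):
    """Group log lines into events.

    Without event_marker every line is one event (the documented default).
    With it, a line that matches starts a new event and the following
    non-matching lines are appended to that event.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if event_marker is None:
        return lines
    marker = re.compile(event_marker)
    events = []
    for line in lines:
        if marker.search(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# Constructed directory listing and log excerpt.
SAMPLE_FILES = ["vpxd-12.log", "vpxd-alert-3.log", "vpxd-profiler-7.log", "vws.log"]
SAMPLE_LOG = """
2014-06-10T09:15:02.113+02:00 [04120 info 'Default'] Login attempt for user alice
2014-06-10T09:15:02.871+02:00 [04120 error 'Default'] Unhandled exception
   backtrace[00] rip 000000018013a7a4
   backtrace[01] rip 0000000180101c38
2014-06-10T09:15:03.004+02:00 [03344 info 'Default'] Session closed
"""


def selected_files(files, include, exclude):
    """Return the names that the include/exclude masks leave in collection."""
    return [name for name in files if is_selected(name, include, exclude)]


if __name__ == "__main__":
    print(selected_files(SAMPLE_FILES, INCLUDE, EXCLUDE))
    for event in split_events(SAMPLE_LOG, EVENT_MARKER):
        print(repr(event))
```

Without the marker, the two backtrace lines would arrive as separate events with no timestamp of their own.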

Centralized Configuration of Log Insight Windows Agents

You can configure multiple Log Insight Windows Agents from the Web user interface of Log Insight.

Each Log Insight Windows Agent has a local configuration and a server-side configuration. The local configuration is stored in a liagent.ini file on the machine where the Log Insight Windows Agent is installed. The server-side configuration is accessible and editable from Administration > Agents page of the Web user interface. The configuration of each Log Insight Windows Agent is composed of sections and keys. Keys have configurable values.

The Log Insight Windows Agents periodically poll the Log Insight server and receive the server-side configuration. The server-side configuration and the local configuration are merged and the result is the effective configuration. Each Log Insight Windows Agent uses the effective configuration as its operating configuration. Configurations merge section by section and key by key. The values in the server-side configuration override the values in the local configuration. The merging rules are the following:

- If a section is present only in the local configuration or only in the server-side configuration, this section and all its content become a part of the effective configuration.

- If a section is present in both the local and server-side configuration, the keys in the section are merged according to the following rules:

    - If a key is present only in the local configuration or only in the server-side configuration, the key and its value become a part of this section in the effective configuration.

    - If a key is present in both the local configuration and the server-side configuration, the key becomes a part of this section in the effective configuration, and the value in the server-side configuration is used.

An Admin Log Insight user can apply centralized configuration to all Log Insight Windows Agents by using the Web user interface of Log Insight. Navigate to the Administration page, and in the Management section, click Agents. Enter configuration settings in the Agent Configuration box and click Save Configuration for All Agents. The configuration is applied to all the connected agents during the next poll cycle.

NOTE You can apply centralized configuration only to Log Insight Windows Agents that use the cfapi protocol.

See “Configure the Log Insight Windows Agent After Installation,” on page 24.

An Example of Configuration Merging

An example of merging local and server-side configuration of the Log Insight Windows Agent.

Local Configuration

You can have the following local configuration of the Log Insight Windows Agent.

[server]

proto=cfapi

hostname=HOST

port=9000

[winlog|Application]

channel=Application

[winlog|Security]

channel=Security

[winlog|System]

channel=System

[filelog|ApacheAccessLogs]

enabled=yes

directory=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs

include=*.log

exclude=*_old.log

event_marker=^(\d{1,3}\.){3}\d{1,3} - -

Server-Side Configuration

You can use the Administration > Agents page of the Web user interface to apply centralized configuration to all agents. For example, you can exclude and add collection channels, and change the default reconnect setting.

[server]

reconnect=20

[winlog|Security]

channel=Security

enabled=no

[winlog|Microsoft-Windows-DeviceSetupManagerOperational]

channel=Microsoft-Windows-DeviceSetupManager/Operational

Effective Configuration

The effective configuration is a result of the merging of the local and the server-side configurations. The Log Insight Windows Agent is configured to

- reconnect to the Log Insight server every 20 minutes

- continue to collect Application and System event channels

- stop collecting Security event channel

- start to collect Microsoft-Windows-DeviceSetupManager/Operational event channel

- continue to collect ApacheAccessLogs

[server]

proto=cfapi

hostname=HOST

port=9000

reconnect=20

[winlog|Application]

channel=Application

[winlog|Security]

channel=Security

enabled=no

[winlog|System]

channel=System

[winlog|Microsoft-Windows-DeviceSetupManagerOperational]

channel=Microsoft-Windows-DeviceSetupManager/Operational

[filelog|ApacheAccessLogs]

enabled=yes

directory=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs

include=*.log

exclude=*_old.log

event_marker=^(\d{1,3}\.){3}\d{1,3} - -
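The merging rules can be reproduced offline to preview what a server-side change does to an agent before it is saved for all agents. The following Python sketch is an added example, not the agent's implementation; it uses the local and server-side configurations from this example, and the function names are hypothetical. It also reports collection sections that were enabled locally but are disabled in the effective configuration, which here is the Security channel.

```python
import configparser

# Local and server-side configurations copied from the example above.
LOCAL = r"""
[server]
proto=cfapi
hostname=HOST
port=9000
[winlog|Application]
channel=Application
[winlog|Security]
channel=Security
[winlog|System]
channel=System
[filelog|ApacheAccessLogs]
enabled=yes
directory=C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs
include=*.log
exclude=*_old.log
event_marker=^(\d{1,3}\.){3}\d{1,3} - -
"""

SERVER = r"""
[server]
reconnect=20
[winlog|Security]
channel=Security
enabled=no
[winlog|Microsoft-Windows-DeviceSetupManagerOperational]
channel=Microsoft-Windows-DeviceSetupManager/Operational
"""


def parse_ini(text):
    """Parse liagent.ini style text into {section: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key spelling as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def merge(local, server):
    """Merge section by section and key by key; server-side values win."""
    effective = {name: dict(keys) for name, keys in local.items()}
    for name, keys in server.items():
        effective.setdefault(name, {}).update(keys)
    return effective


def enabled_collectors(config):
    """Names of winlog/filelog sections that are not disabled (default yes)."""
    return sorted(name for name, keys in config.items()
                  if name.startswith(("winlog|", "filelog|"))
                  and keys.get("enabled", "yes").lower() != "no")


def collectors_lost(local, server):
    """Sections collected under the local configuration but not after merging."""
    after = set(enabled_collectors(merge(local, server)))
    return [name for name in enabled_collectors(local) if name not in after]


if __name__ == "__main__":
    local, server = parse_ini(LOCAL), parse_ini(SERVER)
    for section, keys in merge(local, server).items():
        print("[%s]" % section)
        for key, value in keys.items():
            print("%s=%s" % (key, value))
    print("no longer collected:", collectors_lost(local, server))
```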

Forward Events to the Log Insight Windows Agent

You can forward events from Windows machines to a machine where the Log Insight Windows Agent is running.

You can use Windows Event Forwarding to forward events from multiple Windows machines to a machine on which the Log Insight Windows Agent is installed. You can then configure the Log Insight Windows Agent to collect all forwarded events and send them to a Log Insight server.

Get familiar with Windows Event Forwarding. See http://technet.microsoft.com/en-us/library/cc748890.aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/bb870973(v=vs.85).aspx.

Prerequisites

See “Collect Events from Windows Events Channels,” on page 26.

Procedure

1 Add a new section to the Log Insight Windows Agent configuration to collect events from the Windows event channel that receives forwarded events.

The default channel name is ForwardedEvents.

2 Set up Windows Event Forwarding.

3 Restart the Log Insight Windows Agent service.

What to do next

Go to the Log Insight Web user interface and verify that forwarded events are arriving.

Deploying the Log Insight Windows Agent to Multiple MachinesYou can deploy the Log Insight Windows Agent to multiple target machines in a Windows domain.

Prepare to Deploy the Log Insight Windows Agent .msi fileTo specify installation parameters to be used during deployment, create an .mst transform file. You canconfigure the Log Insight Windows Agent to send events to a Log Insight server of your choice, and to setthe communication protocol, port, and user account for installing and starting the Log Insight Agent service.

Prerequisites

- Verify that you have a copy of the Log Insight Windows Agent .msi file. To download the Log Insight Windows Agent .msi file, navigate to the Administration page of the Log Insight Web user interface, in the Management section click Agents, and click the Download Log Insight Windows agent link.

- Download and install Orca database editor. See http://support.microsoft.com/kb/255905.

Procedure

1 Open the Log Insight Windows Agent .msi file in Orca editor and click Transform > New Transform.


2 Edit the Property table and add necessary parameters and values for customized installation or upgrade.

Parameter | Description

SERVERHOST | The IP address or host name of the Log Insight virtual appliance.

SERVERPROTO | The protocol that the Log Insight Windows Agent uses to send events to the Log Insight server. The possible values are cfapi and syslog. VMware recommends using the default cfapi setting.

SERVERPORT | The communication port that Log Insight Windows Agent uses to send events to the Log Insight server. The default values are 9000 for cfapi and 514 for syslog.

SERVICEACCOUNT | The user service account under which the Log Insight Windows Agent service will run. NOTE The account supplied in the SERVICEACCOUNT parameter must have the Log On As a Service privilege and write access to %ProgramData%\VMware\Log Insight Agent directory so that the installer runs correctly. If you do not specify a SERVICEACCOUNT parameter, the Log Insight Windows Agent service is installed under the LocalSystem service account.

SERVICEPASSWORD | The password of the user service account.

3 Click Transform > Generate Transform and save the .mst file.

What to do next

Use the .msi and .mst files to deploy the Log Insight Windows Agent.

Perform a Mass Deployment of the Log Insight Windows Agent

You can perform a mass deployment of the Log Insight Windows Agent on target computers in a Windows domain.

Get familiar with the procedures described in http://support.microsoft.com/kb/887405 and http://support.microsoft.com/kb/816102.

Prerequisites

- Verify that you have an administrator account or an account with administrative privileges on the domain controller.

- Verify that you have a copy of the Log Insight Windows Agent .msi file. To download the Log Insight Windows Agent .msi file, navigate to the Administration page of the Log Insight Web user interface, in the Management section click Agents, and click the Download Log Insight Windows agent link.

Procedure

1 Log in to the domain controller (DC) as an administrator or a user with administrative privileges.

2 Create a distribution point and copy the Log Insight Windows Agent .msi file to the distribution point.

3 Open the Group Policy Management Console (GPMC) and create a Group Policy Object (GPO) for the deployment of the Log Insight Windows Agent .msi file.

4 Edit the GPO for software deployment and assign a package.

5 (Optional) If you have generated an .mst file before deployment, edit a GPO to deploy the .msi package using Advanced method. Select the .mst configuration file on the Modifications tab of the GPO Properties window.


6 (Optional) To upgrade the Log Insight Windows Agent, copy the upgrade .msi file to the distribution point and go to the Upgrade tab of the GPO Properties window. Add the initially installed version of the .msi file in the Packages that this package will upgrade section.

7 Deploy the Log Insight Windows Agent to specific security groups that include the domain users.

8 Close all GPMC and GPM Editor windows on the DC and restart client machines twice.

9 Verify that Log Insight Windows Agent is installed on the client machines as a local service.

If you configured SERVICEACCOUNT and SERVICEPASSWORD parameters for mass deployment using an .mst file, you must verify that Log Insight Windows Agent is installed on the client machines under the user account you specified.

What to do next

If the mass deployment of the Log Insight Windows Agent is not successful, see “Mass Deployment of the Log Insight Windows Agent is Not Successful,” on page 38.

Monitor the Status of the Log Insight Windows Agent

You can monitor the status of the Log Insight Windows agents and view current statistics about their operation.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Agents.

What to do next

You can use the information from the Agents page to monitor the operation of the installed Log Insight Windows Agents.

Uninstall the Log Insight Windows Agent

You can uninstall the Log Insight Windows Agent.

Prerequisites

Log in to the Windows machine on which you installed the Log Insight Windows Agent and start the Services manager to verify that the VMware vCenter Log Insight Agent service is installed.

Procedure

1 Go to Control Panel > Programs and Features.

2 Select the VMware vCenter Log Insight Windows Agent and click Uninstall.

The uninstaller stops the VMware vCenter Log Insight Windows Agent service and removes its files from the system.


Troubleshooting the Log Insight Windows Agent

Known troubleshooting information can help you diagnose and correct problems related to the operation of the Log Insight Windows Agent.

Administration UI Does Not Show Log Insight Windows Agents

Information about the Log Insight Windows Agent instance does not appear on the Agents page of the Administration UI.

Problem

After you install the Log Insight Windows Agent you do not see the Log Insight Windows Agent in the Agents page of the Administration UI.

Cause

The most common causes are network connectivity problems or incorrect configuration of the Log Insight Windows Agent in the liagent.ini file.

Solution

- Verify that the Windows system that the Log Insight Windows Agent is installed on has connectivity to the Log Insight server.

- Verify that the Log Insight Windows Agent uses the cfapi protocol. When using the syslog protocol the UI does not show Log Insight Windows Agents.

- View the contents of the Log Insight Windows Agent log files located at %ProgramData%\VMware\Log Insight Agent\log. Look for log messages that contain the phrases Config transport error: Couldn't resolve host name and Resolver failed. No such host is known.

- Verify that the liagent.ini contains the correct configuration for the target Log Insight server. See the Set Target Log Insight Server topic in the Administration Guide.

Allow Outbound Connections from the Log Insight Windows Agent in a Windows Firewall

Configure Windows firewall settings to allow outbound connections of the Log Insight Windows Agent to the Log Insight server.

After you install and start the Log Insight Windows Agent service, the Windows domain or local firewall may restrict the connectivity to the target Log Insight server.

The procedure applies to Windows Server 2008 R2 and later, and to Windows 7 and later.

Prerequisites

- Verify that you have an administrator account or an account with administrative privileges.

Procedure

1 Select Start > Run.

2 Type wf.msc and click OK.

3 In the Actions pane click Properties.

4 On the Domain Profile tab, select Allow (default) from the Outbound connections drop-down menu.

If the computer is not connected to a domain, you can select Private Profile or Public Profile, depending on the network type the computer is connected to.


5 Click OK.

What to do next

Define an unblocking exception rule for the Log Insight Windows Agent in the Windows firewall. See “Add an Outbound Exception Rule for the Log Insight Windows Agent,” on page 37.

Add an Outbound Exception Rule for the Log Insight Windows Agent

Define an exception rule for unblocking the Log Insight Windows Agent in the Windows firewall.

The procedure applies to Windows Server 2008 R2 and later, and to Windows 7 and later.

Prerequisites

- Verify that you have an administrator account or an account with administrative privileges.

Procedure

1 Select Start > Run.

2 Type wf.msc and click OK.

3 Right-click Outbound rules in the left pane and click New Rule.

4 Select Custom and follow the wizard to set the following options.

Option | Description

Program | liwinsvc.exe

Service | LogInsightAgentService

Protocol and Ports | TCP 9000 for cfapi and 514 for syslog

5 On the Specify the profiles for which this rule applies page, select the appropriate network type.

- Domain

- Public

- Private

NOTE You can select all network types to make sure that the exception rule is active regardless of the network type.

What to do next

Go to the Log Insight Windows Agent log directory %ProgramData%\VMware\Log Insight Agent\log and open the latest log file. If recent events contain the messages Config transport error: Couldn't resolve host name and Resolver failed. No such host is known, restart the Log Insight Windows Agent service and the Windows machine.

NOTE The Log Insight Windows Agent service can take up to 5 minutes to reconnect to the server.

Log Insight Windows Agent Does Not Forward Events

Incorrect configuration can prevent the Log Insight Windows Agent from forwarding events to the Log Insight server.

Problem

The Log Insight Windows Agent instance appears on the Administration > Agent page but no events appear in Interactive Analytics page from the Log Insight Windows Agent host name.


Cause

Incorrect configuration can prevent the Log Insight Windows Agent from forwarding events to the Log Insight server.

Solution

- View the contents of the Log Insight Windows Agent log files located at %ProgramData%\VMware\Log Insight Agent\log. Look for log messages related to channel configuration that contain the phrases Subscribed to channel CHANNEL_NAME. The default channel names are Application, System, and Security.

- If a channel is not configured correctly, you might see log messages similar to Could not subscribe to channel CHANNEL_NAME events. Error Code: 15007. The specified channel could not be found.

Check channel configuration. You might see an error code number other than 15007.

- If no flat file collection channel is configured, you might see messages similar to Cannot find section 'filelog' in the configuration. The flat file log collector will stay dormant until properly configured.

- If a flat file collection channel is not configured correctly, you might see messages like Invalid settings were obtained for channel 'CHANNEL_NAME'. Channel 'CHANNEL_NAME' will stay dormant until properly configured.
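The log phrases quoted in the two troubleshooting topics above can be checked for mechanically. The following Python script is an added example, not part of the VMware guide or the agent: only the quoted phrases come from the guide, while the timestamp and level prefix of the sample lines, the category names, and the function names are assumptions.

```python
import re
from collections import Counter

# Phrases quoted in the guide, each with the check the guide pairs it with.
# Category names are labels chosen for this example.
RULES = [
    ("name_resolution",
     re.compile(r"Config transport error: Couldn't resolve host name"
                r"|Resolver failed\. No such host is known"),
     "verify connectivity and the target server in liagent.ini"),
    ("channel_subscribed",
     re.compile(r"Subscribed to channel (?P<channel>.+?)\.?\s*$"),
     "channel is being collected"),
    ("channel_failed",
     re.compile(r"Could not subscribe to channel (?P<channel>.+?) events\. "
                r"Error Code: (?P<code>\d+)"),
     "check the channel configuration"),
    ("filelog_missing",
     re.compile(r"Cannot find section 'filelog' in the configuration"),
     "no flat file collection channel is configured"),
    ("filelog_invalid",
     re.compile(r"Invalid settings were obtained for channel '(?P<channel>[^']+)'"),
     "fix the flat file collection channel settings"),
]

# Constructed sample. The timestamp/level prefix is an assumption, not the
# agent's documented log layout; matching relies only on the quoted phrases.
SAMPLE_LOG = """\
2014-06-10 09:00:01 [info] Subscribed to channel Application.
2014-06-10 09:00:01 [info] Subscribed to channel System.
2014-06-10 09:00:01 [error] Could not subscribe to channel ForwardedEvents events. Error Code: 15007. The specified channel could not be found.
2014-06-10 09:00:02 [warning] Cannot find section 'filelog' in the configuration. The flat file log collector will stay dormant until properly configured.
2014-06-10 09:00:05 [error] Config transport error: Couldn't resolve host name
2014-06-10 09:00:05 [error] Resolver failed. No such host is known
2014-06-10 09:05:07 [error] Invalid settings were obtained for channel 'iis'. Channel 'iis' will stay dormant until properly configured.
"""


def triage(lines):
    """Classify agent log lines; return (findings, latest state per channel)."""
    findings = []
    channel_state = {}
    for number, line in enumerate(lines, start=1):
        for category, pattern, advice in RULES:
            match = pattern.search(line)
            if not match:
                continue
            detail = match.groupdict()
            findings.append((number, category, detail, advice))
            channel = detail.get("channel")
            if channel:
                # A later line overrides an earlier one, so a channel that
                # failed before a restart and subscribed after it is healthy.
                if category == "channel_subscribed":
                    channel_state[channel] = "subscribed"
                elif detail.get("code"):
                    channel_state[channel] = f"failed ({detail['code']})"
                else:
                    channel_state[channel] = "invalid settings"
            break
    return findings, channel_state


def unhealthy_channels(channel_state):
    """Channels whose most recent log line is not a successful subscription."""
    return sorted(n for n, s in channel_state.items() if s != "subscribed")


def summarize(findings):
    """Count findings per category."""
    return Counter(category for _, category, _, _ in findings)


if __name__ == "__main__":
    found, state = triage(SAMPLE_LOG.splitlines())
    for number, category, detail, advice in found:
        print(f"line {number}: {category} {detail} -> {advice}")
    print("channels needing attention:", unhealthy_channels(state))
```

To run it against a real agent log, pass the lines of the latest file in the agent log directory to triage() instead of the sample.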

What to do next

For more information about configuring the Log Insight Windows Agent see “Configure the Log Insight Windows Agent After Installation,” on page 24.

Mass Deployment of the Log Insight Windows Agent is Not Successful

The mass deployment of the Log Insight Windows Agent is not successful on target machines.

Problem

After performing a mass deployment on Windows domain machines by using Group Policy Objects, the Log Insight Windows Agent fails to install as a local service.

Cause

Group policy settings might prevent the Log Insight Windows Agent from being installed correctly.

Solution

- Edit the following Group Policy Object (GPO) settings and redeploy the Log Insight Windows Agent.

a Right-click the GPO, click Edit and navigate to Computer Configuration > Administrative Templates > System > Logon. Enable the Always wait for the network at computer startup and logon policy.

b Navigate to Computer Configuration > Policies > Administrative Templates > System > Group Policy. Enable the Startup policy processing wait time, and set Amount of time to wait (in seconds) to 120.

- Run the gpupdate /force /boot command on target machines.

Configure Log Insight System Alerts

An administrator can configure Log Insight to send notifications related to its own health.

Log Insight generates these notifications when an important system event occurs, for example when the disk space is almost exhausted and Log Insight must start deleting or archiving old log files.


Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click General.

3 Under the Alerts header, set the system notifications.

a In the Email System Notifications To text box, type the email addresses to be notified.

Use commas to separate multiple email addresses.

b Select the Send a notification when capacity drops below check box and set the threshold that triggers the notifications.

c (Optional) Verify that the Suspend User Alerts check box is not selected.

You can select this check box to stop all user defined email alerts.

NOTE System notifications can be disabled by removing the email addresses specified in the Email System Notification To text box (not recommended).

4 Click Save.

5 Click Restart Log Insight to apply your changes.

Email Notifications that Log Insight Sends

Log Insight sends two types of email notifications, system notifications and user defined notifications.

Administrators can configure Log Insight to send email notifications when certain events occur in the system. The from address of system notification emails is configured by the administrator user on the SMTP configuration page of the Administration UI, in the Sender text box. See “Configure the SMTP Server for Log Insight,” on page 44.

Administrator users can also configure Log Insight to send notification emails when the storage capacity drops below a defined threshold.

Every Log Insight user can create alert queries to receive email notifications from Log Insight when certain criteria are met.

Administrator users can disable all user defined notifications.


Type | Alert Name | Description

System | Oldest Data Will Be Unsearchable Soon | This alert notifies you when Log Insight is expected to start decommissioning old data from the virtual appliance storage and what is the expected size of searchable data at the current ingest rate. Data that has been rotated out will be archived if you have configured archiving, or deleted if you have not. The alert is sent after each restart of the Log Insight service.

System | Repository Retention Time | This alert notifies you about the amount of searchable data that Log Insight can store at the current ingest rates and in the storage space that is available on the virtual appliance. Admin users can define the storage notification threshold. See “Configure Log Insight System Alerts,” on page 38.

System | Dropped Events | This alert notifies you that Log Insight failed to ingest all incoming log messages. In case of any TCP message drops, as tracked by the Log Insight server, a system alert is sent in both of the following cases: once a day, and each time the Log Insight service is restarted, manually or automatically. The email contains the number of messages dropped since the last alert email was sent and the total message drops since the last restart of Log Insight. NOTE The time in the sent line is controlled by the email client, and is in the local time zone, while the email body displays UTC time.

System | Corrupt Index Buckets | This alert notifies you that part of the on-disk index is corrupt. A corrupt index usually indicates serious issues of the underlying storage system. The corrupt part of the index will be excluded from serving queries. A corrupt index affects the ingestion of new data. Log Insight checks the integrity of the index upon service start-up. In case of detected corruption Log Insight sends a system alert as follows: once a day, and each time the Log Insight service is restarted, manually or automatically.

System | Out Of Disk | This alert notifies you that Log Insight is running out of allocated disk space. This alert signals that Log Insight has most probably run into a storage related issue.

System | Archive Space Will Be Full | This alert notifies you that the disk space on the NFS server used for archiving Log Insight data will be used up soon.

System | Archive Failure | This alert notifies you that an operation of archiving Log Insight data to the NFS server has failed. This usually means that Log Insight is having trouble connecting to or writing to the NFS server.

System | Total Disk Space Change | This alert notifies you that the total size of the partition for Log Insight data storage has decreased. This usually signals a serious issue in the underlying storage system. When Log Insight detects the condition it sends this alert as follows: immediately, and once a day.

System | Pending Archivings | This alert notifies you that Log Insight cannot archive data as expected. The alert usually indicates problems with the NFS storage that you configured for data archiving.

System | License is about to be expired | This alert notifies you that the Log Insight license is about to expire.

System | License is expired | This alert notifies you that the Log Insight license has expired.

User Defined | Alert Queries | This alert notifies you that a query returned results that match the criteria that you have set for the alert. Every user can define alert queries that send email notifications when certain criteria are met. See topic Add an Alert Query in Log Insight to Send Email Notifications in the Log Insight User's Guide.


Scale Out System Alerts

Log Insight sends specific system alerts to notify you of scale-out events such as node joining and membership status changes.

Sent by | Alert Name | Description

Master node | Approval needed for new worker node | This alert notifies you of a membership request from a worker node. An Admin user needs to approve or deny the request.

Master node | New worker node approved | This alert notifies you that an Admin user approved a membership request from a worker node to join a Log Insight cluster.

Master node | New worker node denied | This alert notifies you that an Admin user denied a membership request from a worker node to join a Log Insight cluster. If the request was denied by mistake, an Admin user can place the request again from the worker and then approve it at the master node.

Master node | Maximum supported nodes exceeded due to worker node | This alert notifies you that the number of worker nodes in the Log Insight cluster has exceeded the maximum supported count due to a new worker node.

Master node | Allowed nodes exceeded, new worker node denied | This alert notifies you that an Admin user attempted to add more nodes to the cluster than the maximum allowed node count and the node has been denied.

Master node | Worker node disconnected | This alert notifies you that a previously connected worker node disconnected from the Log Insight cluster.

Master node | Worker node reconnected | This alert notifies you that a worker node reconnected to the Log Insight cluster.

Master node | Worker node revoked by admin | This alert notifies you that an Admin user revoked a worker node membership and the node is no longer a part of the Log Insight cluster.

Master node | Unknown worker node rejected | This alert notifies you that the Log Insight master node rejected a request by a worker node because the worker node is unknown to the master. If the worker is a valid node and it should be added to the cluster, log in to the worker node, remove its token file and user configuration at /storage/core/loginsight/config/, and run restart loginsight service on the worker node.

Master node | Worker node has entered into maintenance mode | This alert notifies you that a worker node entered into maintenance mode and an Admin user has to remove the worker node from maintenance mode before it can receive configuration changes and serve queries.

Master node | Worker node has returned to service | This alert notifies you that a worker node exited maintenance mode and returned to service.

Worker node | Master failed or disconnected from worker node | This alert notifies you that a worker node that sends the alert is unable to contact the Log Insight master node. This might indicate that the master node failed, and might need to be restarted. If the master node failed, the cluster cannot be configured and queries cannot be submitted until it is back online. Worker nodes continue to ingest messages. NOTE You might receive many such alerts because many workers might detect the master node failure independently and raise notifications.

Worker node | Master connected to worker node | This alert notifies you that a worker node that sends the alert is reconnected to the Log Insight master node.

Synchronize the Time on the Log Insight Virtual Appliance

You must synchronize the time on the Log Insight virtual appliance with an NTP server or with the ESX/ESXi host on which you deployed the virtual appliance.

Time is critical to the core functionality of Log Insight.

By default, Log Insight synchronizes time with a pre-defined list of public NTP servers. If public NTP servers are not accessible due to a firewall, you can use the internal NTP server of your company. If no NTP servers are available, you can sync time with the ESX/ESXi host where you have deployed the Log Insight virtual appliance.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click Time.


3 From the Sync time with drop-down menu, select the time source.

Option | Description

NTP server | Synchronizes the time on the Log Insight virtual appliance with one of the listed NTP servers.

ESX/ESXi host | Synchronizes the time on the Log Insight virtual appliance with the ESX/ESXi host on which you have deployed the virtual appliance.

4 (Optional) If you selected NTP server synchronisation, list the NTP server addresses, and click Test.

NOTE Testing the connection to NTP servers might take up to 20 seconds per server.

5 Click Save.

Configure the SMTP Server for Log Insight

You can configure an SMTP server to allow Log Insight to send email alerts.

System alerts are generated when Log Insight detects an important system event, for example when the storage capacity on the virtual appliance reaches the thresholds that you set. See “Email Notifications that Log Insight Sends,” on page 39.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click SMTP.

3 Type the SMTP server address and port number.

4 If the SMTP server uses an encrypted connection, select the encryption protocol.

5 In the Sender text box, type an email address to use when sending system alerts.

The Sender address appears as the From address in system notification emails. It need not be a real address, and can be something that represents the specific instance of Log Insight. For example, [email protected].

6 Type a user name and password to authenticate with the SMTP server when sending system alerts.

7 Type a destination email and click Send Test Email to check the connection.

8 Click Save.

Integrating Log Insight with Other VMware Products

Log Insight can integrate with other VMware products to use events and log data, and provide better visibility of the events that occur in your virtual environment.

Integration with VMware vSphere

Log Insight Administrator users can set up Log Insight to connect to vCenter Server systems at two-minute intervals, and collect events, alarms, and tasks data from these vCenter Server systems. In addition, Log Insight can configure ESXi hosts via vCenter Server. See “Connect Log Insight to a vSphere Environment,” on page 45.


Integration with VMware vCenter Operations Manager

You can integrate Log Insight with vCenter Operations Manager vApp and vCenter Operations Manager Installable. Integrating with the Installable version requires additional changes to the vCenter Operations Manager configuration. For information about configuring vCenter Operations Manager Installable to integrate with Log Insight, see the Log Insight Getting Started Guide.

Log Insight and vCenter Operations Manager can be integrated in two independent ways.

Notification Events
Log Insight administrator users can set up Log Insight to send notification events to vCenter Operations Manager based on queries that you create. These notification events are not alerts in vCenter Operations Manager, and do not affect the values of the Health, Risk, or Efficiency badge. See “Configure Log Insight to Send Notification Events to vCenter Operations Manager,” on page 51.

Launch in Context
Launch in context is a feature in vCenter Operations Manager that lets you launch an external application via URL in a specific context. The context is defined by the active UI element and object selection. Launch in context lets the Log Insight adapter add menu items to a number of different views within the Custom user interface and the vSphere user interface of vCenter Operations Manager. See “Enable Launch in Context for Log Insight in vCenter Operations Manager,” on page 54.

NOTE Notification events do not depend on the launch in context configuration. You can send notification events from Log Insight to vCenter Operations Manager even if you do not enable the launch in context feature.

If the environment changes, Log Insight administrator users can change, add, or remove vSphere systems from Log Insight, change or remove the instance of vCenter Operations Manager to which alert notifications are sent, and change the passwords that are used to connect to vSphere systems and vCenter Operations Manager.

Connect Log Insight to a vSphere Environment

Before you configure Log Insight to collect alarms, events, and tasks data from your vSphere environment, you must connect Log Insight to one or more vCenter Server systems.

Log Insight can collect two types of data from vCenter Server instances and the ESXi hosts that they manage.

- Events, tasks, and alerts are structured data with specific meaning. If configured, Log Insight pulls events, tasks, and alerts from the registered vCenter Server instances.

- Logs contain unstructured data that can be analyzed in Log Insight. ESXi hosts or vCenter Server Appliance instances can push their logs to Log Insight through syslog.


Prerequisites

- For the level of integration that you want to achieve, verify that you have user credentials with enough privileges to perform the necessary configuration on the vCenter Server system and its ESXi hosts.

Level of Integration | Required Privileges

Events, tasks, and alarms collection | System.View. NOTE System.View is a system-defined privilege. When you add a custom role and do not assign any privileges to it, the role is created as a Read Only role with three system-defined privileges: System.Anonymous, System.View, and System.Read.

Syslog configuration on ESXi hosts | Host.Configuration.Change settings and Host.Configuration.Network configuration

NOTE You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.

- Verify that you know the IP address or domain name of the vCenter Server system.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, click vSphere.

3 Type the IP address and credentials for a vCenter Server, and click Test Connection.

4 (Optional) To register another vCenter Server, click Add vCenter Server and repeat steps 3 through 5.

NOTE Do not register vCenter Server systems with duplicate names or IP addresses. Log Insight does not check for duplicate vCenter Server names. You must verify that the list of registered vCenter Server systems does not contain duplicate entries.

5 Click Save.

What to do next

- Start collecting events, tasks, and alarms data from the vCenter Server instance that you registered. See “Configure Log Insight to Pull Events, Tasks, and Alarms from vCenter Server Instance,” on page 46.

- Start collecting syslog feeds from the ESXi hosts that the vCenter Server manages. See “Configure an ESXi Host to Forward Log Events to Log Insight,” on page 47.

Configure Log Insight to Pull Events, Tasks, and Alarms from vCenter Server Instance

Events, tasks, and alerts are structured data with specific meaning. You can configure Log Insight to collect alarms, events, and tasks data from one or more vCenter Server systems.

You use the Administration UI to configure Log Insight to connect to vCenter Server systems. The information is pulled from the vCenter Server systems by using the vSphere Web Services API and appears as a vSphere content pack in the Log Insight Web user interface.

NOTE Log Insight can pull alarms, events, and tasks data only from vCenter Server 5.1 and later.


Prerequisites

Verify that you have user credentials with System.View privileges.

NOTE You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, click vSphere.

3 Locate the vCenter Server instance from which you want to collect data, and select the Collect vCenter Server events, tasks, and alarms check box.

4 Click Save.

Log Insight connects to the vCenter Server every two minutes and ingests all new information since the last successful poll.

What to do next

- Analyze vSphere events using the vSphere content pack or custom queries.

- Enable vSphere content pack alerts or custom alerts.

Log Insight as a Syslog Server

Log Insight includes a built-in syslog server that is constantly active when the Log Insight service is running.

The syslog server listens on ports 514/TCP, 1514/TCP, and 514/UDP, and is ready to ingest log messages that are sent from other hosts. Messages that are ingested by the syslog server become searchable in the Log Insight Web user interface near real time. The maximum syslog message length that Log Insight accepts is 10 KB.
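A sender-side check for the listener described above, as an added example that is not part of the VMware guide: it builds an RFC 5424 test message, keeps it within the 10 KB limit, and sends it to 514/UDP or 514/TCP. Reading 10 KB as 10,240 bytes, truncating on the sender, the newline framing on TCP, and the names li-selftest and log-insight-host are assumptions of this example.

```python
import socket
import sys
from datetime import datetime, timezone

# Assumption: the guide's "10 KB" is read as 10 * 1024 bytes.
MAX_SYSLOG_BYTES = 10 * 1024
# Listener ports from the guide. 1514/TCP is not exercised by this example.
LISTENERS = {"udp": 514, "tcp": 514}


def build_message(text, hostname, app="li-selftest", facility=1, severity=6,
                  now=None):
    """Return an RFC 5424 syslog message as UTF-8 bytes."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity          # PRI value defined by RFC 5424
    when = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    # PROCID, MSGID and STRUCTURED-DATA are left as the nil value "-".
    header = f"<{pri}>1 {stamp} {hostname} {app} - - - "
    return (header + text).encode("utf-8")


def fit_to_limit(message, limit=MAX_SYSLOG_BYTES):
    """Return (message, truncated). Cuts on a UTF-8 character boundary."""
    if len(message) <= limit:
        return message, False
    # Dropping an incomplete trailing sequence keeps the payload valid UTF-8.
    cut = message[:limit].decode("utf-8", errors="ignore").encode("utf-8")
    return cut, True


def send(message, server, transport="udp", timeout=5.0):
    """Send one message to the syslog listener; return the bytes handed over."""
    port = LISTENERS[transport]
    payload, _ = fit_to_limit(message)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (server, port))
    else:
        with socket.create_connection((server, port), timeout=timeout) as sock:
            sock.sendall(payload + b"\n")   # newline-delimited framing
    return len(payload)


if __name__ == "__main__":
    # Usage: script.py log-insight-host [udp|tcp]
    msg = build_message("Log Insight syslog self-test", socket.gethostname())
    if len(sys.argv) > 1:
        proto = sys.argv[2] if len(sys.argv) > 2 else "udp"
        print("sent", send(msg, sys.argv[1], proto), "bytes over", proto)
    else:
        print(msg.decode("utf-8"))
```

After sending, search for li-selftest in the Log Insight Web user interface to confirm that the message was ingested.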

Configure an ESXi Host to Forward Log Events to Log Insight

Logs contain unstructured data that can be analyzed in Log Insight. ESXi hosts or vCenter Server Appliance instances can push their logs to Log Insight through syslog.

You must configure the ESXi hosts or vCenter Server Appliance instances to push their syslog data to Log Insight.

A Log Insight cluster can utilize a load balancer to distribute ESXi and vCenter Server Appliance syslog feeds between the individual nodes of the cluster.

You use the Administration user interface of Log Insight to configure ESXi hosts on a registered vCenter Server to forward syslog feeds to Log Insight.

CAUTION Running parallel configuration tasks might result in incorrect syslog settings on the target ESXi hosts. Verify that no other administrator user is configuring the ESXi hosts that you intend to configure.

For information on configuring syslog feeds from a vCenter Server Appliance, see “Configure a vCenter Server Appliance to Forward Log Events to Log Insight,” on page 50.

NOTE Log Insight can receive syslog data from ESXi host versions 5.x and later.

Prerequisites

n Verify that the vCenter Server that manages the ESXi host is registered with your Log Insight instance.

- Verify that you have user credentials with enough privileges to configure syslog on ESXi hosts.

  - Host.Configuration.Advanced settings

  - Host.Configuration.Security profile and firewall

  NOTE You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, click vSphere.

3 Locate the vCenter Server instance that manages the ESXi host from which you want to receive syslog feeds.

4 Select the Configure ESXi hosts to send logs to Log Insight check box.

By default, Log Insight configures all reachable ESXi hosts of version 5.x and later to send their logs through UDP. ESX hosts are not supported.

5 (Optional) Enter the hostname or IP address of a load balancer you want to use to distribute syslog feeds.

6 (Optional) To select which ESXi hosts forward their logs to Log Insight, which protocol is used for forwarding logs to Log Insight, and how to handle syslog configuration on ESXi 5.x hosts, click Advanced Options.

7 Click Save.

Configure Syslog Manually Through the vSphere Web Client

You can use the vSphere Web Client to configure syslog on an ESXi host to forward log messages to Log Insight.

To forward log messages from multiple ESXi hosts within the vCenter Server to Log Insight, you must configure each ESXi host.

NOTE The procedure might vary depending on the version of the ESXi host that you configure, and the vSphere Web Client that you use.

Prerequisites

NOTE If you already configured an ESXi host to forward log events to Log Insight by following the “Configure an ESXi Host to Forward Log Events to Log Insight,” on page 47 procedure, you can ignore the manual configuration procedure.

- Verify that you have user credentials with enough privileges to configure syslog on ESXi hosts.

  - Host.Configuration.Advanced settings

  - Host.Configuration.Security profile and firewall

  NOTE You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.

- Verify that you are logged in to the vCenter Server that manages the ESXi host that you want to configure.

Procedure

1 From the object navigator, select the ESXi host that you want to configure, and click the Manage tab.

2 On the Settings tab, click Advanced System Settings.

3 Locate the Syslog.global.logHost property and click the Edit icon.

4 Modify the Syslog.global.logHost property to point to the Log Insight IP address or host name and click OK.

The format is tcp|udp|ssl://log_insight-host:514|1514, where log_insight-host is the IP address or host name of the Log Insight virtual appliance.

NOTE Use port 514 for UDP and TCP communication, and port 1514 for SSL protocol.

5 Verify that Firewall is not blocking the communication ports.

a On the Settings tab, click Security Profile, and verify that syslog appears in the Outgoing Connections list.

b If you do not see syslog in the Outgoing Connections list, click Edit on the upper right.

c On the list of services, scroll down to locate the syslog service, and select the syslog check box.

d Click OK.

Configure Syslog Manually Through Command Line

You can set up syslog by using the esxcli utility to forward log events to Log Insight.

You can run the esxcli command in the console of an ESXi host, in the vSphere CLI, or in the vSphere Management Assistant.

Prerequisites

NOTE If you already configured an ESXi host to forward log events to Log Insight by following the “Configure an ESXi Host to Forward Log Events to Log Insight,” on page 47 procedure, you can ignore the manual configuration procedure.

- If you want to configure an ESXi host version 5.x, read and understand the information in the VMware knowledge base article Configuring syslog on ESXi 5.x (KB 2003322).

- If you want to configure an ESXi host version 4.x, read and understand the information in the VMware knowledge base article Enabling syslog on ESXi 3.5 and 4.x (KB 1016621).

- Verify that you have user credentials with enough privileges to configure syslog on ESXi hosts.

  - Host.Configuration.Advanced settings

  - Host.Configuration.Security profile and firewall

  NOTE You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.

Procedure

1 Open an ESXi Shell console session where the esxcli command is available.

For example, you can use vMA or open the session directly on the ESXi host.

2 To view the current configuration options on the host, run the following command.

esxcli system syslog config get

3 To modify a host configuration, run the following command to specify the options to change.

esxcli system syslog config set --loghost=tcp|udp|ssl://log_insight-host:514

NOTE You must use udp or tcp, but not both.

For example, the following command configures remote syslog using udp on port 514.

esxcli system syslog config set --loghost=udp://10.11.12.13:514

To configure your ESXi host to forward logs to multiple endpoints, you can list the endpoints, separated by commas, in the command.

esxcli system syslog config set --loghost=udp://10.11.12.13:514,tcp://192.168.100.101:514

4 To ensure that the ESXi firewall is configured to allow syslog traffic to leave the host, run the following commands.

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh

5 Load the new configuration by running the esxcli system syslog reload command.

NOTE If you do not run this command, the configuration change does not take effect.
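
The logHost rules given in the Web Client and command-line procedures above (tcp, udp or ssl; port 514 for UDP and TCP, port 1514 for SSL; several endpoints separated by commas) can be checked before a value is applied. The following script is an added example, not part of the VMware guide: the function names are hypothetical, the host check assumes IPv4 addresses or host names, and it only prints the esxcli commands shown above instead of running them.

```shell
#!/bin/sh
# Added example, not from the VMware guide: validate a Syslog.global.logHost
# value against the rules in this section, then print the esxcli commands.

# validate_endpoint SPEC: accept scheme://host:port where scheme is tcp, udp
# or ssl, and the port is 514 for tcp/udp or 1514 for ssl.
validate_endpoint() {
    spec=$1
    case $spec in
        tcp://*|udp://*) want_port=514 ;;
        ssl://*)         want_port=1514 ;;
        *) echo "rejected '$spec': scheme must be tcp, udp or ssl" >&2; return 1 ;;
    esac
    rest=${spec#*://}
    case $rest in
        *:*) ;;
        *) echo "rejected '$spec': no port given" >&2; return 1 ;;
    esac
    host=${rest%:*}
    port=${rest##*:}
    # Assumption: hosts are IPv4 addresses or host names, so anything outside
    # letters, digits, dot and hyphen (shell metacharacters included) is refused.
    case $host in
        ''|*[!A-Za-z0-9.-]*)
            echo "rejected '$spec': host must be an IPv4 address or host name" >&2
            return 1 ;;
    esac
    if [ "$port" != "$want_port" ]; then
        echo "rejected '$spec': expected port $want_port for this protocol" >&2
        return 1
    fi
    return 0
}

# validate_loghost VALUE: check every comma-separated endpoint in VALUE.
validate_loghost() {
    remaining=$1
    [ -n "$remaining" ] || { echo "rejected: empty value" >&2; return 1; }
    while :; do
        endpoint=${remaining%%,*}
        validate_endpoint "$endpoint" || return 1
        case $remaining in
            *,*) remaining=${remaining#*,} ;;
            *)   break ;;
        esac
    done
    return 0
}

# unencrypted_endpoints VALUE: print the endpoints that use plain tcp or udp,
# which carry log messages without encryption on the wire.
unencrypted_endpoints() {
    remaining=$1
    while [ -n "$remaining" ]; do
        endpoint=${remaining%%,*}
        case $endpoint in
            tcp://*|udp://*) printf '%s\n' "$endpoint" ;;
        esac
        case $remaining in
            *,*) remaining=${remaining#*,} ;;
            *)   remaining= ;;
        esac
    done
}

# print_esxcli_commands VALUE: print the commands from steps 3 to 5 for a
# value that passed validation. Nothing is executed.
print_esxcli_commands() {
    validate_loghost "$1" || return 1
    printf '%s\n' \
        "esxcli system syslog config set --loghost=$1" \
        "esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true" \
        "esxcli network firewall refresh" \
        "esxcli system syslog reload"
}

# Demo: the first value is the guide's own two-endpoint example; the second is
# constructed to show a rejection (ssl on port 514 instead of 1514).
for value in 'udp://10.11.12.13:514,tcp://192.168.100.101:514' 'ssl://10.11.12.13:514'; do
    if print_esxcli_commands "$value"; then
        unencrypted_endpoints "$value" | sed 's/^/note: not encrypted in transit: /'
    else
        echo "-> value not applied"
    fi
done
```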

Configure a vCenter Server Appliance to Forward Log Events to Log Insight

You can configure a vCenter Server Appliance to send its log messages to Log Insight through syslog.

To configure ESXi hosts to forward their logs to Log Insight, see the topic Connect Log Insight to vCenter Server 5.1.x Systems in the Log Insight Administration Guide.

Prerequisites

- Verify that you have the root user credentials for the vCenter Server Appliance.

- If you plan to connect to the Log Insight virtual appliance by using SSH, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the vCenter Server Appliance host and log in as the root user.

2 Navigate to /etc/syslog-ng/.

3 Open the syslog-ng.conf file for editing and add the following text at the end of the file.

source vpxd {
    file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));
};

destination loginsight { udp("<loginsight-host>"); };

log { source(vpxd); destination(loginsight); };

NOTE You can use tcp instead of udp.

4 Run service syslog restart to load the new configuration.

Configure Log Insight to Send Notification Events to vCenter Operations Manager

You can configure Log Insight to send alert notifications to vCenter Operations Manager.

You can integrate Log Insight with vCenter Operations Manager vApp and vCenter Operations Manager Installable. Integrating with the Installable version requires additional changes to the vCenter Operations Manager configuration. For information about configuring vCenter Operations Manager Installable to integrate with Log Insight, see the Log Insight Getting Started Guide.

Integrating Log Insight alerts with vCenter Operations Manager allows you to view all information about your environment in a single user interface.

You can send notification events from multiple Log Insight instances to a single vCenter Operations Manager instance. You can enable launch in context for a single Log Insight instance per vCenter Operations Manager instance.

Prerequisites

- Verify that the version of vCenter Operations Manager supports alert notifications from Log Insight. For more information about supported product versions, see the topic Product Compatibility in the Log Insight Getting Started Guide.

  NOTE Log Insight does not check the version of the target vCenter Operations Manager and lets you proceed with the configuration of the notifications. However, the notification events might not appear as expected in the vCenter Operations Manager user interface.

- Depending on the vCenter Operations Manager license that you own, verify that you have minimum user credentials.

  | vCenter Operations Manager License | Minimum Required Credentials |
  | --- | --- |
  | Standard | Default Admin user credentials |
  | Advanced or Enterprise | Read Only user credentials |

  NOTE If you want to use Active Directory or vCenter Server accounts, verify that these accounts are added in vCenter Operations Manager Custom user interface. For information about adding active directory users in vCenter Operations Manager, see the VMware vCenter Operations Manager Administration Guide.

- Verify that you know the IP address or host name of the target vCenter Operations Manager instance.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, select vCenter Operations Manager.

3 Type the IP address or host name, and user credentials for the UI VM of the vCenter Operations Manager instance, and click Test Connection.

Log Insight uses the credentials to push notification events to vCenter Operations Manager.

4 In the vCenter Operations Manager pane, select Enable alerts integration.

5 Click Save.

What to do next

You can configure alert queries to send notification events to vCenter Operations Manager. See the topic Add an Alert Query in Log Insight to Send Notification Events to vCenter Operations Manager in the Log Insight User's Guide.

Log Insight Notification Events in vCenter Operations Manager

You can configure Log Insight to send notification events to vCenter Operations Manager based on the alert queries that you create.

When you configure a notification alert in Log Insight, you select a resource in vCenter Operations Manager that is associated with the notification events. See the topic Add an Alert Query in Log Insight to Send Notification Events to vCenter Operations Manager in the Log Insight User's Guide.

The location of Log Insight notification events depends on the vCenter Operations Manager user interface version that you use.

Table 1‑1. Sections of the vCenter Operations Manager User Interface Where Notification Events Appear

| vCenter Operations Manager User Interface | Section that Displays Log Insight Notification Events |
| --- | --- |
| Custom user interface | The Alerts Overview page; all dashboards that display the Alerts dashboard widget |
| vSphere user interface | The Events tab under the Operations tab; the Events tab under the Planning tab |

The alert name and description that you provided in Log Insight appear in the Alert Info column of the alert lists in vCenter Operations Manager.

In the Custom user interface, the Alert Info column is not visible by default. You can enable the Alert Info column by expanding the drop-down menu in the table header and selecting the Alert Info check box.

Install the Log Insight Adapter in vCenter Operations Manager Standalone

You install the Log Insight adapter in vCenter Operations Manager standalone to enable the Launch in Context functionality.

The Log Insight adapter provides the necessary information for vCenter Operations Manager to start Log Insight. This adapter does not collect data.

The Log Insight adapter is installed as part of the vCenter Operations Manager 5.7.1 vApp, but not installed as part of the standalone version of vCenter Operations Manager. Therefore, for the standalone version, you must install the Log Insight adapter manually.

The Log Insight adapter is installed as part of vCenter Operations Manager 5.7.2 and 5.8.

VMware distributes the Log Insight adapter as a .tgz archive that contains the installation utilities for Windows and Linux.

Prerequisites

- Download the adapter installation TGZ file anonymously from ftp://ftp.integrien.com/.

- Make a note of the build number in the TGZ file name. The build number appears after the adapter name, for example, adaptername-buildnumber.tgz.

- Verify that you have access to the server where vCenter Operations Manager runs, and that you have permissions to install software on the server.

- Verify that the version of vCenter Operations Manager is 5.7.1 or later.

- Verify that you know the IP address or host name of the target vCenter Operations Manager instance.

- Depending on the vCenter Operations Manager license that you own, verify that you have minimum user credentials.

  | vCenter Operations Manager License | Minimum Required Credentials |
  | --- | --- |
  | Standard | Default Admin user credentials |
  | Advanced or Enterprise | Read Only user credentials |

  NOTE If you want to use Active Directory or vCenter Server accounts, verify that these accounts are added in vCenter Operations Manager Custom user interface. For information about adding active directory users in vCenter Operations Manager, see the VMware vCenter Operations Manager Administration Guide.

Procedure

1 Open the TGZ file and extract the TAR file to a temporary folder on your vCenter Operations Manager server.

2 In the temporary folder, open the TAR file and extract and run the installer for your operating system platform.

3 Log in to the Custom user interface as an administrator.

4 Select Admin > Support.

5 On the Info tab, find the Adapters Info pane and click the Describe icon.

The Describe icon is located at the top right of the Adapters Info pane.

6 Click Yes to start the describe process and click OK.

The Custom user interface finds the adapter files, gathers information about the abilities of the adapter, and updates the user interface with information about the adapter. If you have remote collectors, it installs the adapter on the remote collectors.

The describe process might take several minutes. When the describe process is finished, the adapter appears in the Adapters Info pane. The build number is in the Adapter Version column.

7 Verify that the build number in the Adapter Version column for the adapter matches the build number in the TGZ file that you downloaded.

What to do next

After you install the adapter, enable launch in context from the Administration Web user interface of Log Insight.

See the topic Enable Launch in Context for Log Insight in vCenter Operations Manager in the Log Insight Administration Guide.

vCenter Operations Manager Content Pack for Log Insight

The vCenter Operations Manager content pack for Log Insight contains dashboards, extracted fields, saved queries, and alerts that are used to analyze all logs redirected from a vCenter Operations Manager instance.

The vCenter Operations Manager content pack provides a way to analyze all logs redirected from a vCenter Operations Manager instance. The content pack contains dashboards, queries and alerts to provide diagnostics and troubleshooting capabilities to the vCenter Operations Manager administrator. The dashboards are grouped according to the major components of vCenter Operations Manager like Analytics, UI, and Adapters to provide better manageability. You can enable various alerts to send notification events in vCenter Operations Manager and e-mails to administrators.

NOTE The vCenter Operations Manager content pack requires Log Insight version 1.5 and vCenter Operations Manager version 5.8.

You can download the vCenter Operations Manager content pack from https://solutionexchange.vmware.com/store/loginsight?src=Product_Product_LogInsight_YES_US.

See the topic Working with Content Packs in the Log Insight User's Guide.

Enable Launch in Context for Log Insight in vCenter Operations Manager

You can configure vCenter Operations Manager to display menu items related to Log Insight and launch Log Insight with an object-specific query.

You can integrate Log Insight with vCenter Operations Manager vApp and vCenter Operations Manager Installable. Integrating with the Installable version requires additional changes to the vCenter Operations Manager configuration. For information about configuring vCenter Operations Manager Installable to integrate with Log Insight, see the Log Insight Getting Started Guide.

IMPORTANT One instance of vCenter Operations Manager supports launch in context for only one instance of Log Insight. Because Log Insight does not check whether other instances are already registered with vCenter Operations Manager, you might override the settings of another user.

Prerequisites

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- Verify that you know the IP address or host name of the target vCenter Operations Manager instance.

- Depending on the vCenter Operations Manager license that you own, verify that you have minimum user credentials.

  | vCenter Operations Manager License | Minimum Required Credentials |
  | --- | --- |
  | Standard | Default Admin user credentials |
  | Advanced or Enterprise | Read Only user credentials |

  NOTE If you want to use Active Directory or vCenter Server accounts, verify that these accounts are added in vCenter Operations Manager Custom user interface. For information about adding active directory users in vCenter Operations Manager, see the VMware vCenter Operations Manager Administration Guide.

- Verify that the version of vCenter Operations Manager is 5.7.1 or later.

  NOTE Log Insight does not check the version of the target vCenter Operations Manager and allows you to proceed. However, vCenter Operations Manager 5.7.1 or later is required for the link back to Log Insight to work and open the alert that generated the notification event.

  For more information about supported product versions, see the topic Product Compatibility in the Log Insight Getting Started Guide.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, select vCenter Operations Manager.

3 Type the IP address or host name, and user credentials for the UI VM of the vCenter Operations Manager vApp, and click Test Connection.

NOTE You must provide the user credentials of a vCenter Operations Manager administrator user.

4 Click Save.

Log Insight configures the vCenter Operations Manager instance. This operation might take a few minutes.

Items related to Log Insight appear in the menus of vCenter Operations Manager.

What to do next

Launch a Log Insight query from the vCenter Operations Manager instance. See “Log Insight Launch in Context,” on page 55.

Log Insight Launch in Context

You can configure vCenter Operations Manager 5.7.1 or later to trigger actions related to Log Insight.

When you enable launch in context for Log Insight, a Log Insight resource is created under the HTTP Post adapter in vCenter Operations Manager. The resource identifier contains the IP address of the Log Insight instance, and is used by vCenter Operations Manager to open Log Insight.

Launch in Context in the vSphere User Interface of vCenter Operations Manager

The launch in context options that are related to Log Insight appear in the Actions drop-down menu of the vSphere user interface. You can use these menu items to open Log Insight, and search for log events from an object in vCenter Operations Manager.

The available launch in context action depends on the object that you select in vCenter Operations Manager inventory. The time range of the queries is limited to 60 minutes before you click a launch in context option.

Table 1‑2. Objects in vCenter Operations Manager vSphere UI and their Corresponding Launch in Context Options and Actions

| Object Selected in vCenter Operations Manager | Launch in Context Option in the Actions Drop-Down Menu | Action in vCenter Operations Manager | Action in Log Insight |
| --- | --- | --- | --- |
| World | Open vCenter Log Insight | Opens Log Insight. | Log Insight displays the Interactive Analytics tab. |
| vCenter Server | Open vCenter Log Insight | Opens Log Insight. | Log Insight displays the Interactive Analytics tab. |
| Datacenter | Search for logs in vCenter Log Insight | Opens Log Insight and passes the resource names of all host systems under the selected Datacenter object. | Log Insight displays the Interactive Analytics tab and performs a query to find log events that contain names of hosts within the data center. |
| Cluster | Search for logs in vCenter Log Insight | Opens Log Insight and passes the resource names of all host systems under the selected Cluster object. | Log Insight displays the Interactive Analytics tab and performs a query to find log events that contain names of hosts within the cluster. |
| Host System | Search for logs in vCenter Log Insight | Opens Log Insight and passes the resource name of the selected Host object. | Log Insight displays the Interactive Analytics tab and performs a query to find log events that contain the name of the selected Host system. |
| Virtual Machine | Search for logs in vCenter Log Insight | Opens Log Insight and passes the IP address of the selected virtual machine and the resource name of the related host system. | Log Insight displays the Interactive Analytics tab and performs a query to find log events that contain the IP address of the virtual machine, and the name of the host where the virtual machine resides. |

On the Alerts tab, if you select an alert and select Search for logs in Log Insight from the in-context menu, the time range of the query is limited to one hour before the alert is triggered. For example, if an alert was triggered at 2:00 PM, the query in Log Insight displays all log messages that occurred between 1:00 PM and 2:00 PM. This helps you identify events that might have triggered the alert.

You can open Log Insight from metric charts in vCenter Operations Manager. The time range of the query that Log Insight runs matches the time range of the metric chart.

NOTE The time that you see in Log Insight and vCenter Operations Manager metric charts might differ if the time setting of the virtual appliances is different.

Launch in Context in the Custom User Interface of vCenter Operations Manager

The launch in context icon appears on several pages of the Custom user interface, but you can launch Log Insight only from the pages that display Log Insight notification events:

- The Alerts Overview page.

- The Alert Summary page of a Log Insight notification alert.

- The Alerts widgets on your dashboards, when a Log Insight notification alert is selected.

When you select a Log Insight notification event in the Custom user interface, you can choose between two launch in context actions.

Table 1‑3. Launch in Context Options and Actions in vCenter Operations Manager Custom UI

| Launch in Context Option in vCenter Operations Manager | Action in vCenter Operations Manager | Action in Log Insight |
| --- | --- | --- |
| Open vCenter Log Insight | Opens Log Insight. | Log Insight displays the Dashboards tab and loads the vSphere Overview dashboard. |
| Search for Logs in vCenter Log Insight | Opens Log Insight and passes the ID of the query that triggered the notification event. | Log Insight displays the Interactive Analytics tab and performs the query that triggered the notification event. |

When you select an alert that has not originated from Log Insight, the launch in context menu contains the Search for VM and Host Logs in vCenter Log Insight menu item. If you select this menu item, vCenter Operations Manager opens Log Insight and passes the identifiers of the object that triggered the alert. Log Insight uses the resource identifiers to perform a search in the available log events.

Disable Launch in Context for Log Insight in vCenter Operations Manager

You can uninstall the Log Insight adapter from the vCenter Operations Manager instance to remove menu items related to Log Insight from the vCenter Operations Manager user interface.

You use the Administration UI of Log Insight to disable launch in context. If you do not have access to Log Insight or if the Log Insight instance is deleted before the connection with vCenter Operations Manager is disabled, you can unregister Log Insight from the Administration UI of vCenter Operations Manager. See the Help in the vCenter Operations Manager Administration portal.

CAUTION One instance of vCenter Operations Manager supports launch in context for only one instance of Log Insight. If another instance of Log Insight has been registered after you registered the instance that you want to disable, the second instance overrides the settings of the first one without notifying you.

Prerequisites

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, select vCenter Operations Manager.

3 Deselect the Enable Launch in Context check box.

4 Click Save.

Log Insight configures the vCenter Operations Manager instance to remove the Log Insight adapter. This operation might take a few minutes.

Remove the Log Insight Adapter from a vCenter Operations Manager instance

When you enable launch in context on a vCenter Operations Manager instance, Log Insight creates an instance of the Log Insight adapter on the vCenter Operations Manager instance.

This instance of the adapter remains in the vCenter Operations Manager instance when you uninstall Log Insight. As a result, the launch in context menu items continue to appear in the actions menus, and point to a Log Insight instance that no longer exists.

To disable the launch in context functionality in vCenter Operations Manager, you must remove the Log Insight adapter from the vCenter Operations Manager instance.

You can use the command line utility cURL to send HTTP POST requests to vCenter Operations Manager.

Prerequisites

- Verify that cURL is installed on your system.

- Verify that you know the IP address or host name of the target vCenter Operations Manager instance.

- Depending on the vCenter Operations Manager license that you own, verify that you have minimum user credentials.

  | vCenter Operations Manager License | Minimum Required Credentials |
  | --- | --- |
  | Standard | Default Admin user credentials |
  | Advanced or Enterprise | Read Only user credentials |

  NOTE If you want to use Active Directory or vCenter Server accounts, verify that these accounts are added in vCenter Operations Manager Custom user interface. For information about adding active directory users in vCenter Operations Manager, see the VMware vCenter Operations Manager Administration Guide.

Procedure

1 In cURL, run the following query on the vCenter Operations Manager virtual appliance to find the Log Insight adapter.

curl -k --user admin username:passwd https://URL:443/HttpPostAdapter/OpenAPIServlet -d "action=getRelationships&resourceName=Log Insight Server&adapterKindKey=LogInsight&resourceKindKey=LogInsightLogServer&getChildren=true&getParents=false"

Where admin username and passwd are the administrator user credentials, and URL is the IP address of the vCenter Operations Manager instance.

The query returns a result in the following format.

resourceName=Log Insight Server&adapterKindKey=LogInsight&resourceKindKey=LogInsightLogServer
Parents:
Children:
resourceName=Log Insight Serverlog insight location&
adapterKindKey=LogInsight&
resourceKindKey=LogInsightLogServerHost&
identifiers=HOST::log insight location

Where log insight location is the HOST value of the child object of the queried resource. You can use this value in the command that removes the adapter instance.

2 Run the following command to remove the Log Insight adapter.

curl -k --user admin username:passwd https://URL:443/HttpPostAdapter/OpenAPIServlet -d "action=addRemoveParentChildRelationship&parentResource=Log Insight Server&adapterKindKey=LogInsight&resourceKindKey=LogInsightLogServer&addFlag=false&childResources=Log Insight Serverlog insight location,LogInsight,LogInsightLogServerHost,HOST::log insight location"

Where admin username and passwd are the administrator user credentials, URL is the IP address of the vCenter Operations Manager instance, and log insight location is the host location of the child resource of the relationship you want to remove.

Log Insight launch in context items are removed from the menus in vCenter Operations Manager. For more information about launch in context, see the topic Log Insight Launch in Context of the Log Insight in-product help.
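
The two-step cURL procedure above depends on copying the HOST value from the first response into the second request by hand. The following script is an added example, not part of the VMware guide: it extracts that value from a response in the layout shown in step 1 and builds the POST body for step 2. The function names and the sample response (location 192.0.2.10) are constructed, and it assumes the location is a host name or IP address.

```shell
#!/bin/sh
# Added example, not from the VMware guide: turn a getRelationships response
# into the POST body for the addRemoveParentChildRelationship request.

# Constructed sample response in the layout this section shows; 192.0.2.10 is
# a made-up Log Insight location.
SAMPLE_RESPONSE='resourceName=Log Insight Server&adapterKindKey=LogInsight&resourceKindKey=LogInsightLogServer
Parents:
Children:
resourceName=Log Insight Server192.0.2.10&
adapterKindKey=LogInsight&
resourceKindKey=LogInsightLogServerHost&
identifiers=HOST::192.0.2.10'

# extract_host_location: read a response on stdin and print the HOST identifier
# of each child resource, one per line. Only text from "Children:" on is read,
# and the match keys on the identifiers field, so it does not matter whether
# the child resource arrives on one line or wrapped as above.
extract_host_location() {
    tr -d '\r' |
        sed -n '/^Children:/,$ s/.*identifiers=HOST::\([^&]*\).*/\1/p'
}

# build_remove_body LOCATION: print the POST body from step 2 for LOCATION.
# Assumption: LOCATION is a host name or IP address, so characters that could
# alter the request (&, comma, spaces) are refused.
build_remove_body() {
    location=$1
    case $location in
        ''|*[!A-Za-z0-9._:-]*)
            echo "refusing location '$location': expected a host name or IP address" >&2
            return 1 ;;
    esac
    printf '%s%s%s%s\n' \
        'action=addRemoveParentChildRelationship&parentResource=Log Insight Server' \
        '&adapterKindKey=LogInsight&resourceKindKey=LogInsightLogServer&addFlag=false' \
        "&childResources=Log Insight Server${location},LogInsight,LogInsightLogServerHost" \
        ",HOST::${location}"
}

# removal_body_from_response: read a response on stdin and print the POST body,
# but only when exactly one child resource is listed.
removal_body_from_response() {
    locations=$(extract_host_location)
    count=$(printf '%s\n' "$locations" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one child resource, found $count" >&2
        return 1
    fi
    build_remove_body "$locations"
}

# Demo on the constructed sample: print the step 2 command, do not run it.
# --user is given only the user name so that curl prompts for the password,
# which keeps it out of shell history and the process list. -k is kept from
# the guide's command; it skips certificate verification, so drop it where the
# vCenter Operations Manager certificate is trusted.
body=$(printf '%s\n' "$SAMPLE_RESPONSE" | removal_body_from_response) &&
    printf 'curl -k --user ADMIN_USER https://URL:443/HttpPostAdapter/OpenAPIServlet -d "%s"\n' "$body"
```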

Enable or Disable Data Archiving in Log Insight

Data archiving preserves old logs that might otherwise be removed from the Log Insight virtual appliance due to storage constraints. Log Insight can store archived data to NFS mounts.

NOTE Log Insight does not manage the NFS mount used for archiving purposes. If system notifications are enabled, Log Insight sends an email when the NFS mount is about to run out of space or is unavailable. If the NFS mount does not have enough free space or is unavailable for a period of time greater than the retention period of the virtual appliance, Log Insight stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is disabled.

Prerequisites

- Verify that you have access to an NFS partition that meets the following requirements.

  - The NFS partition must allow reading and writing operations for guest accounts.

  - The mount must not require authentication.

  - The NFS server must support NFS v3.

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click Storage.

3 Select the Enable Data Archiving check box, type the path to an NFS partition where logs will be archived, and click Test to verify the connection.

If data archiving is enabled, old log files are saved to the NFS partition.

4 Click Save.

NOTE Data archiving preserves log events that have since been removed from the Log Insight virtual appliance due to storage constraints. Log events that have been removed from the Log Insight virtual appliance, but have been archived are no longer searchable. If you want to search archived logs, you must import them into a Log Insight instance. For more information about importing archived log files, see “Import a Log Insight Archive into Log Insight,” on page 64.

What to do next

After Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in Log Insight. For troubleshooting, see the topic related to ESXi logs in the Log Insight Administration Guide.

Enable User Authentication Through Active Directory

Log Insight has a built-in authentication method that you can use to authenticate users.

When you create new user accounts by using the built-in authentication method, you provide users with passwords that they must use to log in to Log Insight.


To avoid having users remember multiple passwords, you can enable the support for Active Directory authentication.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click Authentication.

3 Select the Enable Active Directory support check box.

4 In the Default Domain text box, type a domain name.

For example, company-name.com.

NOTE You cannot list multiple domains in the default domain text box. If the default domain that you specify is trusted by other domains, Log Insight uses the default domain and the binding user to verify AD users and groups in the trusting domains.

5 Type the credentials of a binding user that belongs to the default domain.

Log Insight uses the default domain and the binding user to verify AD users and groups in the default domain, and in domains that trust the default domain.

6 Click Save.

What to do next

Give permissions to AD users and groups to access the current instance of Log Insight. See “Add an Active Directory User to Log Insight,” on page 19.

Configure the Protocol to Use for Active Directory

By default, when Log Insight connects to Active Directory, it first tries non-SSL LDAP, and then SSL LDAP if necessary.

If you want to limit the Active Directory communication to one particular protocol, or want to change the order of protocols that are tried, you must apply additional configurations in the Log Insight virtual appliance.

Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance. See “Configure the Root SSH Password for the Log Insight Virtual Appliance,” on page 8.

- To enable SSH connections, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the Log Insight virtual appliance and log in as the root user.

2 Open the /usr/lib/loginsight/application/etc/loginsight-config-base.xml file for editing.

If you use a VI editor, the command is vi loginsight-config-base.xml.


3 In the Authentication section, add the line that corresponds to the configuration that you want to apply:

Option | Description
<ad-protocols value="LDAP" /> | For specifically using LDAP without SSL
<ad-protocols value="LDAPS" /> | For specifically using LDAP with SSL only
<ad-protocols value="LDAP,LDAPS" /> | For specifically using LDAP first and then using LDAP with SSL
<ad-protocols value="LDAPS,LDAP" /> | For specifically using LDAPS first and then using LDAP without SSL

When you do not select a protocol, Log Insight attempts to use LDAP first, and then uses LDAP with SSL.

4 Save and close the file.

5 Run the service loginsight restart command.

Install a Custom SSL Certificate by Using the Log Insight Web Interface

By default, Log Insight installs a self-signed SSL certificate on the virtual appliance.

The self-signed certificate generates security warnings when you connect to the Log Insight Web user interface. If you do not want to use a self-signed security certificate, you can install a custom SSL certificate. The use of a custom SSL certificate is optional and does not affect the features of Log Insight.

NOTE The Log Insight Web user interface and the SSL syslog protocol use the same certificate for authentication.

Prerequisites

- Verify that your custom SSL certificate meets the following requirements.

  - The certificate file contains both a valid private key and a valid certificate chain.

  - The private key is generated by the RSA or the DSA algorithm.

  - The private key is not encrypted by a pass phrase.

  - If the certificate is signed by a chain of other certificates, all other certificates are included in the certificate file that you plan to import.

  - The private key and all the certificates that are included in the certificate file are PEM-encoded. Log Insight does not support DER-encoded certificates and private keys.

  - The private key and all the certificates that are included in the certificate file are in the PEM format. Log Insight does not support certificates in the PFX, PKCS12, PKCS7, or other formats.

- Verify that you concatenate the entire body of each certificate into a single text file in the following order.

  a The Private Key - your_domain_name.key

  b The Primary Certificate - your_domain_name.crt

  c The Intermediate Certificate - DigiCertCA.crt

  d The Root Certificate - TrustedRoot.crt


- Verify that you include the beginning and ending tags of each certificate in the following format.

-----BEGIN RSA PRIVATE KEY-----

(Your Private Key: your_domain_name.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: your_domain_name.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Intermediate certificate: DigiCertCA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate: TrustedRoot.crt)

-----END CERTIFICATE-----

- Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

- If you use Internet Explorer 9, verify that you have Adobe Flash Player installed on your system.

Procedure

1 Generate a Certificate Signing Request on page 62

Generate a certificate signing request by using the OpenSSL tool for Windows.

2 Request a Signature from a Certificate Authority on page 63

Send your certificate signing request to a Certificate Authority of your choice and request a signature.

3 Concatenate Certificate Files on page 63

Combine your key and certificate files into a PEM file.

4 Upload Signed Certificate on page 64

Upload your signed certificate by using the Log Insight Web Interface.

Generate a Certificate Signing Request

Generate a certificate signing request by using the OpenSSL tool for Windows.

Prerequisites

Download the appropriate installer for OpenSSL from http://www.openssl.org/related/binaries.html. Use the downloaded OpenSSL installer to install it on Windows.

Procedure

1 Create a folder to save your certificate files, for example C:\Certs\LI-2.0.

2 Open a Command Prompt and run the following command to generate your private key.

C:\Certs\LI-2.0>openssl genrsa -out server.key 2048

3 Create a certificate signing request by running the following command.

C:\Certs\LI-2.0>openssl req -new -key server.key -out server.csr

NOTE This command runs interactively and asks you a number of questions. Your certificate authority will cross check your answers. Your answers must match the legal documents regarding the registration of your company.


4 Follow the onscreen instructions and enter the information that will be incorporated into your certificate request.

IMPORTANT In the Common Name field, enter the hostname or IP address of your server, for example mail.your.domain. If you want to include all subdomains, enter *your.domain.

Your certificate signing request file server.csr is generated and saved.

Request a Signature from a Certificate Authority

Send your certificate signing request to a Certificate Authority of your choice and request a signature.

Procedure

- Submit your server.csr file to a Certificate Authority.

NOTE Request that the Certificate Authority encode your file in the PEM format.

The Certificate Authority processes your request and sends you back a server.crt file encoded in the PEM format.

Concatenate Certificate Files

Combine your key and certificate files into a PEM file.

Procedure

1 Create a new server.pem file and open it in a text editor.

2 Copy the contents of your server.key file and paste it in server.pem using the following format.

-----BEGIN RSA PRIVATE KEY-----

(Your Private Key: server.key)

-----END RSA PRIVATE KEY-----

3 Copy the contents of your server.crt file and paste it in server.pem using the following format.

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: server.crt)

-----END CERTIFICATE-----

4 If the Certificate Authorities provided you with an intermediate or chained certificate, append the intermediate or chained certificates to the end of the public certificate file in the following format.

-----BEGIN RSA PRIVATE KEY-----

(Your Private Key: server.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: server.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Intermediate certificate: DigiCertCA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate: TrustedRoot.crt)

-----END CERTIFICATE-----

5 Save your server.pem file.
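
A structural pre-upload check for the concatenated server.pem, as an added example (not VMware tooling): it confirms that the private key comes first and carries no pass phrase, that only certificates follow, and that every BEGIN marker is closed by the END marker with the same label. The function names and the sample bundles are constructed for illustration; the check assumes the RSA/DSA key markers shown above and does not verify that the key matches the certificate or that the chain is valid.

```shell
#!/bin/sh
# check_pem_bundle FILE
# Structural check of a concatenated PEM bundle before upload:
#   1. the first block is an RSA or DSA private key with no pass phrase,
#   2. every later block is a CERTIFICATE,
#   3. each BEGIN marker is closed by the END marker with the same label.
# Prints one verdict line; returns 0 when the layout is acceptable.
check_pem_bundle() {
    awk '
    function fail(msg) { printf "FAIL line %d: %s\n", NR, msg; failed = 1; exit 1 }

    { sub(/\r$/, "") }                    # tolerate CRLF files saved on Windows

    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (cur != "") fail("BEGIN inside unclosed " cur " block")
        cur = substr($0, 12, length($0) - 16)
        blocks++
        if (cur == "ENCRYPTED PRIVATE KEY")
            fail("private key is protected by a pass phrase")
        if (blocks == 1 && cur !~ /^(RSA|DSA) PRIVATE KEY$/)
            fail("first block must be an RSA or DSA private key, found " cur)
        if (blocks > 1 && cur != "CERTIFICATE")
            fail("block " blocks " must be a CERTIFICATE, found " cur)
        next
    }

    /^-----END [A-Z0-9 ]+-----$/ {
        label = substr($0, 10, length($0) - 14)
        if (cur == "") fail("END " label " without a BEGIN marker")
        if (label != cur) fail("BEGIN " cur " closed by END " label)
        cur = ""
        next
    }

    # Traditional OpenSSL key files mark pass-phrase encryption with this header.
    cur ~ /PRIVATE KEY$/ && /^Proc-Type:.*ENCRYPTED/ {
        fail("private key is protected by a pass phrase")
    }

    END {
        if (failed) exit 1
        if (blocks == 0) { print "FAIL: no PEM markers (DER, PFX and PKCS files are not accepted)"; exit 1 }
        if (cur != "") { print "FAIL: unterminated " cur " block"; exit 1 }
        if (blocks < 2) { print "FAIL: private key is not followed by a certificate"; exit 1 }
        printf "OK: private key + %d certificate(s)\n", blocks - 1
    }' "$1"
}

# Constructed sample bundle with placeholder bodies (no real key material).
# $1 = output file, $2 = label used in the END marker of the primary certificate.
write_sample_bundle() {
    {
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBplaceholderkey' '-----END RSA PRIVATE KEY-----'
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICplaceholderleaf' "-----END $2-----"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIICplaceholderca' '-----END CERTIFICATE-----'
    } > "$1"
}

if [ "$#" -ge 1 ]; then
    check_pem_bundle "$1"
else
    # No argument: run against two constructed bundles, one well formed and
    # one whose primary certificate is closed by the wrong END marker.
    demo_dir=$(mktemp -d)
    write_sample_bundle "$demo_dir/good.pem" CERTIFICATE
    write_sample_bundle "$demo_dir/bad.pem" 'RSA PRIVATE KEY'
    check_pem_bundle "$demo_dir/good.pem" || true
    check_pem_bundle "$demo_dir/bad.pem" || true
    rm -rf "$demo_dir"
fi
```
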


Upload Signed Certificate

Upload your signed certificate by using the Log Insight Web Interface.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click SSL Certificate.

3 Browse to your custom SSL certificate and click Open.

4 Click Save.

5 Restart Log Insight.

What to do next

After Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in Log Insight. For troubleshooting, see the topic related to ESXi logs in the Log Insight Administration Guide.

Change the Default Timeout Period for Log Insight Web Sessions

By default, to keep your environment secure, Log Insight Web sessions expire in 30 minutes. You can increase or decrease the timeout duration.

You can modify the timeout period by using the vSphere Client, or by establishing an SSH connection to the Log Insight virtual appliance.

Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance. See “Configure the Root SSH Password for the Log Insight Virtual Appliance,” on page 8.

- To enable SSH connections, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the Log Insight virtual appliance and log in as the root user.

2 Run the service loginsight stop command.

3 Open the /usr/lib/loginsight/application/3rd_party/apache-tomcat-*/webapps/ROOT/WEB-INF/web.xml file for editing.

4 Locate the <session-timeout> parameter.

5 Specify a timeout value in minutes.

The value -1 disables session timeouts.

6 Save and close the file.

7 Run the service loginsight start command.
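
The Active Directory protocol order and the Web session timeout described above can both be read back from the appliance shell. This added example (not part of the product) reports the effective <ad-protocols> order, applying the documented default when the element is absent, and the <session-timeout> value; the function names, the sample files and the choice to flag any order that permits non-SSL LDAP are assumptions of the example.

```shell
#!/bin/sh
# Prints the effective Active Directory protocol order.
# $1 = path to loginsight-config-base.xml
# With no <ad-protocols> element the documented default applies:
# non-SSL LDAP first, then LDAP with SSL.
ad_protocol_order() {
    order=$(sed -e 's/<!--.*-->//g' "$1" |
        sed -n 's/.*<ad-protocols[[:space:]][[:space:]]*value="\([^"]*\)".*/\1/p' |
        head -n 1)
    printf '%s\n' "${order:-LDAP,LDAPS}"
}

# Returns 0 only when the order is restricted to LDAP with SSL.
audit_ad_protocols() {
    order=$(ad_protocol_order "$1")
    case "$order" in
        LDAPS)
            echo "OK AD protocol order: LDAPS only" ;;
        LDAP|LDAP,LDAPS|LDAPS,LDAP)
            echo "WARN AD protocol order $order permits LDAP without SSL"
            return 1 ;;
        *)
            echo "FAIL unrecognised ad-protocols value: $order"
            return 1 ;;
    esac
}

# Prints the <session-timeout> value (minutes) from a Tomcat web.xml.
# $1 = path to web.xml; the element may be split across lines.
session_timeout_minutes() {
    tr -d '\n\r' < "$1" |
        sed -n 's/.*<session-timeout>[[:space:]]*\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*<\/session-timeout>.*/\1/p'
}

# $1 = web.xml, $2 = longest acceptable timeout in minutes (default 30,
# the product default). The guide documents -1 as "disabled"; the servlet
# specification treats any value of 0 or less the same way.
audit_session_timeout() {
    minutes=$(session_timeout_minutes "$1")
    limit=${2:-30}
    if [ -z "$minutes" ]; then
        echo "FAIL no <session-timeout> value found"
        return 1
    elif [ "$minutes" -le 0 ]; then
        echo "WARN session timeout disabled ($minutes)"
        return 1
    elif [ "$minutes" -gt "$limit" ]; then
        echo "WARN session timeout $minutes min exceeds $limit min"
        return 1
    fi
    echo "OK session timeout $minutes min"
}

if [ "$#" -eq 2 ]; then
    # Usage: script loginsight-config-base.xml web.xml
    audit_ad_protocols "$1" || true
    audit_session_timeout "$2" || true
else
    # Constructed samples. The <config> wrapper is a placeholder, not the
    # real layout of loginsight-config-base.xml.
    demo_dir=$(mktemp -d)
    printf '%s\n' '<config>' '  <ad-protocols value="LDAP,LDAPS" />' '</config>' \
        > "$demo_dir/config.xml"
    printf '%s\n' '<web-app><session-config>' \
        '  <session-timeout>-1</session-timeout>' \
        '</session-config></web-app>' > "$demo_dir/web.xml"
    audit_ad_protocols "$demo_dir/config.xml" || true
    audit_session_timeout "$demo_dir/web.xml" || true
    rm -rf "$demo_dir"
fi
```
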

Import a Log Insight Archive into Log Insight

You can use the command line to import logs that have been archived in Log Insight.

NOTE Although Log Insight can handle historic data and real-time data simultaneously, you are advised to deploy a separate instance of Log Insight to process imported log files.


Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance.

- Verify that you have access to the NFS server where Log Insight logs are archived.

- Verify that the Log Insight virtual appliance has enough disk space to accommodate the imported log files.

  The minimum free space in the /storage/core partition on the virtual appliance must equal approximately 10 times the size of the archived log that you want to import.

Procedure

1 Establish an SSH connection to the Log Insight vApp and log in as the root user.

2 Mount the shared folder on the NFS server where the archived data resides.

3 To import a directory of archived Log Insight logs, run the following command.

/usr/lib/loginsight/application/bin/loginsight repository import Path-To-Archived-Log-Data-Folder

NOTE Importing archived data might take a long time, depending on the size of the imported folder.

4 Close the SSH connection.

What to do next

You can search, filter, and analyze the imported log events.

Restart the Log Insight Service

You can restart Log Insight by using the Administration page in the Web user interface.

CAUTION Restarting Log Insight closes all active user sessions. Users of the Log Insight instance will be forced to log in again.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Appliance.

3 Click Restart Master and click Restart.

What to do next

After Log Insight restarts, verify that syslog feeds from ESXi continue to arrive in Log Insight. For troubleshooting, see the topic related to ESXi logs in the Log Insight Administration Guide.


Power Off the Log Insight Virtual Appliance

To avoid data loss when powering off a Log Insight master or worker node, you must power the node off by following a strict sequence of steps.

You must power off the Log Insight virtual appliance before making changes to the virtual hardware of the appliance.

You can power off the Log Insight virtual appliance by using the Power > Shut Down Guest menu option in the vSphere Client, by using the virtual appliance console, or by establishing an SSH connection to the Log Insight virtual appliance and running a command.

Prerequisites

- If you plan to connect to the Log Insight virtual appliance by using SSH, verify that TCP port 22 is open.

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance.

Procedure

1 Establish an SSH connection to the Log Insight vApp and log in as the root user.

2 To power off the Log Insight virtual appliance, run shutdown -h now.

What to do next

You can safely modify the virtual hardware of the Log Insight virtual appliance.

Add Memory and CPU to the Log Insight Virtual Appliance

You can change the amount of memory and CPUs allocated to a Log Insight virtual appliance after deployment.

You might need to adjust resource allocation if, for example, the number of events in your environment increases.

Prerequisites

- Log in to the vSphere Client as a user who has privileges to modify the hardware of virtual machines in the environment.

- Shut down the Log Insight virtual appliance safely. See “Power Off the Log Insight Virtual Appliance,” on page 66.

Procedure

1 In the vSphere Client inventory, right-click the Log Insight virtual machine and select Edit Settings.

2 On the Hardware tab, click Add.

3 Adjust the amount of CPU and memory as needed.

4 Review the information and click Finish.

5 Click OK to save your changes and close the dialog box.

When you power on the Log Insight virtual appliance, the virtual machine begins to utilize the new resources.


Stop Sending Trace Data to VMware

If you no longer want to participate in the Customer Experience Improvement Program, you can discontinue the transfer of anonymized trace data to VMware.

If you have any questions or concerns regarding the Customer Experience Improvement Program for Log Insight, contact [email protected].

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Configuration, click General.

3 In the Customer Experience Improvement Program pane, deselect the Send weekly Trace Data to VMware as part of the Customer Experience Improvement Program check box.

4 Click Save.

Log Insight stops sending trace data to VMware.


Chapter 2 Troubleshooting Log Insight

You can attempt to solve common problems related to Log Insight administration before calling VMware Support Services.

This chapter includes the following topics:

- “ESXi Logs Stop Arriving in Log Insight,” on page 69

- “Log Insight Runs Out of Disk Space,” on page 70

- “Download a Log Insight Support Bundle,” on page 71

- “Use the Virtual Appliance Console to Create a Support Bundle of Log Insight,” on page 71

- “Reset the Admin User Password,” on page 72

- “Reset the Root User Password,” on page 72

- “Alerts Could Not Be Delivered to vCenter Operations Manager,” on page 73

- “Unable to Log In Using Active Directory Credentials,” on page 73

- “SMTP does not work with STARTTLS option enabled,” on page 74

ESXi Logs Stop Arriving in Log Insight

After restarting the Log Insight service, syslog messages from ESXi hosts stop arriving in Log Insight.

Problem

Configuration changes in Log Insight require that you restart the Log Insight service. After the restart, syslog feeds from ESXi are no longer available.

Cause

Certain versions of ESXi stop sending logs if the connectivity to the remote syslog listener is interrupted, even briefly. This problem affects the following ESXi versions, depending on the communication protocol that is used.


Table 2-1. ESXi Versions That Stop Sending Syslog Messages

Communication Protocol | Affected ESXi Version
TCP | ESXi 5.0.x, ESXi 5.1.x
UDP | ESXi 5.0 and 5.0 Update 1

IMPORTANT The issue is fixed in ESXi 5.1 Update 2 and ESXi 5.0, Patch ESXi500-201401401-BG. VMware recommends that you apply the update or patch to be sure that your ESXi hosts do not stop sending syslog messages to their remote destinations. For more information, see https://www.vmware.com/support/vsphere5/doc/vsphere-esxi-51u2-release-notes.html and VMware ESXi 5.0, Patch ESXi500-201401401-BG: Updates esx-base (2065691). If you do not wish to apply the update or patch, use the following solution.

Solution

1 Click the configuration drop-down menu icon and select Administration.

2 Under Integration, click vSphere.

3 For each vCenter Server instance that has the View ESXi syslog configuration details link, click the View ESXi syslog configuration details link.

4 Select all hosts that previously had a configuration and click Configure.

NOTE The configuration process can take several minutes. You must repeat the procedure every time you restart Log Insight. For details about syslog problems and solutions, see VMware ESXi 5.x host stops sending syslogs to remote server (2003127).

Log Insight Runs Out of Disk Space

A Log Insight master or worker node might run out of disk space if you are using a small virtual disk, and archiving is not enabled.

Problem

Log Insight runs out of disk space if the rate of incoming logs exceeds 3 percent of the storage space per minute.

Cause

In normal situations, Log Insight never runs out of disk because every minute it checks if the free space is less than 3 percent. If the free space on the Log Insight virtual appliance drops below 3 percent, old data buckets are retired.

However, if the disk is small and log ingestion rate is so high that the free space (3 percent) is filled out within 1 minute, Log Insight runs out of disk.

If archiving is enabled, Log Insight archives the bucket before retiring it. If the free space is filled before the old bucket is archived and retired, Log Insight runs out of disk.

Solution

- Increase the storage capacity of the Log Insight virtual appliance. See “Increase the Storage Capacity of the Log Insight Virtual Appliance,” on page 17.


Download a Log Insight Support Bundle

If Log Insight does not operate as expected because of a problem, you can send a copy of the log and configuration files to VMware Support Services.

Prerequisites

Verify that you are logged in to the Log Insight Web user interface as an Admin user. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the Log Insight virtual appliance.

Procedure

1 Click the configuration drop-down menu icon and select Administration.

2 Under Management, click Appliance.

3 Under the Support header, click Download Support Bundle.

The Log Insight system collects the diagnostic information and streams the data to your browser in a compressed tarball.

4 In the File Download dialog box, click Save.

5 Select a location to which you want to save the tarball archive and click Save.

What to do next

You can review the contents of log files for error messages. When you resolve or close issues, delete the outdated support bundle to save disk space.

Use the Virtual Appliance Console to Create a Support Bundle of Log Insight

If you cannot access the Log Insight Web user interface, you can download the support bundle by using the virtual appliance console or after establishing an SSH connection to the Log Insight virtual appliance.

Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance.

- If you plan to connect to the Log Insight virtual appliance by using SSH, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the Log Insight vApp and log in as the root user.

2 To generate the support bundle, run loginsight-support.

The support information is collected and saved in a *.tar.gz file that has the following naming convention: loginsight-support-YYYY-MM-DD_HHMMSS.xxxxx.tar.gz, where xxxxx is the process ID under which the loginsight-support process ran.

What to do next

Forward the support bundle to VMware Support Services as requested.


Reset the Admin User Password

If an Admin user forgets the password to the Web user interface, the account becomes unreachable.

Problem

If Log Insight has only one Admin user and the Admin user forgets the password, the application cannot be administered. If an Admin user is the only user of Log Insight, the whole Web user interface becomes inaccessible.

Cause

Log Insight does not provide a user interface for Admin users to reset their own passwords, if the user does not remember their current password.

NOTE Admin users who are able to log in can reset the password of other Admin users. Reset the Admin user password only when all Admin user accounts' passwords are unknown.

Solution

Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance. See “Configure the Root SSH Password for the Log Insight Virtual Appliance,” on page 8.

- To enable SSH connections, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the Log Insight virtual appliance and log in as the root user.

2 Type li-reset-admin-passwd.sh and press Enter.

The script resets the Admin user password, generates a new password and displays it on the screen.

What to do next

Log in to the Log Insight Web user interface with the new password and change the Admin user password.

Reset the Root User Password

If you forget the password of the root user, you can no longer establish SSH connections or use the console of the Log Insight virtual appliance.

Problem

If you cannot establish SSH connections or use the console of the Log Insight virtual appliance, you cannot accomplish some of the administration tasks, nor can you reset the password of the admin user.

Solution

1 In the vSphere Client, restart the guest operating system of the Log Insight virtual appliance, and open the console for the virtual machine.

2 Click in the console, wait for the GRUB menu to appear and press any letter key.

NOTE The GRUB prompt remains on the screen for 7 seconds before it starts the boot sequence.

3 On the GRUB menu, use the arrow keys to select SUSE Linux Enterprise Server for VMware.


4 Press the spacebar, type init=/bin/sh, and press Enter.

The kernel boots in shell mode.

5 In the shell, type passwd, press Enter, and follow the on-screen instructions to change the root password.

The password must consist of at least eight characters, and must include at least one upper case letter, one lower case letter, one digit, and one special character such as $ or &. You cannot repeat the same character more than four times.

6 In the shell, type reboot.

What to do next

Once Log Insight reboots, validate that you can log in as the root user.

Alerts Could Not Be Delivered to vCenter Operations Manager

Log Insight notifies you if an alert event cannot be sent to vCenter Operations Manager. Log Insight retries sending the alert every minute until the problem is resolved.

Problem

A red sign with an exclamation mark appears in the Log Insight toolbar when an alert could not be delivered to vCenter Operations Manager.

Cause

Connectivity problems prevent Log Insight from sending alert notifications to vCenter Operations Manager.

Solution

- Click on the red icon to open the list of error messages, and scroll down to view the latest message.

  The red sign disappears from the toolbar when you open the list of error messages, or if the problem is resolved.

- To fix the connectivity problem with vCenter Operations Manager, try the following.

  - Verify that the vCenter Operations Manager vApp is not shut down.

  - Verify that you can connect to vCenter Operations Manager via the Test Connection button in the vCenter Operations Manager section of the Administration page of the Log Insight Web user interface.

  - Verify that you have the correct credentials by logging directly into vCenter Operations Manager.

  - Check Log Insight and vCenter Operations Manager logs for messages related to connectivity problems.

  - Verify that no alerts are filtered out in vCenter Operations Manager vSphere User Interface.

Unable to Log In Using Active Directory Credentials

You cannot log in to the Log Insight Web user interface when you use Active Directory credentials.

Problem

You cannot log in to Log Insight by using your Active Directory domain user credentials, even though an administrator has added your Active Directory account to Log Insight.

Cause

The most common causes are expired passwords, incorrect credentials, connectivity problems, or lack of synch between the Log Insight virtual appliance and Active Directory clocks.


Solution

- Verify that your credentials are valid, your password has not expired, and your Active Directory account is not locked.

- If you have not specified a domain to use with Active Directory authentication, verify that you have an account on the default domain stored in Log Insight configuration at /usr/lib/loginsight/application/etc/loginsight-config-base.xml

- Verify Log Insight has connectivity to the Active Directory server.

  - Go to the Authentication section of the Administration page of the Log Insight Web user interface, fill in your user credentials, and click the Test Connection button.

  - Check the Log Insight /storage/var/loginsight/runtime.log for messages related to DNS problems.

- Verify that the Log Insight and Active Directory clocks are in synch.

  - Check the Log Insight /storage/var/loginsight/runtime.log for messages related to clock skew.

  - Use an NTP server to synchronize the Log Insight and Active Directory clocks.

SMTP does not work with STARTTLS option enabled

When you configure the SMTP server with the STARTTLS option enabled, test emails fail. Add your SSL certificate for the SMTP server to the Java truststore to resolve the problem.

Prerequisites

- Verify that you have the root user credentials to log in to the Log Insight virtual appliance.

- If you plan to connect to the Log Insight virtual appliance by using SSH, verify that TCP port 22 is open.

Procedure

1 Establish an SSH connection to the Log Insight vApp and log in as the root user.

2 Copy the SSL certificate for the SMTP server to the Log Insight vApp.

3 Run the following command.

`/usr/java/latest/bin/keytool -import -alias certificate_name -file path_to_certificate -keystore /usr/java/latest/lib/security/cacerts`

NOTE The outer quotes are inserted by using the back quote symbol that is on the same key as tilde on your keyboard. Do not use single quotes.

4 Enter the default password changeit.

5 Run the service loginsight restart command.

What to do next

Navigate to Administration > Smtp and use Send Test Email to test your settings. See “Configure the SMTP Server for Log Insight,” on page 44.
