VMware

VMware vCenter Log Insight 1.5 Release Notes

vCenter Log Insight 1.5 | Build 1435442

Last Document Update: 09 DEC 2013

Check frequently for additions and updates to these release notes.

These release notes include the following topics:

Introduction to Log Insight

VMware vCenter Log Insight is the solution of VMware for log management and analytics for dynamic hybrid cloud environments. It delivers superior technology for automated log management through log analytics, aggregation, and search to extend the leadership of VMware in analytics to log data. Log Insight can analyze vast amounts of unstructured machine generated data and enable interactive, real-time search and analytics through an easy to use interface providing superb time to value. It analyzes log data of all types and from all devices, enabling deep, enterprise-wide visibility. With a focus on integrated cloud operations management, and an analytics driven approach, Log Insight provides the operational intelligence needed to proactively enable service levels and operational efficiency in dynamic hybrid cloud environments.

What's New in Log Insight 1.5

  • Easy creation and import/export of Content Packs for administrators and users
  • Active Directory support for authentication
  • Added unique count function
  • Significant query performance improvements by optimizing the execution of common queries
  • Usability improvements
  • User interface for syslog configuration of ESXi hosts
  • User interface for upgrading from previous versions of Log Insight through Administration UI

Top of Page

Before You Begin

Review this section before you begin installing and configuring Log Insight.

Virtual Appliance Deployment

  • Always use a VMware vSphere Client to connect to a VMware vCenter Server and deploy the Log Insight virtual appliance through the vCenter Server.
    The Log Insight virtual appliance should be deployed on an ESX/ESXi host version 4.0 or later that is managed by VMware vCenter Server 4.0 Update 2 or later.
  • Use the instructions provided in the VMware vCenter Log Insight Getting Started Guide to install and configure the Log Insight virtual appliance.

Licensing Log Insight 1.5

This paragraph contains notes on licensing Log Insight 1.5

  • After you deploy the Log Insight virtual appliance, you must assign a valid license key.
  • All license management tasks are performed in the Administration Web interface of Log Insight. The URL is http://<log-insight-ip>/admin/license, where <log-insight-ip> is the IP address of the Log Insight vApp. Follow the instructions from the vCenter Log Insight Getting Started Guide to assign a license.

Compatibility Notes

Log Insight 1.5 supports the following VMware products and versions:

  • Log insight can pull events, tasks, and alarms data from VMware vCenter Server 4.0, 4.1, 5.0, 5.1, and 5.5.
  • ESXi hosts of the following versions can be configured to push syslog data to Log Insight: ESXi 4.0, 4.1, 5.0, 5.1, and 5.5.
  • You can integrate Log Insight with vCenter Operations Manager as follows.
    • The vCenter Operations Manager edition should be Standard or higher.
    • Log Insight can send notification events to vCenter Operations Manager 5.6 or later.
    • You can view Log Insight alerts in vCenter Operations vSphere UI 5.7.1 or later.
    • You can view Log Insight alerts in vCenter Operations Custom UI 5.6 or later.
      Note: You cannot view the details of Log Insight alerts in vCenter Operations Manager 5.6.
    • You can enable launch in context for Log Insight in vCenter Operations Manager 5.7.1 or later.
    • You can remove the Log Insight adapter that enables launch in context
      • from the admininstration UI in vCenter Operations Manager 5.8 or later
      • from Log Insight 1.5

Browser Support

Log Insight 1.5 supports the following browser versions.
  • Mozilla Firefox 10.x, 19.x, 20.x, 21.0, and 23
  • Google Chrome 25.x, 26.x, 27.x, and 29.x
  • Safari 6.0
  • Internet Explorer 9.x and 10.x
    Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. Browser Mode: Compatibility View is not supported.

The minimum supported browser resolution is 1024 by 768 pixels.

Important: Cookies must be enabled in your browser.

Top of Page

Limitations

Log Insight 1.5 has the following limitations.
  • Log Insight does not support multiple domains for active directory login when they are not trusted domains.
  • Log Insight does not handle non-printable ASCII characters properly.
  • Log Insight does not support multi-line messages.
  • Log Insight does not support printing, however you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer 10 or Firefox for printing Log Insight user interface. Printing the Log Insight UI does not work in Internet Explorer 9.
  • Log Insight does not raise a warning about the expiration of the Log Insight license.
  • Log Insight does not support sending alerts against resources in vCenter Operations Manager when the resource has been renamed in vCenter Operations Manager.

Security

IT decision makers, architects, administrators, and others who must be aware of the security components of Log Insight must familiarize themselves with the VMware vCenter Log Insight Security Guide.

For details on how to secure your environment, check the VMware vSphere Security guide and the VMware Security Advisories site.

Note: Log Insight runs its processes as root user of the virtual appliance. This might cause security risks to your environment. Always deploy Log Insight in trusted secure environments.

Virtual Appliance Requirements

The following section lists the computing requirements and assumptions for the Log Insight virtual appliance.
  • Memory: 8GB RAM
  • vCPU: 2 vCPUs, 1GHz each
  • Storage space: approximately 140GB

User Accounts

  • To pull events, tasks, and alarms data from a vCenter Server, you must provide a set of user credentials for that vCenter Server. The minimum role required to register and unregister Log Insight with a vCenter Server is Read-only, set at the vCenter Server level, and propagated to child objects . To configure ESXi hosts that a vCenter Server manages, Log Insight requires more privileges. See the Known Issues section.
  • The hosting vCenter Server credentials are needed to deploy the Log Insight virtual appliance.
  • The default credentials for the Log Insight Admin user are admin/<blank>. To improve security, Log Insight requires you to change these credentials when you first access the Log Insight Web user interface.
  • The default credentials for the root user on the Log Insight virtual appliance are root/<blank>. You are prompted to change the root account password when you first access the Log Insight virtual appliance console.
  • To enable notification events and the launch in context functionality in a vCenter Operations Manager instance, you must provide user credentials for that vCenter Operations Manager instance.

Top of Page

Upgrading from a Previous Version of Log Insight

Log Insight 1.5 supports upgrading from Log Insight 1.0, Log Insight 1.5 TP1, TP2 and later. See Upgrading from a Previous Version of Log Insight in the Log Insight 1.5 documentation center.

Internationalization Support

Log Insight 1.5 has not been officially internationalized. It has been tested in English only.

Log Insight 1.5 should work properly in non-English web browsers, as long as data input is in English.
Following is information on use cases that have been tested.

  • The Log Insight Web user interface was accessed successfully via Chinese and German version of the Firefox browser.
  • The non-ASCII users with non-ASCII password are created and logged into the UI successfully.
  • The non-ASCII name for other object names, such as the Saved dashboard and the Saved Query, are created and displayed successfully.
  • The non-ASCII log contents (with various encodings, such as UTF-8, UTF-16, and native ANSI encoding) were displayed garbled on the Log Insight Web user interface.
  • Due to the issue with the garbled non-ASCII log contents, the search and filtering features for those non-ASCII log contents won't be performed.
  • The date/time format for various timestamp and calendar shown on the Log Insight user interface are in English, even though the OS and browser are in Chinese and German.
  • No Log Insight message is externalized.

Product Documentation

In addition to the current Release Notes, you can use the documentation set for Log Insight 1.5 that includes the following deliverables.

Active Directory Support

See the following topics in the Log Insight 1.5 documentation center.
Note: Active Directory that runs only in SSL/TLS mode is not supported.

Top of Page

Resolved Issues

This section contains resolved issues since Log Insight 1.0 GA release.

  • The System Monitor page does not display any metrics about data that is imported from archived NFS locations
    If you import archived log data in a Log Insight instance, you cannot use the Resources tab on the System Monitor page to check the amount of log data and the count of events that were imported from the archive location. The System Monitor page on the Administration UI tracks only live log data.
    This problem is fixed.

  • The alert criticality setting for notification events is ignored in vCenter Operations Manager Custom user interface
    When, in Log Insight, you create an alert query to send notification events to vCenter Operations Manager, you can modify the level of alert criticality displayed in the Custom user interface. However, all notification events appear as Info, regardless of your settings.
    This problem is fixed.

  • Restart status does not change to successful after uploading a self-signed certificate
    After a self-signed certificate has been uploaded, if you restart Log Insight from the Administration Web user interface, the restart status does not change to success even after the operation has completed.
    This problem is fixed.

  • vCenter task and event collector might exit silently
    This problem is fixed.

  • The total number of search results is not always accurate
    The total number of results in the event results list, for example "1 to 50 out of XXXX results", is an estimation and is not always accurate. Therefore, when clicking on a bar in the chart, the number in the event results might not match the number shown in the bar.
    This problem is fixed.

  • Custom dashboards disappear after an upgrade through the command line interface
    If, while you are logged in the Web user interface of Log Insight, you perform an upgrade operation by using the command line utility, the custom dashboards are no longer visible in the Dashboards UI.
    This problem is fixed.

  • The first login to Log Insight Web user interface after an upgrade might encounter an exception
    After you upgrade Log Insight from version 1.0 GA to version 1.5 TP2, if you try to navigate to the Log Insight Web user interface, an exception error might occur after you accept the certificate and proceed.
    This problem is fixed.

Top of Page

Known Issues

This section contains known issues for this release.

Deployment and Configuration

  • Changes to the loginsight-config-base.xml file are not preserved during an upgrade
    If you applied changes to the loginsight-config-base.xml file by using a SSH connection or the virtual appliance console, these changes will be lost during an upgrade.
    Workaround: None. Any changes needed to loginsight-config-base.xml must be re-applied after an upgrade. You must not apply changes to the loginsight-config-base.xml file unless directed by VMware Support Services.

  • License file is overwritten during an upgrade
    If you upgrade from Log Insight 1.5 TP3 by using the Web user interface, the license file gets overwritten with a blank one. After the upgrade the License section of the Administration page in the Web user interface shows an empty license key.
    Workaround: In the Web user interface navigate to Administration > License, enter your license key and click Set Key.

  • vCenter Operations Manager integration Web user interface page fails to load
    If you have integrated Log Insight 1.5 with a vCenter Operations Manager instance and for some reason the vCenter Operations Manager instance is down, the vCenter Operations Manager integration page in the Web user interface page fails to load.
    Workaround: Verify that the vCenter Operations Manager instance is up and running before you navigate to Administration > vCenter Operations Manager.

  • You cannot specify static networking properties for the Log Insight virtual appliance
    The configuration of networking properties for the Log Insight virtual appliance requires vApp options. As such, the Log Insight virtual appliance must be deployed to a vCenter Server or vCloud Director instance. Deploying the Log Insight virtual appliance to ESX/ESXi, Fusion, or Workstation is not supported.
    Workaround: Deploy the Log Insight virtual appliance to a vCenter Server or vCloud Director instance.

  • Connecting to too many vCenter Server instances can result in slow collection of vCenter Server events, tasks, and alarms
    To collect events, tasks, and alarms data, Log Insight polls all connected vCenter Server instances sequentially. Collecting events from an individual server can take over 30 seconds and the collector always waits for two minutes after completion. For example, if there are 10 vCenter Server instances configured, the collector iterates through each of them taking up to 300 seconds. Combined with the additional two minutes of wait, this example would collect events from each server every 7 minutes.
    Workaround: Do not connect more than two vCenter Server instances to a Log Insight instance.

  • Configuring syslog by using configure-esxi from admin UI or CLI fails when a non-administrator user account is used for authentication with the vCenter Server
    When using the configure-esxi CLI utility or the Log Insight Administration UI to integrate Log Insight with a vCenter Server instance, if you provide the credentials of a non-root or non-administrator user to the vCenter Server, and you try to configure the ESXi hosts on that server, the configuration fails with the following error message for each host: esxcli returned exit code 1 on <hostname>.
    Workaround: Create a custom user that has enough privileges to configure ESXi hosts, and use the credentials to configure vCenter Server integration with the configure-esxi CLI utility or through the Administration UI.
    1. Use the vSphere Client to connect to the vCenter Server and navigate to Home > Administration > Roles.
    2. Create a new custom role and add the user that you want to use for integration with Log Insight to the custom role.
    3. Verify that the custom role that you created has the following privileges at the minimum:
      • Host.Configuration.Change settings
      • Host.Configuration.Network configuration
    4. Use the credentials of the user that you created to run the configure-esxi CLI utility or in the Administration UI to integrate Log Insight with the vCenter Server.

    If you want to use the vSphere Client to configure individual ESXi hosts, verify that you have the following privileges at the minimum:

    • Host.Configuration.Advanced settings
    • Host.Configuration.Security profile and firewall

  • Changes applied to ESXi syslog configuration through command line are not reflected in the Web user interface
    Assume that you use the configure-esxi utility to configure ESXi hosts to forward their syslog feeds to Log Insight. The configuration that you apply through CLI is not displayed in the vSphere Integration section of the Administration UI. As a result, Log Insight runs the configuration utility even on ESXi hosts that are already configured through CLI.
    Workaround: Always use the vSphere Integration section of the Administration UI to configure vCenter Server integration and ESXi syslog forwarding.
  • Running parallel configuration tasks might result in incorrect settings
    For example, if two administrator users try to run configuration tasks simultaneously on a target ESXi host, it may result in incorrect syslog settings.
    Workaround:Verify that no other administrator user is configuring the settings that you intent to configure.

  • Admin users that had configured Active Directory support in Log Insight 1.5 TP2 cannot add new AD users or groups after upgrading to Log Insight 1.5 GA
    The way Log Insight handles AD authentication changed between the TP2 and the GA release. In the TP2 release, Admin users had to provide active directory credentials each time they added a new AD user or group. Log Insight 1.5 GA uses a binding user account to verify active directory users and groups. Admin users save the binding user credentials in the Administration UI and Log Insight GA uses them to verify AD users and groups instead of needing the credentials input each time.
    Because Log Insight 1.5 TP2 does not store binding user credentials, Admin users cannot add new AD users or groups after upgrading to Log Insight 1.5 GA.
    Workaround: Add a binding user in the Administration UI before you attempt to add new AD users or groups.
    Note: Verify that you set the time on your machine with Log Insight instance to UTC time. Otherwise, the AD authentication will not work.
    1. In the Log Insight Web user interface, navigate to the Administration UI.
    2. Under Configuration, click Authentication.
    3. Type the credentials of a binding user and click Save.

Top of Page

General

  • Importing a content pack that contains the unique count function does not work as expected in Log Insight 1.0
    If you import a Log Insight 1.5 content pack into a Log Insight 1.0 instance, and the content pack contains a unique count query, the appearance of the unique count query on the Dashboards and the Interactive Analytics page in Log Insight 1.0 are not consistent. In addition, the query on the Interactive Analytics page does not function as expected.
    Workaround: None. Log Insight 1.0 does not support the unique count function.

  • Importing a content pack that has a duplicate namespace with an already existing content pack overrides the existing content pack
    If you import a content pack into a Log Insight instance, and the content pack has a namespace that is already used by a different content pack, Log Insight displays a warning message. If you select the override option, the old content pack will be removed. The newer content pack may or may not have the same name as the old content pack.
    Workaround: None. This is expected behavior.

  • Log Insight might not be able to distinguish between content packs with duplicate namespaces
    If you import a content pack into a Log Insight instance, and the content pack has a namespace that is already used by a different content pack, Log Insight displays a warning message. The warning message states that a duplicate namespace was detected, but it does not state what the name of the conflicting content pack is. If the content pack names are not the same between the conflicting namespaces, you cannot determine which content pack is conflicting.
    Workaround: None. Ensure content pack names are consistent between versions for easier identification.

  • Importing a content pack fails with error "This Content Pack is from a newer version of Log Insight and is not currently supported"
    Content packs created in Log Insight 1.5 include a version parameter. The above error message is observed if the version parameter is not equal to 1.0. The version parameter is separate from the contentVersion parameter. While the contentVersion parameter can be modified from the web UI of Log Insight, the version parameter cannot. The version parameter can only be changed by manually editing the VLCP file.
    Workaround: Do not edit VLCP files manually.

  • Wildcard following a dot and a number is sometimes not correctly parsed in queries
    If you use wildcard to search for numbers immediately following a dot, the query might not return the correct results.
    Workaround: Replace dot with a space in your query expression, and enclose it in quotes. For example, to find messages containing naa.6034018, use "naa 603*" instead of naa.603*.

  • Content packs exported from different product versions might not be fully compatible
    Content packs created with the current release of Log Insight have new functionality that will be ignored in older versions of Log Insight. All new metadata added to a content pack, such as author, website, icon, and notes, will not be shown in Log Insight 1.0. Additionally, any queries saved using the Save Current Query option will not be seen in Log Insight 1.0.
    If you want to save queries in a content pack that can be viewed in Log Insight 1.0, use the Add Current Query to Dashboard menu item; choose a Widget Type of "query" to add the query to a query list in a dashboard, similar to the Relevant Queries widget in the vSphere content pack.

  • Log Insight does not send system notification emails when data archiving fails
    You can configure Log Insight to send notification emails when important events occur on the Log Insight virtual appliance. Important system events include, but are not limited to, email notifications when data archiving fails. However, the current Log Insight version does not send email notifications when data archiving fails.
    Workaround: None.

  • You cannot check the status of an import operation if your user session ends before the end of the import
    To start the data import process, you connect to a Log Insight instance through a SSH session or through the virtual appliance console. The data import process may take a long time. In the case of SSH, if the SSH session gets dropped or you close the SSH session before the import process completes you are not able to check whether the import completed successfully.
    Workaround:Install a "screen" package on the Log Insight virtual appliance. This package allows you to run the Linux processes in the background without interruption, even when you disconnect from the SSH session.

  • The import of archived log data might fail if Log Insight cannot access the NFS server where data is stored
    If, during the data import process, the NFS server becomes inaccessible due to network failure or errors on the NFS server, the import of archived data might fail.
    Workaround: None

  • The import of archived data might fail if the Log Insight virtual appliance runs out of disk space
    The Log Insight repository import utility does not check for available disk space on the Log Insight virtual appliance. Therefore, the import of archived logs might fail if the virtual appliance runs out of disk space.
    Workaround: None

  • Log Insight does not display progress information during log imports
    As the import of archived data is in progress, you are unable to infer from the console output how much time is left before the import finishes or how much data is already imported.
    Workaround: None

  • Log Insight might run out of disk space even though data archiving is enabled
    If the network connection to the NFS storage is slow, and the rate of the incoming data is higher than the data archiving rate, Log Insight might run out of disk space.
    Workaround: None

  • Multi-line messages that are sent to Log Insight though syslog from ESXi hosts and other applications are split incorrectly
    By default, the syslog protocol supports only single line messages, so each line of a multi-line message is sent as a separate message. This creates problems with field extractions, aggregation, and analysis of multi-line messages.
    Workaround: None

  • You can see messages related to launch in context even if launch in context is not enabled or not supported in the vCenter Operations Manager version that you use
    The details of Log Insight notification events that appear in vCenter Operations Manager UI contain the following message that suggests using the launch in context feature:
    Log Insight found <Number> messages matching the criteria for alert "<Name of the Alert>": Use the context menu item to review the matches in Log Insight.
    This message is displayed even if you have not enabled launch in context, or if you are using vCenter Operations Manager versions earlier than 5.7.1 that do not support launch in context.
    Workaround: Ignore the message if launch in context is not enabled in your instance of vCenter Operations Manager. Open a browser and type the IP address of the Log Insight virtual appliance to search for matching messages related to the notification event.

  • Email notifications might be dropped if you use the default SMTP settings of Log Insight
    If, in the Log Insight administration interface, you leave the default SMTP settings of localhost:25, the email notifications that Log Insight sends might be dropped by the receiving email server, such as Yahoo or Gmail.
    Workaround: Use the Send Test Email option and ensure you receive an email to validate that email notifications are not being dropped.

  • Unable to set the root ssh password of Log Insight in the VMware Remote Client Console (VMRC)
    If you open the VMRC from the vSphere Client or from the vSphere Web Client from a wide-area or low-bandwidth connection, the time delay over the network may be long enough to cause the virtual machine to start auto-repeat. This might prevent you from setting the root password in the VMRC console.
    Workaround: Increase the time threshold necessary for auto-repeat in the remote console. See Repeated characters when typing in remote console (KB 196).

  • You cannot change the network properties of the Log Insight virtual appliance at run time
    Log Insight does not support changing the IP address, network mask, gateway, DNS, or hostname of the virtual appliance at run time.
    Workaround: Network configuration changes are only supported from the vApp options of the Log Insight virtual appliance.
    1. Open a vSphere Client and locate the Log Insight virtual appliance.
    2. Shut down the virtual appliance.
    3. Right-click the virtual appliance, select Edit Settings, and under vApp options apply the changes to the network configuration.
    4. Power on the virtual appliance.
      Note: You must re-enable launch in context each time you change the network properties of the Log Insight virtual appliance.

  • Accessing the HTTPS-based secure web interface at https://<loginsight-host>/generates an invalid SSL certificate warning
    By default, Log Insight installs a self-signed SSL certificate. The self-signed certificate generates security warnings when you connect to the Log Insight Web user interface.
    Workaround: You can ignore these security warnings.
    If you do not want to use a self-signed security certificate, an admin user can install a custom SSL certificate. For procedure on uploading a custom SSL certificate, see the Log Insight documentation center. The use of a custom SSL certificate is optional and does not affect the features of Log Insight.

  • In charts containing group-by values other than time, if there is a large range on the Y-axis, smaller valued bars might not be visible
    As an example, if you create a chart grouped by hostname and one host has 100,000 events, and another host has 5 events, the bar for the smaller host might be too small to be visible.
    Workaround: Hover over the bottom of the chart to view the tooltips for the small bar.

Top of Page