VMware

VMware vCenter Log Insight 2.0 Release Notes

vCenter Log Insight 2.0 | Build 1879692

Last Document Update: 02 JUL 2014

Check frequently for additions and updates to these release notes.

Introduction to Log Insight

VMware vCenter Log Insight delivers the best real-time log management for VMware environments, with machine learning-based Intelligent Grouping and high performance search, enabling faster troubleshooting and better operational across physical, virtual, and cloud environments. It can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility via a modern web interface.

What's New in Log Insight 2.0

  • Scale-Out with High Availability
    • 5x-10x throughput improvement in Cluster mode
    • Single UI to query all the data 
  • Proactive Analytics
    • Machine learning enabled summarization of event types & schema recognition
    • Smart fields to aid in extraction
  • Super-Powered Dashboards
    • Easily add new data filters on the fly
    • Interact between dashboard widgets
  • RESTful API for log ingestion
  • Improved self-monitoring tools
  • Windows collection agent
    • Forwards Windows event logs
    • Monitors & forwards flat log files
    • Centralized reporting & management
  • E-mail alerts to notify about license expiration

Before You Begin

Review this section before you begin installing and configuring Log Insight.

Virtual Appliance Deployment

  • Always use a VMware vSphere Client to connect to a VMware vCenter Server and deploy the Log Insight virtual appliance through the vCenter Server.
    The Log Insight virtual appliance should be deployed on an ESXi host version 5.0 or later that is managed by VMware vCenter Server 5.0 or later.
  • Use the instructions provided in the VMware vCenter Log Insight Getting Started Guide to install and configure the Log Insight virtual appliance.
  • Always configure the master node in a cluster setup of Log Insight with a fully qualified domain name (FQDN) or a static IP address.

Licensing Log Insight 2.0

This section contains notes on licensing Log Insight 2.0.

  • After you deploy the Log Insight virtual appliance, you must assign a valid license key.
  • All license management tasks are performed in the Administration Web interface of Log Insight. The URL is http://<log-insight-ip>/admin/license, where <log-insight-ip> is the IP address of the Log Insight vApp. Follow the instructions from the vCenter Log Insight Administration Guide to assign a license.

Compatibility Notes

Log Insight 2.0 supports the following VMware products and versions:

  • Log Insight can pull events, tasks, and alarms data from VMware vCenter Server 5.0, 5.1, and 5.5.
  • ESXi hosts of the following versions can be configured to push syslog data to Log Insight: ESXi 5.0, 5.1, and 5.5.
  • You can integrate Log Insight with vCenter Operations Manager as follows.
    • The vCenter Operations Manager edition should be Standard or higher.
    • In vCenter Operations Manager 5.7.0, you need to install the Log Insight adapter manually.
    • Log Insight can send notification events to vCenter Operations Manager 5.6 or later.
    • You can view Log Insight alerts in vCenter Operations vSphere UI 5.7.1 or later.
    • You can view Log Insight alerts in vCenter Operations Custom UI 5.6 or later.
      Note: You cannot view the details of Log Insight alerts in vCenter Operations Manager 5.6.
    • You can enable launch in context for Log Insight in vCenter Operations Manager 5.7.1 or later.
    • You can remove the Log Insight adapter that enables launch in context
      • from the administration UI in vCenter Operations Manager 5.8 or later
      • from Log Insight 2.0

Browser Support

Log Insight 2.0 supports the following browser versions.
  • Mozilla Firefox 10.x, 19.x, 20.x, 21.0, 23 and 29.0.1
  • Google Chrome 25.x, 26.x, 27.x, 29 and 34
  • Safari 6.0, 7.0.2
  • Internet Explorer 9.x, 10.x and 11.x
    Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. Browser Mode: Compatibility View is not supported.

The minimum supported browser resolution is 1024 by 768 pixels.

Important: Cookies must be enabled in your browser.

Limitations

Log Insight 2.0 has the following limitations.

General

  • Log Insight does not support multiple domains for Active Directory login when they are not trusted domains.
  • Log Insight does not handle non-printable ASCII characters properly.
  • Log Insight does not support printing; however, you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer 10 or Firefox for printing the Log Insight user interface. Printing the Log Insight UI does not work in Internet Explorer 9.
  • In cluster mode a Log Insight worker node logs all events to a local file before bootstrap. After bootstrap the worker sends all events to the Log Insight master node.

Log Insight Windows Agent

  • The Log Insight Windows Agent can collect events from a maximum of 60 Windows Event Log channels.
  • Non-ASCII characters in hostname/source fields are not delivered properly when the Log Insight Windows Agent is running in syslog mode.
  • Non-ASCII characters in hostname/computer name fields cause the Log Insight Windows Agent to fail to send events when running in cfapi mode.
  • Non-printable ASCII characters are displayed garbled on the Log Insight Web user interface.
  • The Log Insight Windows Agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the Log Insight Windows Agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the Log Insight Windows Agent configuration file: directory=C:\Windows\Sysnative\dhcp

Security

IT decision makers, architects, administrators, and others who must be aware of the security components of Log Insight must familiarize themselves with the VMware vCenter Log Insight Security Guide.

For details on how to secure your environment, check the VMware vSphere Security guide and the VMware Security Advisories site.

Note: Log Insight runs its processes as root user of the virtual appliance. This might cause security risks to your environment. Always deploy Log Insight in trusted secure environments.

Virtual Appliance Requirements

The following section lists the computing requirements and assumptions for the Log Insight virtual appliance.
  • Memory: 8GB RAM
  • vCPU: 4 vCPUs, 2GHz each
  • Storage space: approximately 140GB

User Accounts

  • To pull events, tasks, and alarms data from a vCenter Server, you must provide a set of user credentials for that vCenter Server. The minimum role required to register and unregister Log Insight with a vCenter Server is Read-only, set at the vCenter Server level, and propagated to child objects. To configure ESXi hosts that a vCenter Server manages, Log Insight requires more privileges. See the Known Issues section.
  • The hosting vCenter Server credentials are needed to deploy the Log Insight virtual appliance.
  • The default credentials for the Log Insight Admin user are admin/<blank>. To improve security, Log Insight requires you to change these credentials when you first access the Log Insight Web user interface.
  • Unless you specify a root password during the deployment of the OVA, the default credentials for the root user on the Log Insight virtual appliance are root/<blank>. You are prompted to change the root account password when you first access the Log Insight virtual appliance console. Note that SSH is disabled until you set the root password.
  • To enable notification events and the launch in context functionality in a vCenter Operations Manager instance, you must provide user credentials for that vCenter Operations Manager instance.

Upgrading from a Previous Version of Log Insight

Log Insight 2.0 supports upgrading from Log Insight 1.5 GA or later only. See Upgrading from a Previous Version of Log Insight in the Log Insight 2.0 documentation center.

Internationalization Support

Log Insight 2.0 has not been localized. It has only an English version.

  • Log Insight is interoperable with localized versions of vCenter Server and vCOps.
  • Log Insight server Web UI can be accessed via non-EN browsers.
  • Log Insight server Web UI supports Unicode data, including machine learning features.
  • Log Insight agent works on non-English native Windows.

Limitations

  • Non-ASCII users imported from Active Directory cannot log in to the Log Insight Web UI.
  • The date/time/calendar format shown on the server Web UI is English only and does not honor language/locale settings.
  • UTF-8 characters in source field that are sent through syslog are not displayed correctly on server side.

Product Documentation

In addition to the current Release Notes, you can use the documentation set for Log Insight 2.0 that includes the following deliverables.

Active Directory Support

See the following topics in the Log Insight 2.0 documentation center.
Note: Active Directory that runs only in SSL/TLS mode is not supported.

Resolved Issues

This section contains issues resolved since the Log Insight 1.5 GA release.

  • You are unable to log in to Log Insight using your Active Directory credentials
    Issues with Log Insight Active Directory integration prevented users from logging in when one of these scenarios occurred for an AD user:
    • User's SAM is different than their UPN prefix
    • User's NetBIOS domain is different than the AD domain
    • User's account uses an alternate UPN suffix
    This problem is fixed.

  • Changing the context of extracted field causes temporary fields in saved queries
    After you modify a field and view a dashboard widget that contains this field, there is (Temporary) next to the field name even though the modification claimed to successfully update the widget. If the context of the field contains a double quote, the field will incorrectly be reported as updated. The temporary field will also show up during content pack export.
    This problem is fixed.

  • vCenter Operations Manager integration Web user interface page fails to load
    If you have integrated Log Insight with a vCenter Operations Manager instance and for some reason the vCenter Operations Manager instance is down, the vCenter Operations Manager integration page in the Web user interface page fails to load.
    This problem is fixed.
  • Log Insight does not send system notification emails when data archiving fails
    You can configure Log Insight to send notification emails when important events occur on the Log Insight virtual appliance. Important system events include, but are not limited to, email notifications when data archiving fails. However, the current Log Insight version does not send email notifications when data archiving fails.
    This problem is fixed.
  • Unable to set the root ssh password of Log Insight in the VMware Remote Client Console (VMRC)
    If you open the VMRC from the vSphere Client or from the vSphere Web Client from a wide-area or low-bandwidth connection, the time delay over the network may be long enough to cause the virtual machine to start auto-repeat. This might prevent you from setting the root password in the VMRC console.
    This problem is fixed.

  • Changes to the loginsight-config-base.xml file are not preserved during an upgrade
    If you applied changes to the loginsight-config-base.xml file by using an SSH connection or the virtual appliance console, these changes will be lost during an upgrade.
    This problem is fixed.

  • License file is overwritten during an upgrade
    If you upgrade from Log Insight 1.5 TP3 by using the Web user interface, the license file gets overwritten with a blank one. After the upgrade the License section of the Administration page in the Web user interface shows an empty license key.
    This problem is fixed.

  • You cannot specify static networking properties for the Log Insight virtual appliance
    The configuration of networking properties for the Log Insight virtual appliance requires vApp options. As such, the Log Insight virtual appliance must be deployed to a vCenter Server or vCloud Director instance. Deploying the Log Insight virtual appliance to ESX/ESXi, Fusion, or Workstation is not supported.
    This problem is fixed.

  • Admin users that had configured Active Directory support in Log Insight 1.5 TP2 cannot add new AD users or groups after upgrading to Log Insight 1.5 GA
    The way Log Insight handles AD authentication changed between the TP2 and the GA release. In the TP2 release, Admin users had to provide Active Directory credentials each time they added a new AD user or group. Log Insight 1.5 GA uses a binding user account to verify Active Directory users and groups. Admin users save the binding user credentials in the Administration UI and Log Insight GA uses them to verify AD users and groups instead of needing the credentials input each time.
    Because Log Insight 1.5 TP2 does not store binding user credentials, Admin users cannot add new AD users or groups after upgrading to Log Insight 1.5 GA.
    This problem is fixed.

  • vCenter Server events, tasks, and alarms collection might stop
    After a period of time Log Insight might stop collecting vCenter Server events, tasks, and alarms from configured vCenter Server instances. No alert is generated when this occurs. This issue can be seen when the vCenter Server dashboards do not return any results in the vSphere content pack.
    This problem is fixed.

Known Issues

This section contains known issues for this release.

Deployment and Configuration

  • New Log Insight deployment fails to start
    On rare occasions when you first deploy a Log Insight virtual appliance you may see an error message "Failed to start new deployment".
    Workaround: Restart the newly deployed Log Insight virtual appliance to fix the problem.

  • New Log Insight deployment fails to bootstrap
    If you deploy a Log Insight appliance and do not bootstrap it shortly after deployment, you may see an error message "Failed to start new deployment" when you try to bootstrap it later.
    Workaround: Restart the newly deployed Log Insight virtual appliance to fix the problem.

  • Connecting to too many vCenter Server instances can result in slow collection of vCenter Server events, tasks, and alarms
    To collect events, tasks, and alarms data, Log Insight polls all connected vCenter Server instances sequentially. Collecting events from an individual server can take over 30 seconds and the collector always waits for two minutes after completion. For example, if there are 10 vCenter Server instances configured, the collector iterates through each of them taking up to 300 seconds. Combined with the additional two minutes of wait, this example would collect events from each server every 7 minutes.
    Workaround: Do not connect more than two vCenter Server instances to a Log Insight instance.
  • Running parallel configuration tasks might result in incorrect settings
    For example, if two administrator users try to run configuration tasks simultaneously on a target ESXi host, it may result in incorrect syslog settings.
    Workaround: Verify that no other administrator user is configuring the settings that you intend to configure.

  • Log Insight cluster does not handle network or power outages when using DHCP
    If you use DHCP to set up the network configuration of a Log Insight cluster and a network or power outage occurs, the cluster will stop operating. This happens because of the change of the IP addresses of the master and worker nodes.
    Workaround: Always configure the master node with a fully qualified domain name (FQDN) or a static IP address. If the master experiences an outage while a worker node continues to operate, the worker node will send out an alert to the administrator of the cluster.
  • After upgrading to Log Insight 2.0 the virtual appliance details in the vSphere Client do not show the correct EULA and product version
    If you have an older version of Log Insight and upgrade to version 2.0, the EULA and product version that the vSphere Client shows refer to the older version.
    Workaround: None.

Log Insight Windows Agent

  • Log Insight Windows Agent may collect duplicate log events from log files upon restart
    You configure the Log Insight Windows Agent to monitor two separate files in the same directory and the beginning of the content of the larger file is exactly identical to the entire content of the smaller file. In this scenario, the Log Insight Windows Agent may upon restart incorrectly recollect events from the larger file creating duplicates.
    Workaround: None.

General

  • Importing a content pack that has a duplicate namespace with an already existing content pack overrides the existing content pack
    If you import a content pack into a Log Insight instance, and the content pack has a namespace that is already used by a different content pack, Log Insight displays a warning message. If you select the override option, the old content pack will be removed. The newer content pack may or may not have the same name as the old content pack.
    Workaround: None. This is expected behavior.

  • Additional unexpected fields may show up when exporting a content pack
    When you export a content pack, a dialog pops up showing what will be exported, including a list of fields. In that list of fields, you may unexpectedly see additional fields listed that are not part of your saved fields. For example, extra fields like my field (2) may show up. This may be triggered in certain cases if you have a field name that is a prefix of another field name, for example vmw_msg and vmw_msg_err.
    Workaround: Rename the fields that are showing up as duplicates so that their names are not prefixes of any other fields.

  • Log Insight might not be able to distinguish between content packs with duplicate namespaces
    If you import a content pack into a Log Insight instance, and the content pack has a namespace that is already used by a different content pack, Log Insight displays a warning message. The warning message states that a duplicate namespace was detected, but it does not state what the name of the conflicting content pack is. If the content pack names are not the same between the conflicting namespaces, you cannot determine which content pack is conflicting.
    Workaround: None. Ensure content pack names are consistent between versions for easier identification.

  • Importing a content pack fails with error "This Content Pack is from a newer version of Log Insight and is not currently supported"
    Content packs created in Log Insight 1.5 include a version parameter. The above error message is observed if the version parameter is not equal to 1.0. The version parameter is separate from the contentVersion parameter. While the contentVersion parameter can be modified from the web UI of Log Insight, the version parameter cannot. The version parameter can only be changed by manually editing the VLCP file.
    Workaround: Do not edit VLCP files manually.

  • Wildcard following a dot and a number is sometimes not correctly parsed in queries
    If you use a wildcard to search for numbers immediately following a dot, the query might not return the correct results.
    Workaround: Replace dot with a space in your query expression, and enclose it in quotes. For example, to find messages containing naa.6034018, use "naa 603*" instead of naa.603*.

  • Content packs might not be fully backwards compatible
    Content packs created with a newer version of Log Insight might have new functionality that will be ignored in older versions of Log Insight. For example:
    • All new metadata added to a content pack, such as author, website, icon, and notes, will not be shown in Log Insight 1.0.
    • Any queries saved using the Save Current Query option will not be seen in Log Insight 1.0. If you want to save queries in a content pack that can be viewed in Log Insight 1.0, use the Add Current Query to Dashboard menu item, choose a Widget Type of "query" to add the query to a query list in a dashboard, similar to the Relevant Queries widget in the vSphere content pack.
    • Unique count function queries will be ignored in Log Insight 1.0 as the unique count function did not exist in Log Insight 1.0.

  • You cannot check the status of an import operation if your user session ends before the end of the import
    To start the data import process, you connect to a Log Insight instance through an SSH session or through the virtual appliance console. The data import process may take a long time. In the case of SSH, if the SSH session gets dropped or you close the SSH session before the import process completes, you are not able to check whether the import completed successfully.
    Workaround: Install a "screen" package on the Log Insight virtual appliance. This package allows you to run the Linux processes in the background without interruption, even when you disconnect from the SSH session.

  • The import of archived log data might fail if Log Insight cannot access the NFS server where data is stored
    If, during the data import process, the NFS server becomes inaccessible due to network failure or errors on the NFS server, the import of archived data might fail.
    Workaround: None

  • The import of archived data might fail if the Log Insight virtual appliance runs out of disk space
    The Log Insight repository import utility does not check for available disk space on the Log Insight virtual appliance. Therefore, the import of archived logs might fail if the virtual appliance runs out of disk space.
    Workaround: None

  • Log Insight does not display progress information during log imports
    As the import of archived data is in progress, you are unable to infer from the console output how much time is left before the import finishes or how much data is already imported.
    Workaround: None

  • Log Insight might run out of disk space even though data archiving is enabled
    If the network connection to the NFS storage is slow, and the rate of the incoming data is higher than the data archiving rate, Log Insight might run out of disk space.
    Workaround: None

  • You can see messages related to launch in context even if launch in context is not enabled or not supported in the vCenter Operations Manager version that you use
    The details of Log Insight notification events that appear in vCenter Operations Manager UI contain the following message that suggests using the launch in context feature:
    Log Insight found <Number> messages matching the criteria for alert "<Name of the Alert>": Use the context menu item to review the matches in Log Insight.
    This message is displayed even if you have not enabled launch in context, or if you are using vCenter Operations Manager versions earlier than 5.7.1 that do not support launch in context.
    Workaround: Ignore the message if launch in context is not enabled in your instance of vCenter Operations Manager. Open a browser and type the IP address of the Log Insight virtual appliance to search for matching messages related to the notification event.

  • Email notifications might be dropped if you use the default SMTP settings of Log Insight
    If, in the Log Insight administration interface, you leave the default SMTP settings of localhost:25, the email notifications that Log Insight sends might be dropped by the receiving email server, such as Yahoo or Gmail.
    Workaround: Use the Send Test Email option and ensure you receive an email to validate that email notifications are not being dropped.

  • You cannot change the network properties of the Log Insight virtual appliance at run time
    Log Insight does not support changing the IP address, network mask, gateway, DNS, or hostname of the virtual appliance at run time.
    Workaround: Network configuration changes are only supported from the vApp options of the Log Insight virtual appliance.
    1. Open a vSphere Client and locate the Log Insight virtual appliance.
    2. Shut down the virtual appliance.
    3. Right-click the virtual appliance, select Edit Settings, and under vApp options apply the changes to the network configuration.
    4. Power on the virtual appliance.
      Note: You must re-enable launch in context each time you change the network properties of the Log Insight virtual appliance.

  • Accessing the HTTPS-based secure web interface at https://<loginsight-host>/ generates an invalid SSL certificate warning
    By default, Log Insight installs a self-signed SSL certificate. The self-signed certificate generates security warnings when you connect to the Log Insight Web user interface.
    Workaround: You can ignore these security warnings.
    If you do not want to use a self-signed security certificate, an admin user can install a custom SSL certificate. For the procedure for uploading a custom SSL certificate, see the Log Insight documentation center. The use of a custom SSL certificate is optional and does not affect the features of Log Insight.

  • Active Directory (AD) binding user disallows valid special character '@'
    When integrating with Active Directory, Log Insight disallows the valid special character '@' that should be allowed in Active Directory.
    Workaround: Choose a binding username that does not contain the '@' character.

  • Log Insight cannot send alert against a resource in vCenter Operations Manager when the name of the resource has changed
    When you set up notifications in Log Insight against a resource in vCenter Operations Manager and then the name of the resource is changed, Log Insight can no longer alert against that resource.
    Workaround: Update the alert to point to the renamed resource.

  • Log Insight Active Directory (AD) users are unable to log in when the binding credentials for the AD domain have expired
    Log Insight uses a binding user to control integration with Active Directory in a number of scenarios. For example, when a user specifies a UPN suffix that has not been seen by Log Insight, it uses the binding credentials to see if that suffix is an alias for a domain that has users or groups with access. If the binding credentials are invalid then Log Insight cannot perform this query and authentication will fail.
    Workaround: Make sure that AD credentials of the binding user are up to date. Navigate to Administration > Authentication, enter the credentials and click Test Connection.

  • One or more nodes in a Log Insight cluster restart when the DNS server is unreachable
    If the master node of your Log Insight cluster is configured with a fully qualified domain name (FQDN) and the DNS server becomes unreachable, the watchdog on the node will restart the node. If the DNS server comes back up, the restart will succeed. Otherwise, the watchdog makes 12 restart attempts and then the node is marked as disconnected from the cluster.
    Workaround: Configure the Log Insight master node with a static IP address.

  • Interactive Analytics chart indicates it has more data to load even though the backend has finished searching
    Rarely the interactive analytics chart indicates it is still loading but the progress bar stops moving for several minutes. Although the search may have finished in the backend, the chart does not show the full results. This behavior is triggered more frequently by choosing smaller time window grouping from the 1 bar = toggle in the upper right of a time series chart.
    Workaround: None.

  • Interactive Analytics page does not show dynamically extracted fields inline
    If a search query lasts longer than one progress iteration (3-5 seconds), the list of events under the Events tab on the Interactive Analytics page does not show dynamically extracted fields inline.
    Workaround: None.

  • Worker node in maintenance mode sends notification when the Log Insight master node is down
    When the Log Insight master node is down, each worker node sends an alert email notification to the admin that the master is down. If one of the worker nodes is in maintenance mode, it is not expected to send such a notification, but it does.
    Workaround: Ignore the alert email.

  • Worker node in maintenance mode automatically reconnects to the Log Insight master node
    If you put a Log Insight worker in maintenance mode and restart it, the worker automatically reconnects to the Log Insight master node.
    Workaround: Manually put the worker node back in maintenance mode immediately after it restarts.

  • In charts containing group-by values other than time, if there is a large range on the Y-axis, smaller valued bars might not be visible
    As an example, if you create a chart grouped by hostname and one host has 100,000 events, and another host has 5 events, the bar for the smaller host might be too small to be visible.
    Workaround: Hover over the bottom of the chart to view the tooltips for the small bar.

  • Chart queries may not look as expected when nodes in a cluster are running different versions of Log Insight software
    Full compatibility between different versions of Log Insight is not guaranteed. Upgrading nodes one at a time is fully supported, but running queries on a partially upgraded cluster may result in time series based chart queries displaying unexpected results.
    Workaround: Make sure nodes are running the same version before running time series based chart queries.

  • A chart warning appears with a message like "Partial results are being returned as 2 out of 4 nodes failed to respond. Please contact an admin user for more information."
    Full compatibility between different versions of Log Insight is not guaranteed. Upgrading nodes one at a time is fully supported, but running queries on a partially upgraded cluster may only return results for nodes running the same version as the master node.
    Workaround: Make sure nodes are running the same version before running time series based chart queries.

  • Log Insight does not concatenate multiline messages
    Log Insight supports multiline messages. However, if Log Insight receives multiline messages where each line of the multiline message contains a PRI prefix, then Log Insight treats each line as a new event.
    Workaround: Configure syslog agents so that they do not add a PRI prefix to every new line of a multiline message.

  • The Log Insight UI may become unavailable under rare circumstances and Log Insight cannot be started from the command line
    Certain error conditions, like running out of memory, might cause Log Insight to crash. Usually the system will automatically recover by restarting and resume normal operations. It is possible that recovery might fail and the system will not automatically restart. In this case, manual restart might also fail and you need to restart the virtual appliance.
    Workaround: Restart the Log Insight virtual appliance.

  • Importing and exporting the same content pack multiple times may result in temporary fields
    Sometimes when exporting a content pack that has been imported and exported multiple times, you might see temporary fields.
    Workaround: None.
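
For the known issue "Log Insight does not concatenate multiline messages" above, the following added example (not Log Insight code) models the behaviour the note describes on constructed input: a line that starts with a syslog PRI prefix opens a new event, and a line without one is appended to the previous event. The function names and sample messages are hypothetical, and the framing rule is a simplified assumption based on the note.

```python
import re

# Syslog PRI: "<" + 1-3 digits + ">" at the start of a line, value 0..191
# (facility * 8 + severity).
PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_events(stream):
    """Group received lines into events.

    A line carrying a valid PRI starts a new event; a line without one is
    treated as a continuation of the previous event.
    """
    events = []
    for line in stream.splitlines():
        m = PRI_RE.match(line)
        if m and int(m.group(1)) <= 191:
            pri = int(m.group(1))
            events.append({"facility": pri >> 3, "severity": pri & 7,
                           "lines": [line[m.end():]]})
        elif events:
            events[-1]["lines"].append(line)
        else:
            # Continuation with nothing before it: keep it, PRI unknown.
            events.append({"facility": None, "severity": None,
                           "lines": [line]})
    return events


def orphaned_continuations(events):
    """Indexes of events whose body starts with whitespace.

    Such events are usually stack-trace or wrapped lines that received their
    own PRI from the sending agent and were therefore split off.
    """
    return [i for i, ev in enumerate(events)
            if i > 0 and ev["lines"][0][:1] in (" ", "\t")]


# Constructed sample: the agent adds PRI only to the first line of the message.
GOOD = "\n".join([
    "<11>Jul  2 10:00:01 app01 svc: java.lang.IllegalStateException: pool closed",
    "\tat com.example.Pool.get(Pool.java:42)",
    "\tat com.example.Main.run(Main.java:7)",
    "<14>Jul  2 10:00:02 app01 svc: retrying",
])

# Constructed sample: the agent adds PRI to every line of the same message.
BAD = "\n".join([
    "<11>Jul  2 10:00:01 app01 svc: java.lang.IllegalStateException: pool closed",
    "<11>\tat com.example.Pool.get(Pool.java:42)",
    "<11>\tat com.example.Main.run(Main.java:7)",
    "<14>Jul  2 10:00:02 app01 svc: retrying",
])

if __name__ == "__main__":
    for name, sample in (("PRI on first line only", GOOD),
                         ("PRI on every line", BAD)):
        evs = split_events(sample)
        print(name, "->", len(evs), "events; split-off continuations at",
              orphaned_continuations(evs))
```

Running the check over a captured sample from each sender shows which agents need the workaround before their stack traces are searched or alerted on as single events.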
