VMware vRealize Log Insight 2.5 Release Notes
vRealize Log Insight 2.5
Last Document Update: 12 MARCH 2015 | Build 2347850
Check frequently for additions and updates to these release notes.
What's in the Release Notes
These release notes include the following topics:
- Introduction to vRealize Log Insight
- Before You Begin
- Upgrading from a Previous Product Version
- Compatibility Notes
- Product Documentation
- Resolved Issues
- Known Issues
VMware vRealize Log Insight delivers the best real-time log management for VMware environments. Machine learning-based Intelligent Grouping and high performance search enables faster troubleshooting across physical, virtual, and cloud environments. vRealize Log Insight can analyze terabytes of logs, discover structure in unstructured data, and deliver enterprise-wide visibility using a modern Web interface. This release introduces the following enhancements.
- Event Trends Analyzer
Watch events that are trending with the new Event Trends Analyzer. View trends over a specified time interval and easily detect events that are potentially affecting the health of your systems. View event trends from the new Event Trends tab within Interactive Analytics.
- Role-Based Access Control
This release introduces role-based access control and Active Directory integration. You can create different roles in vRealize Log Insight to control which users have to access data sets, dashboards, interactive analytics, and administration tasks. For more information, see Managing User Accounts in Log Insight in the Documentation Center.
- Integration with vRealize Operations Manager 6.0
"Launch in context" to vRealize Operations Manager from Log Insight or launch to Log Insight from vRealize Operations Manager. Analyze logs from particular virtual machines, hosts, or any other object without having to remember particular names or IP addresses. Log Insight sends alerts to vRealize Operations Manager. An alert provides the full context of an issue of any inventory object, including virtual machines, hosts, datacenters, clusters, and other objects.
- Log Insight Forwarder
Configure the vRealize Log Insight Server to forward ingested events to multiple remote servers. Filters can be applied to forward only certain types of events.
- Highly Available Integrated Load Balancer
The new high availability service enhances the availability of the vRealize Log Insight Cluster. An integrated load balancer works in conjunction with this service to balance network traffic. With this release, there is no need to use external load balancers and their complex configurations.
- Built-In Content Packs
Access content packs without having to leave the vRealize Log Insight UI. vRealize Log Insight now sends notifications to admin users of new content packs when they visit the Content Pack page. Content packs can be updated from the Content Pack Marketplace using a single click upgrade option. For more information, see Install a Content Pack from the Content Pack Marketplace in the Documentation Center.
The vRealize Log Insight user interface is available in Traditional Chinese, Simplified Chinese, German, French, Japanese, and Korean and supports Unicode data. The vRealize Log Insight 2.5 documentation set is also available in these languages. vRealize Log Insight is interoperable with localized version of vCenter Server and vRealize Operations Manager.
The vRealize Log Insight Agent is supported on non-English native Windows Operating Systems.
See Internationalization Support for the limitations of localization support.
- New vRealize Log Insight Linux Agents
The Linux agent is now available as a standalone package (.rpm and .deb) that can be installed on multiple Linux installation options including RHEL, SLES, and Ubuntu packages. For more information, see the Log Insight Linux Agent documentation.
- Other Agent Updates
- Create and generate support bundles for both vRealize Log Insight Windows and Linux Agents. You can send the support bundles to VMware with your support request.
- A restart is no longer required for Windows or Linux Agents services after configuration changes are applied.
- SSL communication support is available for vRealize Log Insight Agents. If upgrading from a previous version of Log Insight, make sure that port 9543 is open.
- Contextual Log Browsing for Events
Browse logs in context of an event you are interested in. View events that precede or follow a particular event and apply filters around events to quickly narrow down issues.
- User Interface Improvements
- Modify the chart type from within the dashboard.
- Directly update the queries for widgets.
- A new administrative view of every device that sends log data. See Hosts overview table: Monitor Hosts That Send Log Events in the Documentation Center.
- A presentation mode within the dashboard that includes real-time charts
- Performance Improvements
Faster query response times, plus improvements with ingestion rates and machine learning.
- Security Enhancements
- This release includes a patch to fix the vulnerable versions of bash to address the Shellshock security issues.
- SSL v3 is removed to address the POODLE vulnerability and ciphers used in vRealize Log Insight are adjusted to enhance security.
Before You Begin
Review this section before you begin installing and configuring vRealize Log Insight.
Ports Used by vRealize Log Insight
- The following ports need to be opened to ensure proper communication between the Log Insight cluster nodes: 7000 and 9042.
- The following port is required to leverage the new ingestion API SSL support: 9543.
- It is highly recommended that you configure a minimum of three nodes in a Log Insight cluster to provide ingestion, configuration, and user space High Availability.
- Log Insight does not support removing worker nodes from a Log Insight cluster.
For a list of all ports required for proper communication, see Ports and External Interfaces that the vRealize Log Insight Virtual Appliance Uses.
Virtual Appliance Deployment
- Use the instructions provided in the VMware vRealize Log Insight Getting Started Guide to install and configure the Log Insight virtual appliance.
- Always configure the master node in a cluster setup of Log Insight with a fully qualified domain name (FQDN) or a static IP address.
This paragraph contains licensing information for vRealize Log Insight 2.5
- After you deploy the Log Insight virtual appliance, you must assign a valid license key.
- All license management tasks are performed in the Administration Web interface of Log Insight. The URL is http://<log-insight-ip>/admin/license, where <log-insight-ip> is the IP address of the Log Insight vApp. To assign a license key, follow the instructions from the vRealize Log Insight Administration Guide.
vRealize Log Insight 2.5 supports the following VMware products and versions:
- Log insight can pull events, tasks, and alarms data from VMware vCenter Server versions 5.0, 5.1, and 5.5.
- ESXi hosts of the following versions can be configured to push syslog data to Log Insight: ESXi 5.0, 5.1, and 5.5.
- You can integrate Log Insight with vRealize Operations Manager as follows.
- The vRealize Operations Manager edition should be Standard or higher.
- In vRealize Operations Manager 5.7.0, you need to install the Log Insight adapter manually.
- You can view Log Insight alerts in vCenter Operations vSphere UI 5.7.1 or later.
- Log Insight can send notification events to vRealize Operations Manager 5.6 or later.
- You can view Log Insight alerts in vCenter Operations Custom UI 5.6 or later.
Note: You cannot view the details of Log Insight alerts in vRealize Operations Manager 5.6.
- You can enable launch in context for Log Insight in vRealize Operations Manager 5.7.1 or later.
- You can remove the Log Insight adapter that enables launch in context:
- From Administration > Solutions in vRealize Operations Manager 6.0.
- From the Administration UI in vRealize Operations Manager 5.8.x.
- From vRealize Log Insight 2.5
This vRealize Log Insight release supports the following browser versions.
- Mozilla Firefox 10.x, 19.x, 20.x, 21.0, 23 and 29.0.1
- Google Chrome 25.x, 26.x, 27.x, 29 and 34
- Safari 6.0 , 7.0.2
- Internet Explorer 10.x and 11.x
Note: Internet Explorer Document mode must be used in Standards Mode. Other modes are not supported. Browser Mode: Compatibility View is not supported.
The minimum supported browser resolution is 1024 by 768 pixels.
Important: Cookies must be enabled in your browser.
Log Insight Linux Agent Support
In his vRealize Log Insight release, the Linux Agent supports the following distributions and versions.
- RHEL 5 Update 10, RHEL 6 Update 5
- SLES 11 SP3
- Ubuntu 10.04 LTS, 12.04 LTS and 14.04 LTS
vRealize Log Insight 2.5 includes the following limitations.
- Due to an OS limitation, the vRealize Log Insight Linux Agent does not detect network outages when configured to send events over syslog.
- vRealize Log Insight does not support multiple domains for active directory login when they are not trusted domains.
- vRealize Log Insight does not handle non-printable ASCII characters properly.
- vRealize Log Insight does not support printing, however you can use the Print options of your browser. The printed results might vary depending on the browser that you use. We recommend Internet Explorer 10 or Firefox for printing vRealize Log Insight user interface.
- Hosts table might display devices more than once.
The hosts table might list the same device in multiple different formats including some combination of IP address, hostname, and FQDN. For example, a device named foo.bar.com may show up as both foo and foo.bar.com.
The hosts table uses the hostname field defined in the syslog RFC. If an event sent by a device over the syslog protocol does not have a hostname, then vRealize Log Insight uses the source as the hostname. This might result in the device being listed more than once because vRealize Log Insight cannot determine if the two formats point to the same device.
vRealize Log Insight Windows and Linux Agents
- Non-ASCII characters in hostname/source fields are not delivered properly when the vRealize Log Insight Windows and Linux Agents are running in syslog mode.
vRealize Log Insight Windows Agent
- The vRealize Log Insight Windows Agent is a 32-bit application and all its requests for opening files from C:\Windows\System32 sub-directories are redirected by WOW64 to C:\Windows\SysWOW64. However, you can configure the vRealize Log Insight Windows Agent to collect from C:\Windows\System32 by using the special alias C:\Windows\Sysnative. For example, to collect logs from their default location for the MS DHCP Server, add the following line to the corresponding section of the vRealize Log Insight Windows Agent configuration file: directory=C:\Windows\Sysnative\dhcp
vRealize Log Insight Linux Agent
- The vRealize Log Insight Linux Agent does not support non-English (UTF-8) symbols in tag-names.
- The Linux agent collects hidden files and directories by default, to prevent this you must add an exclude=^.* option to every configuration section.
- When standard output redirection to a file is used to produce logs the vRealize Log Insight Agent may not correctly recognize event boundaries in such log files.
IT decision makers, architects, administrators, and others who must be aware of the security components of vRealize Log Insight must familiarize themselves with the VMware vRealize Log Insight Security Guide.
Note: vRealize Log Insight runs its processes as root user of the virtual appliance. This might cause security risks to your environment. Always deploy vRealize Log Insight in trusted secure environments.
Virtual Appliance RequirementsThe following section lists the computing requirements and assumptions for the vRealize Log Insight virtual appliance.
- Memory: 8GB RAM
- vCPU: 4 vCPUs, 2GHz each
- Storage space: approximately 140GB
- To pull events, tasks, and alarms data from a vCenter Server, you must provide a set of user credentials for that vCenter Server. The minimum role required to register and unregister vRealize Log Insight with a vCenter Server is Read-only, set at the vCenter Server level, and propagated to child objects. To configure ESXi hosts that a vCenter Server manages, vRealize Log Insight requires more privileges. See the Known Issues section.
- The hosting vCenter Server credentials are needed to deploy the vRealize Log Insight virtual appliance.
- The default credentials for the vRealize Log Insight Admin user are admin/<blank>. To improve security, vRealize Log Insight requires you to change these credentials when you first access the vRealize Log Insight Web user interface.
- Unless you specify a root password or use guest customization during the deployment of the OVA, the default credentials for the root user on the vRealize Log Insight virtual appliance are root/<blank>. You are prompted to change the root account password when you first access the vRealize Log Insight virtual appliance console. Note that SSH is disabled until you set the root password.
- To enable notification events and the launch in context functionality in a vRealize Operations Manager instance, you must provide user credentials for that vRealize Operations Manager instance.
- User accounts that you create in vRealize Log Insight 2.5 require a strong password. The password must be at least 8 characters long and contain one uppercase character, one lowercase character, one number and one special character. Strong password requirements apply only to new user accounts that you create in vRealize Log Insight 2.5.
Upgrading from a Previous Version of vRealize Log Insight
vRealize Log Insight 2.5 supports upgrading from vRealize Log Insight 2.0 GA and Log Insight 2.0.5. See Upgrading from a Previous Version of vRealize Log Insight in the vRealize Log Insight 2.5 documentation center.
- Workers must only be upgraded one at a time, upgrading multiple workers at the same time will likely lead to an upgrade failure.
- Upgrading of the vRealize Log Insight Windows Agent is fully supported.
- Upgrading from Log Insight 1.x to vRealize Log Insight 2.5 GA directly is not supported. You must first upgrade to Log Insight 2.0 GA before you can upgrade to a vRealize Log Insight 2.5 release.
- vRealize Log Insight 2.5 GA or TP releases do not support using clusters configured with two nodes.
Upgrading from a Tech Preview Release to a Generally Available Release
vRealize Log Insight 2.5 supports upgrading from vRealize Log Insight TP1, Log Insight TP2 and Log Insight TP3. See Upgrading from a Previous Version of vRealize Log Insight in the vRealize Log Insight 2.5 documentation center.
vRealize Log Insight 2.5 is available in the following languages:
- vRealize Log Insight server web UI is localized to 6 languages: Japanese, French, German, Simplified Chinese, Traditional Chinese and Korean.
- vRealize Log Insight is interoperable with localized version of vCenter Server and vRealize Operations Manager.
- vRealize Log Insight server Web UI supports Unicode data, including machine learning features.
- vRealize Log Insight agent works on non-English native Windows.
- The vRealize Log Insight Agent installer and content pack are not localized. Part of the product might display English strings and have minor layout issues.
- vRealize Log Insight server Web UI could show garbage characters in IE 10 if the language setting is switched from English to any of the four supported Asian Languages. The workaround is to close and relaunch the browser.
- On an English locale other than en-US, entered DBCS strings in some fields display as question marks. The workaround is to configure the Web browser in en-US, or select the "Use English only" option from the "General" page.
- Integration with Active Directory, vSphere and vRealize Operations Manager for usernames with non-ASCII characters is not supported.
- The date/time,calendar format shown on the server Web UI is English only and does not honor language/locale settings.
- Localization of event logs is not supported. Event logs only support UTF-8 and UTF-16 character encoding.
Product DocumentationIn addition to the current Release Notes, you can use the documentation set for vRealize Log Insight 2.5 that includes the following deliverables.
- VMware vRealize Log Insight Getting Started Guide
- VMware vRealize Log Insight User's Guide
- VMware vRealize Log Insight Security Guide
- VMware vRealize Log Insight Administration Guide
- VMware vRealize Log Insight Developer's Guide
This section contains resolved issues since vRealize Log Insight 2.0 GA release.
You are unable to login to vRealize Log Insight using your Active Directory credentials
Issues with vRealize Log Insight Active Directory integration prevented users were from logging in when one of these scenarios occurred for an AD user:
- User's SAM is different than their UPN prefix
- User's NetBIOS domain is different than the AD domain
- User's account uses an alternate UPN suffix
vRealize Log Insight Windows Agent may collect duplicate log events from log files upon restart
You configure the vRealize Log Insight Windows Agent to monitor two separate files in the same directory and the beginning of the content of the larger file is exactly identical to the entire content of the smaller file. In this scenario, the vRealize Log Insight Windows Agent may upon restart incorrectly recollect events from the larger file creating duplicates.
This problem is fixed.
Deleting a folder under collection makes the folder inaccessible
If you delete a folder which contains files that the vRealize Log Insight Windows Agent currently monitors and refresh the parent folder, the deleted folder reappears but is not accessible.
This problem is fixed.
This section contains known issues for this release.
Deployment and Configuration
- New vRealize Log Insight deployment fails to start
On rare occasions when you first deploy a vRealize Log Insight virtual appliance you may see an error message "Failed to start new deployment".
Workaround: Restart the newly deployed vRealize Log Insight virtual appliance to fix the problem.
- New vRealize Log Insight deployment fails to bootstrap
If you deploy a vRealize Log Insight appliance and do not bootstrap it shortly after deployment, you may see an error message "Failed to start new deployment" when you try to bootstrap it later.
Workaround: Restart the newly deployed vRealize Log Insight virtual appliance to fix the problem.
- Connecting to too many vCenter Server instances can result in slow collection of vCenter Server events, tasks, and alarms
To collect events, tasks, and alarms data, vRealize Log Insight polls all connected vCenter Server instances sequentially. Collecting events from an individual server can take over 30 seconds and the collector always waits for two minutes after completion. For example, if there are 10 vCenter Server instances configured, the collector iterates through each of them taking up to 300 seconds. Combined with the additional two minutes of wait, this example would collect events from each server every 7 minutes.
Workaround: Do not connect more than two vCenter Server instances to a vRealize Log Insight instance.
- Running parallel configuration tasks might result in incorrect settings
For example, if two administrator users try to run configuration tasks simultaneously on a target ESXi host, it may result in incorrect syslog settings.
Workaround: Verify that no other administrator user is configuring the settings that you intend to configure.
- vRealize Log Insight cluster does not handle network or power outages when using DHCP
If you use DHCP to set up the network configuration of a vRealize Log Insight cluster and a network or power outage occurs, the cluster will stop operating. This happens because of the change of the IP addresses of the master and worker nodes.
Workaround: Always configure the master node with a fully qualified domain name (FQDN) or a static IP address. If the master experiences an outage while a worker node continues to operate, the worker node will send out an alert to the administrator of the cluster.
- During a vRealize Log Insight cluster upgrade you might see HTTP Error 401: Unauthorized
During or immediately after you upgrade a vRealize Log Insight cluster you might see HTTP Error 401: Unauthorized when you try to access the Web UI.
Workaround:The error is transitory and will go away in a minute or so.
- Administration UI shows multiple agents with the same IP address
In some rare cases, multiple agents with the same IP address can appear in the Administration UI. Only one of the agents displayed is active and is the valid running agent. The other invalid agents display with the state "disconnected."
Workaround: Restart vRealize Log Insight.
- You cannot name a smart field in the Event Types tab, if you do not have the Edit Shared permission
When you visits the Event Types tab and click on one of the automatically detected fields (smart fields), a context menu appears. If you have the Edit Shared permission, you can give the field a friendly name that can then be used for regular queries. If you do not have the Edit Shared permission, you cannot name the field and can only refer to it using the app-generated name like smart field host (2) [v2_3cb0181].
Workaround: If you need to name a smart field, make sure that you have the Edit Shared permission.
- SSLv3 for syslog cannot be disabled
This version of vRealize Log Insight does not include the option to disable SSLv3 for syslog.
Workaround: Consult the documentation for your syslog client to enable TLS-only mode.
- Importing a content pack that has a duplicate namespace with an already existing content pack overrides the existing content pack
If you import a content pack into a vRealize Log Insight instance, and the content pack has a namespace that is already used by a different content pack, vRealize Log Insight displays a warning message. If you select the override option, the old content pack will be removed. The newer content pack may or may not have the same name as the old content pack.
Workaround: None. This is expected behavior.
- Importing a content pack fails with error "This Content Pack is from a newer version of vRealize Log Insight and is not currently supported"
Content packs created in vRealize Log Insight 1.5 include a version parameter. The above error message is observed if the version parameter is not equal to 1.0. The version parameter is separate from the contentVersion parameter. While the contentVersion parameter can be modified from the Web UI of vRealize Log Insight, the version parameter cannot. The version parameter can only be changed by manually editing the VLCP file.
Workaround: Do not edit VLCP files manually.
Wildcard following a dot and a number is sometimes not correctly parsed in queries
If you use wildcard to search for numbers immediately following a dot, the query might not return the correct results.
Workaround: Replace dot with a space in your query expression, and enclose it in quotes. For example, to find messages containing naa.6034018, use "naa 603*" instead of naa.603*.
Content packs might not be partially or fully backwards compatible
Content packs created with a newer version of vRealize Log Insight might have new functionality that will be ignored in disallowed in older versions of Log Insight. For example:
- Content packs developed on vRealize Log Insight 2.5 are not backwards compatible with older versions of Log Insight.
- Metadata added to a content pack, such as author, website, icon, and notes, will not be shown in Log Insight 1.0.
- Any queries saved using the Save Current Query option will not be seen in Log Insight 1.0. If you want to save queries in a content pack that can be viewed in Log Insight 1.0, use the Add Current Query to Dashboard menu item, choose a Widget Type of "query" to add the query to a query list in a dashboard, similar to the Relevant Queries widget in the vSphere content pack.
- Unique count function queries will be ignored in Log Insight 1.0 as the unique count function did not exist in Log Insight 1.0.
You cannot check the status of an import operation if your user session ends before the end of the import
To start the data import process, you connect to a vRealize Log Insight instance through a SSH session or through the virtual appliance console. The data import process may take a long time. In the case of SSH, if the SSH session gets dropped or you close the SSH session before the import process completes you are not able to check whether the import completed successfully.
Workaround: Install a "screen" package on the vRealize Log Insight virtual appliance. This package allows you to run the Linux processes in the background without interruption, even when you disconnect from the SSH session.
The import of archived log data might fail if vRealize Log Insight cannot access the NFS server where data is stored
If, during the data import process, the NFS server becomes inaccessible due to network failure or errors on the NFS server, the import of archived data might fail.
The import of archived data might fail if the vRealize Log Insight virtual appliance runs out of disk space
The vRealize Log Insight repository import utility does not check for available disk space on the vRealize Log Insight virtual appliance. Therefore, the import of archived logs might fail if the virtual appliance runs out of disk space.
vRealize Log Insight does not display progress information during log imports
As the import of archived data is in progress, you are unable to infer from the console output how much time is left before the import finishes or how much data is already imported.
vRealize Log Insight might run out of disk space even though data archiving is enabled
If the network connection to the NFS storage is slow, and the rate of the incoming data is higher than the data archiving rate, vRealize Log Insight might run out of disk space.
Active Directory integration with vRealize Operations 6.x is not supported
Authenticattion with vRealize Operations Manager 6.x from the Log Insight Admin UI using Active Directory/LDAP credentials is not supported.
Workaround: Integration is supported using vCenter Operations Manager version 5.x. If using vRealize Operations Manager 6.x, use a non-AD account (local user) to authenticate against vRealize Operations from Log Insight Administration > vRealize Operations Manager UI.
- You can view messages related to launch in context even if launch in context is not enabled or not supported in the vRealize Operations Manager version that you use
The details of vRealize Log Insight notification events that appear in vRealize Operations Manager UI contain the following message that suggests using the launch in context feature:
vRealize Log Insight found <Number> messages matching the criteria for alert "<Name of the Alert>": Use the context menu item to review the matches in vRealize Log Insight.
This message is displayed even if you have not enabled launch in context, or if you are using vRealize Operations Manager versions earlier than 5.7.1 that do not support launch in context.
Workaround: Ignore the message if launch in context is not enabled in your instance of vRealize Operations Manager. Open a browser and type the IP address of the vRealize Log Insight virtual appliance to search for matching messages related to the notification event.
- Email notifications might be dropped if you use the default SMTP settings of vRealize Log Insight
If, in the vRealize Log Insight administration interface, you leave the default SMTP settings of localhost:25, the email notifications that vRealize Log Insight sends might be dropped by the receiving email server, such as Yahoo or Gmail.
Workaround: Use the Send Test Email option and ensure you receive an email to validate that email notifications are not being dropped.
- You cannot change the network properties of the vRealize Log Insight virtual appliance at run time
vRealize Log Insight does not support changing the IP address, network mask, gateway, DNS, or hostname of the virtual appliance at run time.
Workaround: Network configuration changes are only supported from the vApp options of the vRealize Log Insight virtual appliance.
- Open a vSphere Client and locate the vRealize Log Insight virtual appliance.
- Shut down the virtual appliance.
- Right-click the virtual appliance, select Edit Settings, and under vApp options apply the changes to the network configuration.
- Power on the virtual appliance.
Note: You must re-enable launch in context each time you change the network properties of the vRealize Log Insight virtual appliance.
- Accessing the HTTPS-based secure web interface at https://<loginsight-host>/generates an invalid SSL certificate warning
By default, vRealize Log Insight installs a self-signed SSL certificate. The self-signed certificate generates security warnings when you connect to the vRealize Log Insight Web user interface.
Workaround: You can ignore these security warnings.
If you do not want to use a self-signed security certificate, an admin user can install a custom SSL certificate. For procedure on uploading a custom SSL certificate, see the vRealize Log Insight documentation center. The use of a custom SSL certificate is optional and does not affect the features of vRealize Log Insight.
- Active Directory (AD) binding user disallows valid special character '@'
When integrating with Active Directory, vRealize Log Insight disallows the valid special character '@' that should be allowed in Active Directory.
Workaround: Choose a binding username that does not contain the '@' character.
- vRealize Log Insight cannot send alert against a resource in vRealize Operations Manager when the name of the resource has changed
When you set up notifications in vRealize Log Insight against a resource in vRealize Operations Manager and then the name of the resource is changed, vRealize Log Insight can no longer alert against that resource.
Workaround: Update alert to point to the renamed resource.
- vRealize Log Insight Active Directory (AD) users are unable to login when the binding credentials for the AD domain have expired
vRealize Log Insight uses a binding user to control integration with Active Directory in a number of scenarios. For example, when a user specifies a UPN suffix that has not been seen by vRealize Log Insight, it uses the binding credentials to see if that suffix is an alias for a domain that has users or groups with access. If the binding credentials are invalid then vRealize Log Insight cannot perform this query and authentication will fail.
Workaround: Make sure that AD credentials of the binding user are up to date. Navigate to Administration > Authentication, enter the credentials and click Test Connection.
- One or more nodes in a vRealize Log Insight cluster restart when the DNS server is unreachable
If the master node of your vRealize Log Insight cluster is configured with a with a fully qualified domain name (FQDN) and the DNS server becomes unreachable the watchdog on the node will restart the node. If the DNS server comes back up, the restart will succeed. Otherwise, the watchdog makes 12 restart attempts and then the node is marked as disconnected from the cluster.
Workaround: Configure the vRealize Log Insight master node with a static IP address.
- Interactive Analytics chart indicates it has more data to load even though the backend has finished searching
Rarely the interactive analytics chart indicates it is still loading but the progress bar stops moving for several minutes. Although the search may have finished in the backend, the chart does not show the full results. This behavior is triggered more frequently by choosing smaller time window grouping from the 1 bar = toggle in the upper right of a time series chart.
- Interactive Analytics page does not show dynamically extracted fields inline
If a search query lasts longer than one progress iteration (3-5 seconds), the list of events under the Events tab on the Interactive Analytics page does not show dynamically extracted fields inline.
- Worker node in maintenance mode sends notification when the vRealize Log Insight master node is down
When the vRealize Log Insight master node is down, each worker node sends an alert email notification to the admin that the master is down. If one of the worker nodes is in maintenance mode, it is not expected to send such a notification, but it does.
Workaround: Ignore the alert email.
- Worker node in maintenance mode automatically reconnects to the vRealize Log Insight master node
If you put a vRealize Log Insight worker in maintenance mode and restart it, the worker automatically reconnects to the vRealize Log Insight master node.
Workaround:Manually put the worker node back in maintenance mode immediately after it restarts.
- In charts containing group-by values other than time, if there is a large range on the Y-axis, smaller valued bars might not be visible
As an example, if you create a chart grouped by hostname and one host has 100,000 events, and another host has 5 events, the bar for the smaller host might be too small to be visible.
Workaround: Hover over the bottom of the chart to view the tooltips for the small bar.
- vRealize Log Insight does not concatenate multiline messages
vRealize Log Insight supports multiline messages. However, if vRealize Log Insight receives multiline messages where each line of the multiline message contains a PRI prefix, then vRealize Log Insight treats each line as a new event.
Workaround: Configure syslog agents so that they do not add a PRI prefix to every new line a multiline message.