What’s new in vRealize Log Insight v3.6 ?

We’re pleased to announce the release of vRealize Log Insight 3.6. You can download the new release here.

Read on to learn more!

Let’s begin with some …

vRealize Operations Manager Integration Enhancements

Enhanced Alerting – Alerts sent to vRealize Operations Manager now contain the same metadata as email alerts.

So when an alert is escalated to vROps, it will include: (Note: Will be available in vROps 6.3+)

• Name
• Description (to replace existing notes section in LI UI)
• Recommendation (this is new and will be exposed in VLCP only initially then to UI)
• URL
• Criticality
• User can choose between Info, Warning, Immediate, Critical, Symptom Based
• Impact = Health (Options are Health, Risk, Efficiency)

Some other improvements are Auto Cancel of Alerts & Integration HA

User alerts to vRealize Operations Manager can be set to auto cancel in 10 minutes. This addresses the use case where a vROps/LI user, would like for some alerts that are escalated to vROps to clear automatically.

Also when integrating with vRealize Operations Manager, the Integrated Load Balancer VIP is used to ensure HA. The launch in context URL from vROps will now use the vRLI ILB IP. (Note: Will be available in vROps 6.3+)

Moving on to some …

General Enhancements

Lots of other general enhancements that have been much asked for from the user community have been addressed in Log Insight 3.6. Some of which are:

Event type and event trend queries can now be saved to the Dashboard page and included in Content Packs.

• top 10 increasing/decreasing trends will be displayed on the dashboard widgets
• top 10 Event Types will be displayed on the dashboard widgets

Another useful feature is that User alerts can now be created to alert based on new event types.

Some much asked for Syslog Event Forwarding Enhancements are included in vRLI 3.6 where Syslog Event Forwarding now supports sending tags as well as complementary tags.

• What are complementary tags you ask? – Complementary tags are tags added by the cluster itself, such as ‘vc_username’ or ‘vc_vmname‘; alongside the tags coming directly from sources. Complementary tags are always forwarded when Ingestion API is used.
• Forwarder tags will override agent tags, except _timestamp_
• Override existing fields like (hostname, text, providername) is allowed but not event_type or source.

Enhancements have also been made to the Query API where the query API now supports duration, Content Pack extracted fields, group by field, order by function, and event trends.

Log Insight content packs are very popular in the user community and vRLI 3.6 we added the support for Content Pack Upgrade Instructions where Content Packs now support separate install and upgrade instructions.

• As future versions of content packs e.g 2.0 , 3.0 are being developed and published , in addition to the feature updates in LI requiring the content packs to be upgraded for better performance and use of new features; use of this feature becomes important to ensure users are notified of the changes to content pack and setup to effectively use these changes.
• This is also important because updated content packs may require changes to agent groups, which if the user did not know about would result in the content pack not working correctly post upgrade. Another example is the use of multi-VIP with tags.

Content pack authors have asked for this feature for a while now and with vRLI 3.6 we now have ability to bulk delete fields.

In vRLI 3.6 as part of troubleshooting improvements we have added the ability to detect “problematic” alerts (alerts running for a long time) and notify the user about it by sending system notification in case alerts are running behind schedule, allowing the user to kill the user alert queries from the active queries list and allow other alerts to run as per schedule.

Parser Enhancements

In our continuing quest to improve the functionality parser can support, we have made some improvements to the CLF parser and the much asked for global options in agent configuration

CLF (Common Log Format – Apache) parser now

• Supports for time in seconds, microseconds and milliseconds for CLF parser :
  • %{sec}t
  • %{msec}t
  • %{usec}t
• Supports ability to parse complex timestamp formats
  • “%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t”
  • %{msec_frac}t and %{usec_frac}t time tokens are supported as well.
  • Also, if time format starts with ‘begin:’ or ‘end:’ , this words will be ignored.
• g. if such format is used:
• %h %l %u %{begin:%d/%b/%Y %T}t.%{msec_frac}t \”%r\” %>s %b
• It will generate the log:
  • 0.0.1 unknown – 03/Mar/2016 18:00:48.711 “GET /index.php?img=pngPlugin HTTP/1.1” 200 548
• As shown in the example, ‘begin:’ doesn’t exist in the log.

Global common options in agent configuration allows user to simply their parser definitions

• User wants the agent config to have a configuration section where he/she can specify parameters applicable to everything on the agent
  • The following parameters can be defined in common sections:  tags, include, exclude, event_marker, charset, exclude_fieldsand parser.
• To learn more, be sure to check out this blog post on Simplifying agent parser configuration using Common Options in vRealize Log Insight

And last but definitely not the least, as part of our continuing efforts to make the vSphere content pack better with every release we have made very many updates to the content pack

Some New Features in vSphere content pack v3.6

• Queries for vm downtime, precopyBandwidth, precopyStunTime logs
• Agent groups for vSphere logs (no longer collecting gc logs)
• Widgets for Replicated VMs, Recovered VMs, Upgraded VMs

• New Dashboards
  • vCenter Server – Overview : VPXD & SSO events, missed heartbeats, unhealthy monitor events

• vCenter Server – Performance : CPU utilization by vCenter Server , VPXD query stats events by session ID

And that is not all we also have some unsupported Tech preview features that we’d like you to try …

Tech Preview Features

User Impersonation – This feature allows Super Admin users to now impersonate another user, allowing the ability to view, edit, and disable another user’s alerts.

• Off by default on the Administration \ General Tab
• In the previous versions — an Administrator did not have permissions to see or modify another user’s objects. (primarily alerts & queries)
• With this feature a super admin user can impersonate another user to edit the other users content
• All impersonation is logged explicitly, including both from/to user IDs

Agent Auto-Upgrade – Agents can be upgraded to the 3.6 release and be configured to automatically upgrade to future releases.

VMware Identity Manager (vIDM) Integration – Authentication via vIDM can be configured allowing for Single Sign-On.

Some Useful links:

• Product documentation: https://vmware.com/support/pubs/log-insight-pubs.html
• Release notes: 3.6 release notes
• Log Insight community: http://loginsight.vmware.com/