Log Insight vRealize vRealize Operations Insight

What’s new in vRealize Log Insight v3.6 ?

We’re pleased to announce the release of vRealize Log Insight 3.6. You can download the new release here.


Read on to learn more!

Let’s begin with some …

vRealize Operations Manager Integration Enhancements

Enhanced Alerting – Alerts sent to vRealize Operations Manager now contain the same metadata as email alerts.

So when an alert is escalated to vROps, it will include: (Note: Will be available in vROps 6.3+)

  • Name
  • Description (to replace existing notes section in LI UI)
  • Recommendation (this is new and will be exposed in VLCP only initially then to UI)
  • URL
  • Criticality
  • User can choose between Info, Warning, Immediate, Critical, Symptom Based
  • Impact = Health (Options are Health, Risk, Efficiency)
Alert metadata in vRealize Operations Manager
Alert metadata in vRealize Operations Manager


Alert email from vRealize Log Insight v3.6
Alert email from vRealize Log Insight v3.6


Some other improvements are Auto Cancel of Alerts & Integration HA

User alerts to vRealize Operations Manager can be set to auto cancel in 10 minutes. This addresses the use case where a vROps/LI user, would like for some alerts that are escalated to vROps to clear automatically.

Also when integrating with vRealize Operations Manager, the Integrated Load Balancer VIP is used to ensure HA. The launch in context URL from vROps will now use the vRLI ILB IP. (Note: Will be available in vROps 6.3+)


Moving on to some …

General Enhancements

Lots of other general enhancements that have been much asked for from the user community have been addressed in Log Insight 3.6. Some of which are:

Event type and event trend queries can now be saved to the Dashboard page and included in Content Packs.

  • top 10 increasing/decreasing trends will be displayed on the dashboard widgets
  • top 10 Event Types will be displayed on the dashboard widgets
Event Trends and Event Types on Dashboards
Event Trends and Event Types on Dashboards


Another useful feature is that User alerts can now be created to alert based on new event types.

Alert based on new event types
Alert based on new event types


Some much asked for Syslog Event Forwarding Enhancements are included in vRLI 3.6 where Syslog Event Forwarding now supports sending tags as well as complementary tags.

  • What are complementary tags you ask? – Complementary tags are tags added by the cluster itself, such as ‘vc_username’ or ‘vc_vmname‘; alongside the tags coming directly from sources. Complementary tags are always forwarded when Ingestion API is used.
  • Forwarder tags will override agent tags, except _timestamp_
  • Override existing fields like (hostname, text, providername) is allowed but not event_type or source.
Event Forwarding using complementary tags
Event Forwarding using complementary tags


Enhancements have also been made to the Query API where the query API now supports duration, Content Pack extracted fields, group by field, order by function, and event trends.

Log Insight content packs are very popular in the user community and vRLI 3.6 we added the support for Content Pack Upgrade Instructions where Content Packs now support separate install and upgrade instructions.

  • As future versions of content packs e.g 2.0 , 3.0 are being developed and published , in addition to the feature updates in LI requiring the content packs to be upgraded for better performance and use of new features; use of this feature becomes important to ensure users are notified of the changes to content pack and setup to effectively use these changes.
  • This is also important because updated content packs may require changes to agent groups, which if the user did not know about would result in the content pack not working correctly post upgrade. Another example is the use of multi-VIP with tags.
Upgrade Instructions on content packs
Upgrade Instructions on content packs


vSphere content pack Upgrade Instructions
vSphere content pack Upgrade Instructions


Content pack authors have asked for this feature for a while now and with vRLI 3.6 we now have ability to bulk delete fields.

Bulk delete of extracted fields
Bulk delete of extracted fields


In vRLI 3.6 as part of troubleshooting improvements we have added the ability to detect “problematic” alerts (alerts running for a long time) and notify the user about it by sending system notification in case alerts are running behind schedule, allowing the user to kill the user alert queries from the active queries list and allow other alerts to run as per schedule.

Parser Enhancements

In our continuing quest to improve the functionality parser can support, we have made some improvements to the CLF parser and the much asked for global options in agent configuration

CLF (Common Log Format – Apache) parser now

  • Supports for time in seconds, microseconds and milliseconds for CLF parser :
    • %{sec}t
    • %{msec}t
    • %{usec}t
  • Supports ability to parse complex timestamp formats
    • “%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t”
    • %{msec_frac}t and %{usec_frac}t time tokens are supported as well.
    • Also, if time format starts with ‘begin:’ or ‘end:’ , this words will be ignored.
  • g. if such format is used:
  • %h %l %u %{begin:%d/%b/%Y %T}t.%{msec_frac}t \”%r\” %>s %b
  • It will generate the log:
    • 0.0.1 unknown – 03/Mar/2016 18:00:48.711 “GET /index.php?img=pngPlugin HTTP/1.1” 200 548
  • As shown in the example, ‘begin:’ doesn’t exist in the log.

Global common options in agent configuration allows user to simply their parser definitions

  • User wants the agent config to have a configuration section where he/she can specify parameters applicable to everything on the agent
    • The following parameters can be defined in common sections:  tagsincludeexcludeevent_markercharsetexclude_fieldsand parser.
  • To learn more, be sure to check out this blog post on Simplifying agent parser configuration using Common Options in vRealize Log Insight
Simplifying agent config with global common options
Simplifying agent config with global common options


And last but definitely not the least, as part of our continuing efforts to make the vSphere content pack better with every release we have made very many updates to the content pack

Some New Features in vSphere content pack v3.6

  • Queries for vm downtime, precopyBandwidth, precopyStunTime logs
  • Agent groups for vSphere logs (no longer collecting gc logs)
  • Widgets for Replicated VMs, Recovered VMs, Upgraded VMs
vSphere VM overview
vSphere VM overview
  • New Dashboards
    • vCenter Server – Overview : VPXD & SSO events, missed heartbeats, unhealthy monitor events


vCenter Server – Overview Dashboard


  • vCenter Server – Performance : CPU utilization by vCenter Server , VPXD query stats events by session ID
vCenter Server - Performance Dashboard
vCenter Server – Performance Dashboard


And that is not all we also have some unsupported Tech preview features that we’d like you to try …

Tech Preview Features

User Impersonation – This feature allows Super Admin users to now impersonate another user, allowing the ability to view, edit, and disable another user’s alerts.

  • Off by default on the Administration \ General Tab
  • In the previous versions — an Administrator did not have permissions to see or modify another user’s objects. (primarily alerts & queries)
  • With this feature a super admin user can impersonate another user to edit the other users content
  • All impersonation is logged explicitly, including both from/to user IDs
Impersonate user option
Impersonate user option


Impersonate a user
Impersonate a user


Agent Auto-Upgrade – Agents can be upgraded to the 3.6 release and be configured to automatically upgrade to future releases.

Simplifying agent config with global common options


VMware Identity Manager (vIDM) Integration – Authentication via vIDM can be configured allowing for Single Sign-On.

Some Useful links:



One comment has been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *