Log Insight vCenter Operations vRealize vRealize Operations Insight

What’s new in vRealize Log Insight 4.0: An in-depth review

We’re pleased to announce the new release of vRealize Log Insight 4.0. You can download the new release here.


vRealize Log Insight


Read on to learn more about vRealize Log Insight 4.0 !

Let’s begin with some …

New overall User Interface based on the VMware Clarity standard

  • LI attempts to leverage the VMware Clarity theme.
  • This new UI give Log Insight a cleaner and leaner look and feel.
  • Do not panic everything is still in its place only with a make over …

Clarity is an open source design that combines UX guidelines, an HTML/CSS framework components. Clarity is meant for use by both designers and developers. For more information on the Clarity standard refer here.

Clarity UI


Clarity UI

Moving on to some …

General Enhancements

Lots of other general enhancements that have been much asked for from the user community have been addressed in Log Insight 4.0 … we are listening. Some of which are:

In vRealize Log Insight v 4.0 you will also see a Blur on session timeout –



System Notifications:

  • Normal upgrade operation system notifications are now suppressed.
  • New system notifications for duplicated alerts.
  • New system notification for when Event Forwarder drops are detected

Duplicate alert notification


Event forwarder events dropped notification


We already told you about User alerts that can now be created to alert based on new event types in vRLI 3.6, but in vRealize Log Insight v4.0 we take it step further.

  • You can now select a time range with Event Type alert queries.

Time based event type based alert

In vRealize Log Insght 4.0 Users can subscribe to content pack alerts that allow automated updates inline with the associated content pack.

Content pack alert vs alerts in user space

Another interesting feature introduced is the ability to Selectively disable system notifications with regular expressions.

  • <alerts>
    • <disabled-notifications>
    • <notification pattern=”Repository Retention Time .*” />
    • </disabled-notifications>
  • </alerts>

There will be no system notifications during upgrade in vRLI 4.0 , so no need to use above feature to disable notifications during upgrade!

In vRLI v4.0 we have added a New filter called Does Not Exist to find events that do not contain some specified field.

Field does not exist filter

Some of the new agent features available in vRLI v4.0 are :

Another interesting feature is vRLI v4.0 compatibility with vSphere v6.5

  • vSphere 6.5 supports old interface that LI uses which means Log Insight version 3.0 and newer is compatible with vSphere 6.5
  • Although vRLI 3.0 & newer will work with vSphere 6.5 ; the content pack has not yet been updated for vSphere 6.5 specific logs and hence all of the new logging in 6.5 has not been added to the content pack YET!
  • Existing vSphere content pack widgets will continue to work with vSphere 6.5

vSphere content pack v4.0

vSphere Content pack updates include

  • New Widget for VMs Unregistered
  • No new dashboards added this release
  • Bug fixes
  • NOTE:
    • Content pack & Agent group has not thoroughly tested for vSphere 6.5 as you cannot install the agent on VC 6.5 as it is on the Photon OS so we officially do no support it yet although they will work
    • vSphere 6.5 specific widgets and dashboards are not in the content pack v4.0 yet and will be separately released.

And now for some of the most asked for features from the user community –

New admin alerts management UI

  • Ability for a user with admin permissions to Edit and Delete user alerts from administration UI
  • Filter by alert name , owner name , content pack or show only enabled alerts.
  • Table can be sorted by columns and hover over shows additional information.

Admin alert management UI

Admin alert management UI

Additional little tidbits of information about alert management:

  • Older functionality for a user to manage their own alerts will continue to work as before from Interactive Analytics.
  • All user alerts can be suspended from alert management UI – this is same as old functionality the checkbox has been moved from the previous Administration \ General page to the Alert management UI page.
  • Suspend alerts functionality – All user alerts are now suspended. No alerts (even for admin user) will run until the suspension is lifted.
  • When suspend alerts is ON – system notifications are unaffected, including those related to node connectivity.
  • Avg run x Frequency = Daily Run ; when table is sorted by Daily run it allows administrator to find out the most expensive alerts and take corrective action.
  • User Alerts auditing information is available in both runtime.log (for backend actions) and ui_runtime.log (for UI instrumentation)

Syslog octet-framing over TCP:

  • Octet counting is defined in RFC 6587 and required by RFC 5425, which RFC 5424 requires as well and is used by RFC 5425 -compliant Syslog relays.  Unfortunately, prior to LI v4.0 when Log Insight is used in conjunction with these relays it tended to mishandle a octet count framed message.
  • Solution: You can install syslog-ng, this can be used to generate a octet count framed message:
    • /opt/syslog-ng/bin/loggen –inet –stream –syslog-proto –number=1 –sdata “[mdc@16700 category=\”Log\” component=\”loggen\” logType=\”Log\” sourceType=\”Platform\” tag=\”test123\”]” loginsight-qa 514
  • In versions prior to vRLI v4.0 users will see this in Log Insight:

256 <38>1 2016-09-07T09:02:50+02:00 localhost prg00000 1234 – [mdc@16700 category=”Log” component=”loggen” logType=”Log” sourceType=”Platform” tag=”test123″] seq: 0000000000, thread: 0000, runid: 1473256970, stamp: 2016-09-07T09:02:50 PADDPADDPADDPADDPADDP

  • In vRLI 4.0, user should see this:

2016-09-07T09:02:50+02:00 localhost prg00000 1234 – [mdc@16700 category=”Log” component=”loggen” logType=”Log” sourceType=”Platform” tag=”test123″] seq: 0000000000, thread: 0000, runid: 1473256970, stamp: 2016-09-07T09:02:50 PADDPADDPADDPADDPADDP


Supported deployment APIs

  • With every release of vRLI we are looking to add more supported APIs for use.
  • You can find the list of supported deployment APIs here:
  • Note:
    • It is a requirement to use port 9543 (not 443).
    • API for deployment/new does not require authorization since admin password is blank by default

And last but definitely not the least, as part of our continuing efforts to make the user community excited about using vRealize Log Insight …

We have added an attractive visualization for single values, where the user can decide what is “green”, “yellow” or “red”.

Typical application would be representation of  CPU utilization, memory utilization on charts …

The user can change the ranges, however

  • the ranges stay contiguous
  • the values are increasing from green to red
  • there are always only 3 color ranges
  • a new query resets the ranges

The chart can be saved to the dashboard and the user can change the ranges and the chart type there as well …Gauge Charts

Unsupported use cases

  • No more than 3 ranges are allowed (we don’t support the case, for example where the “green” range would be in the middle, and yellow then red would be at lower and higher values)
  • The 3 ranges cannot be discontinuous.
  • The green always cover the lower values and the red, the larger values. We do not support the “decreasing case” where the good values are the highest (negative values are OK: -50 for the min for example and 0 for the max, but decreasing values, e.g. -50 for the max and 0 for the min, are not OK)
  • As a result of the first 2 conditions, the max of the green range is equal to the min of the yellow range, and the max of the yellow range is equal to the min of the red range.

And that is not all we also have some unsupported Tech preview features that we’d like you to try …

Tech Preview Features

Note: Tech Preview features are disabled by default, come with no support, and may be changed or removed in a future release.

Agent auto-update –

Some Use Cases we try to address are:

  • As a user, I do not want to manually upgrade agent on each node.
  • As a user, I want the upgrade to be as silent as possible (e.g. no user interaction should be needed).
  • As a user, I want the auto-update to have same effects as manual one.


Agent auto update

Agent Scripted Input –

Agents can be configured to run script and collect output allowing for addition collection sources as well as data massaging.

  • Create an object of ScriptedInput class.
  • Call Configure() and Start() methods.
  • After Start() the thread context will return, the real work will be continued in other threads.
  • When needed call Stop() to interrupt the ScriptedInput’s threads.
  • In case of errors in ScriptedInput’s background threads the error messages will be logged, error during Start/Stop will be thrown and should be handled by client code.

Configuration details to make scripted input work:

  • To make Scripted Input work one should have a [scriptlog] section in configuration file, each section should contain “script” option(mandatory) and can contain other options described bellow:
  • [scriptlog|job1]
  • ; “hello_World.bat” is the script to be run, it script should be located in “scripts” directory alongside with agent binary… i.e. for linux in /usr/lib/loginsight-agent/bin/scripts and in “C:\Program Files (x86)\VMware\Loginsight Agent\scripts
  • script=hello_World.bat
  • charset=utf16 ; job’s stdout encoding, default is utf8
  • event_marker=\t ; the separator events, default is \n

VMware Identity Manager (vIDM) Integration

Authentication via vIDM can be configured allowing for Single Sign-On.

Enable vIDM integration from Administration \General page UI  and save.

Enable vIDM

Then go to https://li /admin/auth or access it from UI’s top right corner – Administration -> Authentication. There you’ll see AD and vIDM configuration page, so you can input your AD and/or vIDM related info and save.

To be able to login via vIDM user you should import group or user from Administration -> Access Control page.


  • Requires vIDM 2.6 or newer.

Some Useful links:

Got questions? Leave a comment below.


One comment has been added so far

Leave a Reply

Your email address will not be published. Required fields are marked *