vRealize Log Insight: Configuring agents

The vSphere content pack provides powerful insight into your vSphere logs, allowing you to make informed and proactive decisions within your environment.  For the exercise I am just reviewing some of the VMware products and providing notes I took during installation. Sorry if they seems a bit all over the place 🙂

Log Insight agent now gets pre-installed on some of the appliances which is great and means no need to install agents manually.  Some of the VMware products that has agent pre-installed:
vRealize Business
vRealize Operations Manager (beginning from 6.1)
vRealize Orchestrator (beginning from 7.0.1)
vRealize Automation (beginning from 7.0.1)

vRealize Log Insight

Here are some basic functions which will help a lot for instructions on content packs:

Install Content Packs:

  1. Login to vRealize Log insight.
  2. Select the stack menu button in top right hand corner
  3. Select Content Packs
  4. Installation has been simplified a lot since you do not have to go to VMware solution exchange anymore to download and manually install the content packs, it is available straight from Marketplace window.  Super awesome!
  5. Just click on Install for which ever content pack you want to install.

How to view setup instructions?

  1. Select the stack menu button in top right hand corner
  2. Select Content Packs 
  3. Select Installed content pack
  4. Click the cog wheel -> Setup instructions

To verify if agent configuration from Log Insight was pushed successful to server:

Check the affective file to see if the correct agent configuration file logs has been pushed to the liagentd.




C:\ProgramDATA\Vmware\Log insight agent\liagent-affective

View the agent configuration settings:


  1. Login to vRealize Log insight.
  2. Select the stack menu button in top right hand corner
  3. Select Content Packs 
  4. Select Installed content pack
  5. Select Agent Groups tab
  6. Find group name and review the Notes and Configuration

Agent Groups

Agent Groups comes as part of the content packs you installed. This is required for dashboard to work correctly. If you use syslog-ng, you will still receive the events but the vSphere content pack dashboards will not work.

  • I would always recommend making a copy of the original
  • Provide a new name
  • Save it
  • Provide a filtered list of hosts which could be by name, IP address or wildcards.  These hosts should already have been already registered to Log Insight via their Agent configuration.
  • Save the Agent Group.

The configuration is automatically pushed out to the selected hosts and log messages will begin flowing in.

Install agents on linux:

This is of course not part of VMware products but providing the steps to manually install the agent on a linux box which you still need to do sometimes.


  1. Make sure the hostname is set under /etc/hosts, /etc/HOSTNAMES, hostname   (otherwise server will show up with localhost hostname)
  2. Copy the bin file to appliance (this is SUSE so have to copy the bin)
  3. Chmod +x .bin
  4. ./.bin
  5. Vi /etc/liagent.ini
  6. http://pubs.vmware.com/log-insight-30/index.jsp?topic=%2Fcom.vmware.log-insight.agent.admin.doc%2FGUID-D245F706-BC99-46D0-87E3-584D9D250529.html
  7. (/etc/init.d/liagentd status/stop/restart)


In order to download the agent from server and install the agent I use following commands:

# curl -o /tmp/liagent-current.rpm http://LOGINSIGHT-SERVER:9000/api/v1/agent/packages/types/rpm ; rpm -Uvh /tmp/liagent-current.rpm


NSX Manager

Sends all audit logs and system events from NSX Manager to the syslog server.


  1. Log in to the NSX Manager virtual appliance.
  2. Under Appliance Management, click Manage Appliance Settings.
  3. From the Settings panel, click General.
  4. Click Edit next to Syslog Server.
  5. Type the IP address of the syslog server.
  6. Required Type the port and protocol for the syslog server.  If you do not specify a port, the default UDP port for the IP address/host name of the syslog server is used.
  7. Click OK.


NSX Edge

NSX Edge events and logs related to firewall events that flow from NSX Edge appliances are sent to the syslog servers.


  1. Log in to the vSphere Web Client.
  2. Click Networking & Security and then click NSX Edges.
  3. Double-click a NSX Edge.
  4. Click the Manage tab and then click the Settings tab.
  5. In the Details panel, click Change next to Syslog servers.
  6. Type the IP address of both remote syslog servers and select the protocol.
  7. Click OK to save the configuration.

NSX Controllers:

The only supported method on configuring the syslog server on the NSX controllers is through the NSX API which is described in the KB below:



I did however found another way to perform this through SSH but use at own risk and I still recommend using the NSX API!

  1. SSH into NSX controller:
  2. Change Controller cluster password
  3. vCenter server -> Networking & security -> Installation -> Management
  4. NSX controller select
  5. Actions -> Change controller cluster password
  6. 12 character min
  7. Login
  8. # show syslog-exporters
  9. add syslog-exporter
    1. This will add a syslog exporter
  10. add syslog-exporter-facility
    1. This will add a facility to a syslog exporter

Example:  # add syslog-exporter nsx-controller-syslog INFO kern,user,mail,deamon,auth,syslog,lpr,news,uucp,cron,security,ftp,ntp,logaudit,logalert,clock,local0,local1,local2,local3,local4,local5,local6,local7,api,api_request,api_request_content,api_request_header,logical_net,system,transport_net

  • 514 UDP


vRA 7:

  1. Install content packs:
    1. Vra7
    2. Vrealize orchestrator
    3. Apache
  2. Download windows agents from administration -> Management -> Agents -> Right at bottom of screen!
  3. Install agents on windows servers  (management, DEM, Web)
  4. From drop-down agents select vRealize 7 – Windows and create filter for only the windows server for instance hostname = wdvra*.domain.com


Vra-dem, vra-dem-metrics, vra-deo, vra-deo2

Under agent configuration update the paths where necessary like for instance vra-deo where the directory is normally -DEO after Distributed Execution Manager folder  “C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEO\Logs\”  BUT SHOULD BE C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\FQDN-DEO\Logs\

If you have multiple DEM servers or management servers then create  another file log called vra-dem2 to add the 2nd server file location.

For vRA appliances:

  1. Just update the \etc\liagent.ini with the hostname for vrealizeloginsight server.
  2. Restart service \etc\init.d\liagentd restart

vRealize Orchestrator:

Some good information from VMware blog on Orchestrator for vRealize Log insight.



  1. Login to vrealize orchestrator control center.
  3. Select Log -> Logging Integration
  4. Check box for “Enable logging to a remote log server”
  5. Currently only Log4j is supported but upcoming release after 7.0.1 should support Log Insight Agent
  6. Enter Host, Port and protocol.
  7. Test Connection
  8. Save


Problems experienced:

This did not work and got an error “HTTP Status 500 – Failed to edit Log Insight Agent configuration file!”

I create another blog to show how to fix this problem:


Agents group template does not show up and had to uninstall and reinstall the agent.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s