Archive | vRLI

Forward specific logs from VMware vRealize Log Insight (vRLI) to Splunk

26 Aug

If you are not yet using a SIEM (Security Information and Event Management) solution in your environment, you should seriously consider one. Given the modern cyber security threat landscape, it is a handy tool for all teams, not only the security team.

I had a bunch of VMware Workspace ONE Access (WS1) appliances already sending their logs to vRealize Log Insight through the Syslog action. However, the partner team was using a different solution, Splunk. The objective was to forward one specific log, Greenbox_web.log (it holds all the user interface interactions for WS1, so it is the main log for seeing internet-facing activity on the appliance), to Splunk.

Luckily, the Log Forwarding capability already exists in vRLI. Creating the filters was a bit time consuming, though, because vRLI converts the filter input into a regex and the conversion does not accept every string you might type.

Configure the log forwarding in vRLI to Splunk

Go to your vRLI instance, click Administration –> Log Management –> Log Forwarding and select New Destination

vRLI Log Management

Configuration Details

  • Name – A friendly name for the forwarding destination, e.g. VDI-WS1-Logs-Splunk
  • Host – The Splunk load-balancing VIP address
  • Protocol – RAW
  • Transport – TCP (plain TCP carries the events unencrypted, so the path between vRLI and the Splunk VIP needs to be a network segment you trust)
  • Filter
    • hostname – starts with – WS1ManagerAppPrimary* WS1ManagerAppSecondary*
    • text – matches – *GreenBox* (Note: in the log the tag appears as <GreenBox>; however, if you include the angle brackets, vRLI fails to convert the string into a regex, so use the wildcard form instead.)
    • Run the same filters in Interactive Analytics first to confirm they select exactly the events you expect
  • Port – Enter the custom port provided to you by the Splunk team
  • Click Save
Destination Details

After a while you will start seeing the events arrive in Splunk, and the destination state will be marked as Active. You can use the same logic to forward other specific logs to third-party tools (it doesn't have to be Splunk). I hope you find this helpful on your SIEM journey. Please let me know if I have missed any steps, and I will be happy to update the post.
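Before handing the destination over to the Splunk team, it is worth seeing with your own eyes what vRLI actually sends. The script below is an added example (not from the post, VMware or Splunk): a temporary RAW/TCP sink you run on a test box, point a throwaway vRLI destination at, and let a few events flow into. It prints the first few payloads so you can see the exact format Splunk will receive and warns about anything that slips past the text filter. Assumptions: 1514 stands in for the custom port the Splunk team gives you; the glob is the one from the destination above and is matched with PowerShell's case-insensitive -like, which may be looser than vRLI's own matching; the RAW payload layout is not described in the post, so only the text filter is checked here, not the hostname.

```powershell
# Added example, not vRLI or Splunk code. Minimal RAW/TCP receiver for checking a vRLI
# Log Forwarding destination before pointing it at the real Splunk VIP.
param(
    [int]$Port = 1514,                 # assumption: stand-in for the Splunk custom port
    [string]$TextGlob = '*GreenBox*',  # the "text matches" filter from the destination
    [int]$Preview = 5                  # how many payloads to print in full
)

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
$listener.Start()
Write-Host "Listening on TCP $Port; create a test destination in vRLI with Protocol RAW, Transport TCP, Host = this machine"

try {
    # vRLI opens one TCP connection and streams one event per line
    $client = $listener.AcceptTcpClient()
    $reader = [System.IO.StreamReader]::new($client.GetStream())
    $seen = 0
    $unexpected = 0

    while ($null -ne ($line = $reader.ReadLine())) {
        $seen++
        if ($line -like $TextGlob) {
            # Show the first few matching payloads so the format Splunk will get is visible
            if ($seen -le $Preview) { Write-Host $line }
        } else {
            # Anything landing here means the vRLI filter is broader than intended
            $unexpected++
            Write-Warning "Does not match ${TextGlob}: $line"
        }
    }

    Write-Host "Connection closed: $seen events received, $unexpected outside the filter"
} finally {
    $listener.Stop()
}
```

Run it once, trigger a couple of logins on the WS1 portal, and confirm the count of events outside the filter stays at zero; if it does not, go back to Interactive Analytics and tighten the filter before the Splunk team starts ingesting.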

Thanks,
Aresh Sarkari

Error 1303 The installer has insufficient privileges to access this directory – Upgrade from App Volumes 2.12 to 2.12.1

12 Apr

With the latest version of App Volumes, 2.12.1, you don't have to uninstall the older App Volumes Manager first. The 2.12.1 installer takes care of uninstalling the previous version, performing a fresh install and retaining all configuration details and settings automatically.

During the upgrade I encountered the following error:

“Error 1303. The installer has insufficient privileges to access this directory: C:\Program Files (x86)\CloudVolumes\Manager\log. The installation cannot continue. Log on as an administrator or contact your system administrator.”

App Volumes Upgrade Error

Resolution:
In our scenario we have the VMware vRealize Log Insight Agent installed on the App Volumes Manager VMs to forward logs via Syslog. The Log Insight agent tails the logs (production.log) inside the folder "C:\Program Files (x86)\CloudVolumes\Manager\log". Because the agent service was running, it held the folder open, so the uninstall step could not delete it and left a ghost folder on the filesystem that the fresh install then tripped over.

Log Insight Agent Service

After opening services.msc, stopping the VMware vRealize Log Insight Agent service and clicking Retry in the installer, the setup completed the upgrade successfully.
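The same fix can be applied up front instead of waiting for the Retry prompt. The script below is an added example (not from the post or from VMware): it stops the agent by the display name you see in services.msc, runs the upgrade, and restarts the agent even if the upgrade fails so Syslog forwarding does not stay silent. Assumptions: the installer path is a placeholder for wherever you unpacked the 2.12.1 bundle, and the MSI log location is my choice.

```powershell
# Added example, not VMware code. Stop the Log Insight agent for the duration of the
# App Volumes Manager upgrade so the installer can remove
# C:\Program Files (x86)\CloudVolumes\Manager\log, then start it again.
param(
    # assumption: placeholder path to the unpacked 2.12.1 installer
    [string]$Installer = 'C:\Temp\AppVolumes\Installation\App Volumes Manager.msi',
    [string]$MsiLog = 'C:\Temp\avm-upgrade.log'
)

# Match on the display name shown in services.msc rather than guessing the short name
$agent = Get-Service | Where-Object DisplayName -like 'VMware vRealize Log Insight Agent*'
if (-not $agent) { throw 'Log Insight agent service not found on this host' }

$wasRunning = ($agent.Status -eq 'Running')
if ($wasRunning) {
    Stop-Service -Name $agent.Name -Force
    # Do not launch the installer until the handle on the log folder is really gone
    $agent.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

try {
    # /l*v keeps a verbose MSI log so a repeat of error 1303 is easy to diagnose
    $p = Start-Process msiexec.exe -ArgumentList "/i `"$Installer`" /l*v `"$MsiLog`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) {
        throw "msiexec exited with code $($p.ExitCode); see $MsiLog"
    }
} finally {
    # Bring the agent back even on failure so the manager keeps shipping logs
    if ($wasRunning) { Start-Service -Name $agent.Name }
}
```

Run it from an elevated PowerShell session on the App Volumes Manager VM; the agent is only restarted if it was running to begin with, so the script does not change the state of hosts where the agent is deliberately stopped.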

I hope this workaround helps you during your upgrade if you encounter a similar error message.

Thanks,
Aresh

Collect Horizon View Connection Server Logs in vRealize Log Insight

12 May

If you are using the VMware Horizon View Content Pack for Log Insight, it will capture the Connection Server logs (log-<date>.txt, debug-<date>.txt etc.). However, this doesn't work out of the box by deploying the Content Pack alone: you have to apply the View GPO (vdm_common.adm) to the Connection Servers for Log Insight to pick up the logs. In our scenario, without the GPO it only captured the Windows Application, System and Security event logs.

You need to perform the following steps:

  1. Download the Horizon 6 View GPO Bundle (VMware-Horizon-View-Extras-Bundle-3.5.0-2999900.zip) from the https://my.vmware.com Downloads section. The build number depends on your version of Horizon View
  2. Extract the View Common Configuration Template (vdm_common.adm) from the zip bundle and copy it over to the domain controller
  3. Create a new OU, name it e.g. ViewServers, and move all the Connection Server machine accounts into that OU
  4. Open gpmc.msc on the domain controller, go to the newly created OU (ViewServers), choose “Create a new GPO and link it here”, name the GPO ViewLoginsight and click Edit
  5. Go to Computer Configuration –> Policies –> Administrative Templates, right-click and open “Add/Remove Templates” to import the vdm_common.adm file
  6. Go to Computer Configuration –> Policies –> Administrative Templates –> Classic Administrative Templates (ADM) –> VMware View Common Configuration –> Log Configuration
  7. Select “Send logs to Syslog server”, set it to Enabled, and under “Send logs to Syslog server” enter the log level and the Log Insight address in the form Level|LogInsightIPAddress (e.g. Debug|10.10.10.1, Info|10.10.10.1 or Trace|10.10.10.1)
  8. On the Connection Server VM, make sure the following entry is present. Navigate to %ProgramData%\VMware\Log Insight Agent\
  9. Open the liagent.ini file in any text editor (Notepad, Notepad++ etc.)
  10. Add the following configuration parameters to the file
    [filelog|ViewMain]
    directory="C:\ProgramData\VMware\VDM\logs"
    include=log-*.txt;debug-*.txt
    exclude=wsnm_starts.txt
    Note: we only capture the logs from the Connection Server, not from the View Agent (deployed on the desktops). We removed pcoip_server and pcoip_agent from the default include string mentioned under Tech Specs on the Solution Exchange portal page.
  11. Save and restart the VMware Log Insight Agent service.

You will be able to see the Horizon View Connection Server logs being captured in Log Insight (example below):

CSLoginsight

There is also a detailed blog post on this topic by one of my colleagues, Sivaprasad; click this link – http://incloudnet.com/2015/01/08/view-loginsight-support/

Thanks,
Aresh

Collect Horizon View Composer Logs in vRealize Log Insight

4 Nov

If you are using the VMware Horizon View Content Pack for Log Insight, note that it doesn't capture the View Composer logs. Since you are using the Log Insight instance to centralize all your logs, you may want to capture the Horizon View Composer logs as well. Follow these steps:

  1. Install the Log Insight Agent on the Horizon View Composer server VM in your environment
  2. Navigate to %ProgramData%\VMware\Log Insight Agent\
  3. Open the liagent.ini file in any text editor (Notepad, Notepad++ etc.)
  4. Add the following configuration parameters to the file
    [filelog|ViewComposer]
    directory="C:\ProgramData\VMware\View Composer\Logs"
    include=vmware*.log
    exclude=vmware-viewcomposer-audit.log;vmware-sviconfig.log
  5. Save and restart the VMware Log Insight Agent service.
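Both this post and the Connection Server post above end in the same two manual steps: paste a [filelog|...] section into liagent.ini and restart the agent. The script below is an added example (not from the posts or from VMware) that does exactly that for either server role, but only if the section is not already there, so running it twice, or from a build pipeline, does not leave duplicate sections behind. It backs up liagent.ini before touching it and restarts the agent only when something changed. Assumptions: the default agent location under %ProgramData% and the agent's display name as shown in services.msc; the directory, include and exclude values are the ones from the two posts.

```powershell
# Added example, not VMware code. Idempotently add the [filelog|...] section for a
# Horizon View Connection Server or View Composer server to liagent.ini and restart the agent.
param(
    [Parameter(Mandatory)]
    [ValidateSet('ConnectionServer', 'Composer')]
    [string]$Role
)

# assumption: default agent install location
$LiagentIni = Join-Path $env:ProgramData 'VMware\Log Insight Agent\liagent.ini'

function Add-LiagentFilelog {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Directory,
        [Parameter(Mandatory)][string]$Include,
        [string]$Exclude
    )
    if (-not (Test-Path -LiteralPath $LiagentIni)) {
        throw "liagent.ini not found at $LiagentIni; is the agent installed?"
    }
    if (-not (Test-Path -LiteralPath $Directory)) {
        Write-Warning "$Directory does not exist yet; the agent will start tailing it once it appears"
    }

    $header  = "[filelog|$Name]"
    $content = Get-Content -LiteralPath $LiagentIni -Raw
    if ($content -match [regex]::Escape($header)) {
        Write-Host "$header already present, leaving liagent.ini untouched"
        return $false
    }

    $section = @($header, "directory=`"$Directory`"", "include=$Include")
    if ($Exclude) { $section += "exclude=$Exclude" }

    # Keep a copy of the file as it was, then append the new section on its own block
    Copy-Item -LiteralPath $LiagentIni -Destination "$LiagentIni.bak" -Force
    Add-Content -LiteralPath $LiagentIni -Value (@('') + $section)
    Write-Host "Appended $header to $LiagentIni"
    return $true
}

function Restart-LiagentAgent {
    $agent = Get-Service | Where-Object DisplayName -like 'VMware*Log Insight Agent*'
    if (-not $agent) { throw 'Log Insight agent service not found on this host' }
    Restart-Service -Name $agent.Name -Force
}

$changed = switch ($Role) {
    'ConnectionServer' {
        # Values from the Connection Server post
        Add-LiagentFilelog -Name 'ViewMain' -Directory 'C:\ProgramData\VMware\VDM\logs' `
            -Include 'log-*.txt;debug-*.txt' -Exclude 'wsnm_starts.txt'
    }
    'Composer' {
        # Values from this post
        Add-LiagentFilelog -Name 'ViewComposer' -Directory 'C:\ProgramData\VMware\View Composer\Logs' `
            -Include 'vmware*.log' -Exclude 'vmware-viewcomposer-audit.log;vmware-sviconfig.log'
    }
}

if ($changed) { Restart-LiagentAgent } else { Write-Host 'No change, agent not restarted' }
```

Run it as `.\Add-ViewLogs.ps1 -Role Composer` (or `-Role ConnectionServer`) from an elevated session on the server in question. If you want the Composer audit trail in Log Insight too, drop vmware-viewcomposer-audit.log from the exclude list before running it.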

You will be able to see the Horizon View Composer logs being captured in Log Insight (example below):

LogInsight

Thanks,
Aresh