Moogsoft Docs

vRealize Log Insight delivers heterogeneous and highly scalable log management. It provides deep operational visibility and faster troubleshooting across physical, virtual and cloud environments. The vRealize Log Insight LAM connects to the vRealize Log Insight server, fetches events from it, and forwards them to Moogsoft AIOps.

1. LAM reads the configuration from the vrealize_loginsight_lam.conf file.
2. LAM will connect with the vRealize Log Insight Server using the given host name or IP Address.
3. The response is received with event data in JSON format.
4. The events are parsed and converted into normalized Moogsoft AIOps events.
5. The normalized events are then published to MooMS bus.

The events received from vRealize Log Insight are processed according to the configurations in the vrealize_loginsight_lam.conf file. The processed alarms are published to Moogsoft AIOps.

The configuration file contains a JSON object. At the first layer of the object, LAM has a parameter called config, and the object that follows config has all the necessary information to control the LAM.

Monitor

The vRealize Log Insight LAM takes the connection information from the Monitor section of the config file. You can configure the parameters here to establish a connection with vRealize Log Insight Client.

General

Field  Type  Description  Example
name and class  String  Reserved fields: do not change. Default values are LogInsight Lam Monitor and CVrealizeLogInsightMonitor.
host_name  Integer  The host name or IP address of the vRealize Log Insight server. Default address is localhost.
user_name and password  String  Enter the username and password for vRealize Log Insight console login.
encrypted_password  String  If the password is encrypted, enter the encrypted password in this field and comment out the password field. Only one of password and encrypted_password is used at a time. If neither field is commented out, the vRealize Log Insight LAM uses encrypted_password.
server_cert_filename  String  Enter the server certificate name here. Use the certificate "server.crt" here. The certificate file should be present in the directory given in the path_to_ssl_files field.
use_client_authentication  Boolean  Set to true to enable client authentication, otherwise set to false. By default, it is set to false. If it is set to true, enter values in the client_key_filename and client_cert_filename fields.
client_key_filename  String  Enter the name of the key file here. The key file should be present in the directory given in the path_to_ssl_files field. Example: "client.key"
client_cert_filename  String  Enter the name of the certificate file here. The certificate file should be present in the directory given in the path_to_ssl_files field. Example: "client.crt"
polling_interval  Integer  The polling time interval, in seconds, between the requests after which the event data is fetched from vRealize Log Insight LAM. Default = 10 seconds. If 0 is entered, the time interval is set to 10 seconds.
max_retries  Integer  The maximum number of retry attempts to reconnect with the vRealize Log Insight server in case of a connection failure. Default = -1; if no value is specified, there will be infinite retry attempts. If the specified value is greater than 0, the LAM tries that many times to reconnect; for 0 or any value less than 0, max_retries is set to the default.
retry_interval  Integer  The time interval between two successive retry attempts. Default = 60 seconds; if 0 is entered, the time interval is set to the default.
timeout  Integer  The timeout value in seconds, used to time out a connection, socket and request. Default: 120 seconds; if no value is specified, timeout is set to the default.

Filter

Field  Type  Description
filter  Object  The following filters can be used to fetch events from the vRealize Log Insight LAM:
• hostnames : Enter the hostname of the machine. This filter fetches events containing the listed hostnames, e.g.:

hostnames  :  ["localhost","dellserver","moogsoftserver"]
• sources : Enter the source of the machine. This filter fetches events containing the listed sources, e.g.:

sources   :  ["10.24.56.78", "10.54.87.35"]

Note

If you are using all the filters, then only events having values listed in every filter will be fetched.

Note

The hostnames and sources filters are joined using the "AND" condition, while the values within each filter are joined using the "OR" condition. If you have set the filter hostnames : ["localhost","dellserver","moogsoftserver"] , then all the events having the hostname "localhost" or "dellserver" or "moogsoftserver" will be fetched. The same applies to the sources filter: if you have set sources : ["10.24.56.78", "10.54.87.35"] , then all the events having the source "10.24.56.78" or "10.54.87.35" will be fetched.

If you have applied both filters, hostnames and sources, then only those events which have both a hostname and a source given in the filters will be fetched. For example, if you have applied the filters hostnames : ["localhost","dellserver","moogsoftserver"] AND sources : ["10.24.56.78", "10.54.87.35"] , then the events whose hostname and source both appear among the listed values will be fetched. An event coming from dellserver with source 10.24.56.78 will be fetched, but one from any other source, say 10.24.58.96, will not be fetched.

The following table lists hostnames with their respective sources, and whether the events will be fetched for the filter hostnames : ["localhost","dellserver","moogsoftserver"] and sources : ["10.24.56.78", "10.54.87.35"] :

hostname  source  Events fetched
localhost  10.24.56.78  Y
localhost  10.24.59.96  N
dellserver  10.54.87.35  Y
dellserver  10.58.64.28  N
moogsoftserver  10.57.64.87  N
moogsoftserver  10.24.56.78  Y
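
The filter logic described above, as an added example that is not part of the original page or of Moogsoft's code. It reproduces the table and lists the hostname/source pairs that would silently go unmonitored. Assumptions: events carry "hostname" and "source" fields, and an empty filter list places no restriction.

```python
# Assumed event field names; the page's mapping rules reference $hostname and $source.
FILTER_FIELDS = {"hostnames": "hostname", "sources": "source"}

def event_matches(event, flt):
    """OR within each filter list, AND across the filters.

    Assumption: an empty or absent list places no restriction on that field.
    """
    for filter_name, event_field in FILTER_FIELDS.items():
        allowed = flt.get(filter_name) or []
        if allowed and event.get(event_field) not in allowed:
            return False
    return True

def dropped_pairs(events, flt):
    """Return the (hostname, source) pairs the filter would not fetch."""
    return sorted({(e.get("hostname", ""), e.get("source", ""))
                   for e in events if not event_matches(e, flt)})

# The filter used in the table above.
PAGE_FILTER = {
    "hostnames": ["localhost", "dellserver", "moogsoftserver"],
    "sources": ["10.24.56.78", "10.54.87.35"],
}

# Constructed events, one per row of the table above.
SAMPLE_EVENTS = [
    {"hostname": "localhost", "source": "10.24.56.78"},
    {"hostname": "localhost", "source": "10.24.59.96"},
    {"hostname": "dellserver", "source": "10.54.87.35"},
    {"hostname": "dellserver", "source": "10.58.64.28"},
    {"hostname": "moogsoftserver", "source": "10.57.64.87"},
    {"hostname": "moogsoftserver", "source": "10.24.56.78"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "Y" if event_matches(event, PAGE_FILTER) else "N"
        print(event["hostname"], event["source"], verdict)
    print("not fetched:", dropped_pairs(SAMPLE_EVENTS, PAGE_FILTER))
```

Running the drop report against a sample of real events before enabling both filters shows which known hosts would stop reaching Moogsoft AIOps because their source address is not listed.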

Secure Sockets Layer

Field  Type  Description
use_ssl  Boolean  Set to true to enable SSL communication:

• path_to_ssl_files: Enter the path of the directory where all the certificates are stored. If the path begins with '.' or '/', the path is used as specified. Otherwise, MOOGSOFT_HOME is prepended to the path. For example, if MOOGSOFT_HOME is /opt/moogsoft/ and path_to_ssl_files is set to config, then the location will be defined as /opt/moogsoft/config.

•  ssl_protocols  : Only applicable if  use_ssl = true  . This configuration dictates which SSL protocols are enforced by the vRealize Log Insight LAM; the following protocols are allowed to be specified:
SSLv3
TLSv1
TLSv1.1
TLSv1.2
If SSL is in use and no value is specified for this configuration then only TLSv1.2 is allowed by default.

Example

Config File
config :
{
    monitor:
    {
        host_name                 : "localhost",
        user_name                 : "user",
        use_ssl                   : false,
        path_to_ssl_files         : "config",
        server_cert_filename      : "server.crt",
        use_client_authentication : false,
        client_key_filename       : "client.key",
        client_cert_filename      : "client.crt",
        polling_interval          : 10,
        max_retries               : -1,
        retry_interval            : 60,
        timeout                   : 120,
        filter                    :
        {
            hostnames : [],
            sources   : []
        }
    },
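
A review check for the connection and SSL settings documented above, as an added example that is not part of the original page or of Moogsoft's code. Assumptions: the monitor section has already been loaded into a Python dict, ssl_protocols is a list of strings inside it, and the two sample sections are constructed.

```python
import os

# Deprecated protocol versions (SSLv3: RFC 7568; TLS 1.0 and 1.1: RFC 8996).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_PROTOCOLS = ["TLSv1.2"]  # per the page: used when use_ssl is true and none are listed

def resolve_ssl_dir(path, moogsoft_home="/opt/moogsoft/"):
    """Paths starting with '.' or '/' are used as given; otherwise MOOGSOFT_HOME is prepended."""
    return path if path.startswith((".", "/")) else os.path.join(moogsoft_home, path)

def audit_monitor(monitor):
    """Return findings for a monitor section already loaded into a dict (assumption)."""
    findings = []
    if "password" in monitor:
        if "encrypted_password" in monitor:
            findings.append("password: unused while encrypted_password is set; remove the clear-text copy")
        else:
            findings.append("password: stored in clear text; switch to encrypted_password")
    if not monitor.get("use_ssl", False):
        findings.append("use_ssl: false, so the connection to Log Insight is not protected by TLS")
        return findings  # the remaining checks only apply when SSL is on
    weak = sorted(WEAK_PROTOCOLS.intersection(monitor.get("ssl_protocols") or DEFAULT_PROTOCOLS))
    if weak:
        findings.append("ssl_protocols: deprecated versions enabled: " + ", ".join(weak))
    if monitor.get("use_client_authentication", False):
        for key in ("client_key_filename", "client_cert_filename"):
            if not monitor.get(key):
                findings.append(key + ": required when use_client_authentication is true")
    return findings

# Constructed samples (not taken from a real deployment).
WEAK_SAMPLE = {"host_name": "localhost", "user_name": "user", "password": "constructed-secret",
               "use_ssl": True, "path_to_ssl_files": "config",
               "ssl_protocols": ["SSLv3", "TLSv1.2"],
               "use_client_authentication": True, "client_key_filename": "client.key"}
HARDENED_SAMPLE = {"host_name": "localhost", "user_name": "user", "encrypted_password": "<placeholder>",
                   "use_ssl": True, "path_to_ssl_files": "config", "server_cert_filename": "server.crt"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, "-> certificates expected in", resolve_ssl_dir(cfg["path_to_ssl_files"]))
        for finding in audit_monitor(cfg):
            print("  -", finding)
```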

Agent

Agent allows you to define two parameters:

Field  Description
name  This is the agent name. The events sent to MooMS by the vRealize Log Insight LAM are identified by the agent name in the log. In this LAM, the agent name is vRealize Log Insight LAM.
log  REST Client LAM will write its ingress contents in the file vrealize_loginsight_lam.log located at /var/log/moogsoft/.

HA Configuration

Refer to the document Integrations HA Configuration

Mapping

For events received in JSON format, you can directly map the event fields of vRealize Log Insight LAM with Moogsoft fields. The parameters of the received events are displayed in Moogsoft AIOps according to the mapping done here:

mapping :
{
    catchAll: "overflow",
    rules:
    [
        { name: "signature",      rule: "$hostname::$event_type" },
        { name: "source_id",      rule: "$source" },
        { name: "external_id",    rule: "$appname" },
        { name: "source",         rule: "$hostname" },
        { name: "class",          rule: "$event_type" },
        { name: "agent",          rule: "$LamInstanceName" },
        { name: "agent_location", rule: "$LamInstanceName" },
        { name: "type",           rule: "$event_type" },
        { name: "severity",       rule: "0", conversion: "stringToInt" },
        { name: "description",    rule: "$description" },
        { name: "agent_time",     rule: "\$time_changed" }
    ]
},
filter:
{
    modules: [
        "SeverityUtil.js",
        "LamUtility.js"
    ],
}



The above example specifies the mapping of the vRealize Log Insight event fields with the Moogsoft AIOps fields. Data not mapped to Moogsoft AIOps Fields goes into "Custom Info".

Note

The signature field is used by the LAM to identify correlated events.

Constants and Conversions

Constants and Conversions allow you to convert the format of the received data.

Field  Description  Example

severity and sevConverter  The severity field has a conversion defined as sevConverter in the conversions section. It looks up the value of severity in the severity section of constants and returns the mapped integer corresponding to the severity.

severity:
{
    "Clear"    : 0,
    "Info"     : 1,
    "Warning"  : 2,
    "Minor"    : 3,
    "Major"    : 4,
    "Critical" : 5
},

sevConverter:
{
    lookup: "severity",
    input : "STRING",
    output: "INTEGER"
},

stringToInt  Used in a conversion, which forces the system to turn a string token into an integer value.

stringToInt:
{
    input  : "STRING",
    output : "INTEGER"
},

timeConverter  Used in a conversion, which forces the system to convert time. If epoch time is to be used, the timeFormat entry in timeConverter should be commented out. Otherwise, the user should provide the timeFormat.

timeConverter:
{
    timeFormat : "%Y-%m-%dT%H:%M:%S",
    input      : "STRING",
    output     : "INTEGER"
}

Example

Example Constants and Conversions
constants:
{
severity:
{
"clear"         : 0,
"info"          : 1,
"warning"       : 2,
"minor"         : 3,
"major"         : 4,
"critical"      : 5
}

},
conversions:
{
sevConverter:
{
lookup: "severity",
input:  "STRING",
output: "INTEGER"
},

stringToInt:
{
input:      "STRING",
output:     "INTEGER"
},

timeConverter:
{
timeFormat: "yyyy-MM-dd'T'HH:mm:ss.SSS",
input:      "STRING",
output:     "INTEGER"
}
},

Severity Reference

Moogsoft Severity Levels
severity:
{
"clear"          : 0,
"info"           : 1,
"warning"        : 2,
"minor"          : 3,
"major"          : 4,
"critical"       : 5

}
Level Description
0 Clear
1 Info
2 Warning
3 Minor
4 Major
5 Critical

Service Operation Reference

Process Name  Service Name
vrealizeloginsight_lam  vrealizeloginsightlamd

Start the LAM Service:

service vrealizeloginsightlamd start

Stop the LAM Service:

service vrealizeloginsightlamd stop

Check the LAM Service status:

service vrealizeloginsightlamd status

Command Line Reference

To see the available optional attributes of the vrealizeloginsight_lam, run the following command:

vrealizeloginsight_lam --help

The vrealizeloginsight_lam is a command line executable, and has the following optional attributes:

Option  Description
--config  Points to a pathname to find the configuration file for the LAM. This is where the entire configuration for the LAM is specified.
--help  Displays all the command line options.
--version  Displays the component's version number.
--loglevel  Specifies the level of debugging. By default, the user gets everything. In common with all executables in MOOG, having it set at that level can result in a lot of output (many messages per event message processed). In all production implementations, it is recommended that the log level is set to WARN. This ensures only warning, error and fatal messages are recorded.

Performance Information

Minimum requirement
Component Value
CPU 2 core
RAM 4 GB
Operating System CentOS Linux release 6.7

Version

LAM Version Tool Version Verified By