VMware Aria Operations for Logs not receiving logs from Aria Suite Lifecycle after VMware Aria Suite Lifecycle Upgrade to 8.18
search cancel

VMware Aria Operations for Logs not receiving logs from Aria Suite Lifecycle after VMware Aria Suite Lifecycle Upgrade to 8.18

book

Article ID: 380947

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

After upgrading VMware Aria Suite Lifecycle to version 8.18, log entries to written to /var/log/vrlcm/vmware_vrlcm.log stopped being sent to VMware Aria Operations for Logs.

Environment

VMware Aria Suite Lifecycle 8.18

VMware Aria Operations for Logs 8.18

Cause

VMware Aria Suite Lifecycle changed the format of a log timestamp without a corresponding change in the event_marker definition for the VMware Aria Operations for Logs VMware Aria Suite Lifecycle Content Pack.

The change the format of a log timestamp without a corresponding change in the event_marker definition prevented the liagent from recognizing any of the log entries to written to /var/log/vrlcm/vmware_vrlcm.log from being recognized as events to be sent by the Log Insight Agent to VMware Aria Operations for Logs.

Resolution

Workaround:
In the VMware Aria Operations for Logs Agent Group being used for VMware Aria Suite Lifecycle,
in the [filelog|vrslcm-server] section,

change the entry 

event_marker=^\d+-\d+-\d+\s+\d+:\d+:\d+\.\d+

to 

event_marker=^\d+-\d+-\d+T\d+:\d+:\d+\.\d+

The timesstamps logged to /var/log/vrlcm/vmware_vrlcm.log changed from using a space character between the date and the time to the letter T.  Changing the event_marker definition restores recognition of the timestamp as the beginning of an event to be sent by the Log Insight Agent.