Alert notifications are not triggering in Aria Operations for Logs.

Article ID: 385135

Updated On:

Products

VMware Aria Suite

Issue/Introduction

  • Alert notifications are not triggered even though the alert conditions are met. Sending a test alert succeeds and the endpoints receive the test alert notification, but they do not receive the actual alert notifications.
  • com.vmware.loginsight.rbac.RBACException errors are seen in /storage/core/loginsight/var/runtime.log:
    [YYYY-MM-DD TT:TT:TT.TTT+0000] ["ScheduledQueryServiceScheduler-thread-3"/X.X.X.X ERROR] [com.vmware.loginsight.scheduled.ScheduledQueryService] [Could not run query for alert]
    com.vmware.loginsight.rbac.RBACException: User [username] not found in domain <domain_name>.
            at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.queryUserGroups(ActiveDirectoryQueryHelper.java:1042) ~[auth-lib.jar:?]
            at com.vmware.loginsight.database.dao.RBACUserDO.loadDirectoryGroups(RBACUserDO.java:172) ~[database-lib-li.jar:?]
            at com.vmware.loginsight.database.dao.RBACUserDO.loadDirectoryGroups(RBACUserDO.java:146) ~[database-lib-li.jar:?]
            at com.vmware.loginsight.rbac.RBACUser.getDirectoryGroups(RBACUser.java:198) ~[commons-lib.jar:?]
            at com.vmware.loginsight.rbac.RBACUser.getGroups(RBACUser.java:182) ~[commons-lib.jar:?]
            at com.vmware.loginsight.rbac.RBACUser.getEffectiveDataSets(RBACUser.java:389) ~[commons-lib.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQuerySearch.constrainSearchToUser(ScheduledQuerySearch.java:625) ~[scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQuerySearch.doSearch(ScheduledQuerySearch.java:577) ~[scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQuerySearch.searchGroupByQuery(ScheduledQuerySearch.java:400) ~[scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQuerySearch.alertSearch(ScheduledQuerySearch.java:173) ~[scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQuerySearch.alertSearch(ScheduledQuerySearch.java:132) ~[scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQueryService.searchAndRaiseAlertIfNeeded(ScheduledQueryService.java:211) [scheduled-services.jar:?]
            at com.vmware.loginsight.scheduled.ScheduledQueryService$ScheduledQueryServiceImpl$1.run(ScheduledQueryService.java:650) [scheduled-services.jar:?]
            at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
            at java.util.concurrent.FutureTask.run(Unknown Source) [?:?]
            at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source) [?:?]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
            at java.lang.Thread.run(Unknown Source) [?:?]
    Caused by: com.vmware.loginsight.aaa.AuthenticationFailedException: User [username] not found in domain msc.internal.
            at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.getUser(ActiveDirectoryQueryHelper.java:142) ~[auth-lib.jar:?]
            at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.getUser(ActiveDirectoryQueryHelper.java:126) ~[auth-lib.jar:?]
            at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.queryUserGroups(ActiveDirectoryQueryHelper.java:1040) ~[auth-lib.jar:?]
            ... 18 more
    
    

     

    [YYYY-MM-DD TT:TT:TT.TTT+0000] ["ScheduledQueryServiceScheduler-thread-2"/X.X.X.X ERROR] [com.vmware.loginsight.scheduled.ScheduledQueryService] [Could not run query for alert]
    com.vmware.loginsight.rbac.RBACException: Cannot load Directory groups without configuration.
        at com.vmware.loginsight.database.dao.RBACUserDO.loadDirectoryGroups(RBACUserDO.java:179) ~[database-lib-li.jar:?]

Environment

Aria Operations for Logs 8.18.x

Cause

This issue occurs when the alerts were created by users imported from Active Directory and those users were later deleted, or when the Active Directory configuration was removed.
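
To confirm this cause on a copy of runtime.log, the following added example (not code from this article or from VMware) counts failed alert runs for each of the two RBACException signatures shown above and lists the directory users named in the errors. The sample log, the user jdoe, the domain example.test and the IP address are constructed.

```python
import re
import sys
from collections import Counter

# Line formats follow the runtime.log excerpts shown in this article.
HEADER = re.compile(r'^\s*\[(?P<ts>[^\]]+)\] \["(?P<thread>ScheduledQueryServiceScheduler-thread-\d+)"'
                    r'.*\[Could not run query for alert\]')
USER_MISSING = re.compile(r'RBACException: User (?P<user>.+?) not found in domain (?P<domain>\S+?)\.?\s*$')
NO_AD_CONFIG = re.compile(r'RBACException: Cannot load Directory groups without configuration')

def scan(lines):
    """Return one finding per failed alert query whose exception line is an RBAC lookup error."""
    findings, pending = [], None
    for line in lines:
        header = HEADER.search(line)
        if header:
            pending = header.groupdict()      # remember which scheduled run failed
            continue
        if pending is None or not line.strip():
            continue                          # stack frames, blank lines, unrelated entries
        user = USER_MISSING.search(line)
        if user:
            findings.append({**pending, "cause": "ad_user_missing", **user.groupdict()})
        elif NO_AD_CONFIG.search(line):
            findings.append({**pending, "cause": "ad_config_removed", "user": None, "domain": None})
        pending = None                        # only the first line after the header is examined
    return findings

def summarize(findings):
    """Count failed alert runs per (cause, user, domain)."""
    return Counter((f["cause"], f["user"], f["domain"]) for f in findings)

# Constructed sample (user, domain, IP and timestamps are made up), not real appliance output.
SAMPLE = """\
[2025-01-10 08:00:00.123+0000] ["ScheduledQueryServiceScheduler-thread-3"/10.0.0.5 ERROR] [com.vmware.loginsight.scheduled.ScheduledQueryService] [Could not run query for alert]
com.vmware.loginsight.rbac.RBACException: User jdoe not found in domain example.test.
        at com.vmware.loginsight.aaa.krb5.ActiveDirectoryQueryHelper.queryUserGroups(ActiveDirectoryQueryHelper.java:1042) ~[auth-lib.jar:?]
Caused by: com.vmware.loginsight.aaa.AuthenticationFailedException: User jdoe not found in domain example.test.
[2025-01-10 08:05:00.456+0000] ["ScheduledQueryServiceScheduler-thread-3"/10.0.0.5 ERROR] [com.vmware.loginsight.scheduled.ScheduledQueryService] [Could not run query for alert]
com.vmware.loginsight.rbac.RBACException: User jdoe not found in domain example.test.
[2025-01-10 08:05:01.000+0000] ["ScheduledQueryServiceScheduler-thread-2"/10.0.0.5 ERROR] [com.vmware.loginsight.scheduled.ScheduledQueryService] [Could not run query for alert]
com.vmware.loginsight.rbac.RBACException: Cannot load Directory groups without configuration.
"""

if __name__ == "__main__":
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for (cause, user, domain), runs in summarize(scan(source)).items():
        print(f"{runs} failed alert run(s): {cause} user={user} domain={domain}")
```

Pass the path of a copied runtime.log as the first argument; with no argument the script runs on the constructed sample.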

Resolution

Duplicate the alerts using the local admin or any valid user; the alert notifications will then trigger as expected.

Refer to the Define an Alert documentation to create the alert as required.