There are several known issues and limitations in the log Collection framework. The issues discussed in this KB apply when Log Management is directly ingesting logs from the mentioned components or when a Unified Cloud Proxy Log Forwarder is used.

Limitations:

• Log collection should be managed only by 1 VCF Operations per component. The behavior is undefined otherwise.
• This restriction applies to 9.1 VC and NSX.  When log collection is enabled, VCF Operations overwrites any existing log-collection configuration for these components
• The restriction does not apply to ESX. VCF Operations does not overwrite the ESX log destinations but rather adds to it. 
• The restriction does not apply to VC and NSX of versions below 9.1
• Operations for Networks log collection isn’t supported in VVF even if there’s a vRNI adapter instance configured.

VCF 9.1

Issue: Log Collection status reported in the Log Management Log Collection page is Failed for NSX, HCX, VC, and Supervisor components after certificate rotation

• Possible Causes: The certificate has been rotated, but the log collection framework still has not received the updated certificates.
• Resolution: The issue is only cosmetic; since these components are configured, the agent will continue to forward the logs. Within one hour, the configuration will sync between Log Management and the VCF Operations, and the status will be recovered.

VCF Component logs are not being received because of connectivity issues

Issue: Log collection is failing due to a connectivity issue between the VCF component and the log collector.

• Possible Causes: Firewall issues, closed ports
• Resolution: Environment specific, has to be fixed by the customer

Issue: Log collection status is Failed for NSX, HCX, VC, and Supervisor components

• Possible Causes: If the corresponding cloud account is created manually, the credentials might not have sufficient permissions to configure log collection
• Resolution: update the credentials on the cloud account

Issue: VC log collection configuration is lost when upgrading a VC to version 9.1

• Cause: Starting in VC 9.1, VC ships with the Log Insight Agent. If a VC has the agent already installed and is then upgraded to VC 9.1., the previously installed agent and any agent configuration is deleted. Further, if VC was configured to forward logs using syslog, the syslog targets are deleted. 
• Resolution: use the Log Management → configure collection page to enable and customize VC log collection. Enable log collection using the cloud account page for the corresponding VC adapter.

Issue: Field annotations defined for FQDNs/VIPs in the configuration → Log Management → Log Collection → Internal load balancer page are not applied to logs sent using syslog

• Possible causes: Known issue

Resolution: There is no work around. Field  tagging only applies to logs sent using HTTP/HTTPS.

For VC, NSX, and ESX, Log collection is enabled but doesn’t start unless the corresponding adapter is started.