Creating Alert Notifications in vRealize Operations for Log Insight Alerts
VMware vRealize has some great integrations between its products, but recently I came to find out that it does have some shortfalls. Specifically, it has a shortfall in being able to get alert notifications from vRealize Operations (vROps) on an alert triggered from vRealize Log Insight (vRLI). This came as a surprise to me, as I wanted to create very specific and targeted alert notifications based on the context of the vRLI alert. This took me quite some time, as the documentation of the integration between vROps and vRLI is a little lacking when it comes to setting up granular alert notifications. And, when I say lacking, I literally could not find anything. So, I decided to take what I have learned, and put it here for the rest of the world to benefit.
In this article, I am going to make the following assumptions:
- You have vRealize Operations set up
- You have vRealize Log Insight set up
- Your versions of vRealize products are at least 8.x
- You have them integrated together
- You know how to set up an alert in vRLI
- You know how to send configured vRLI Alerts to vROps
In my particular situation, I was collecting logs from a Linux server that I needed to monitor for the failed logins of a service account. I created my Interactive Analytics query in vRLI, and began to create my alert. I won’t go into the specifics of this part, because I assumed (see my assumptions section) that you already know how to do this. But, I am going to show you a screenshot of my alert definition, because there is a key piece of information that we will need.
The key piece of information that we need is the Name of the Alert. We will need to use this when we set up our Symptom in vROps.
Now, let’s go over to vROps, and get ready to set up our alert symptom. You will need to go to the Message Event Symptom Definitions tab. To do that, navigate to Alerts -> Symptom Definitions -> Message Event.
Let’s go ahead and add our Symptom Definition. When you click the ADD button, you will get the standard popup, but you don’t get to choose your Symptom Type; it will be set as a Message Event. My notification is for Virtual Machines, but you can create it for any Base Object Type you need. The key is that we need a Notification Message Event, as that is how vROps classifies the alerts from vRLI. You can double-click on Notification, or drag it over to the symptom definition workspace.
Here, we will set up our criteria for the Symptom. I like to use descriptive names, but the name is not relevant. The part that we need to focus on is the Value of the condition we are setting up.
It does not matter if you use a regular expression or a static condition. The key is that the Value of the message is not the content of the log, but the name of the Alert as you set it in vRLI (see figure 1). When vROps receives the message event from the vRLI Alert, it shows up as “Log Insight: <Alert Name>”. This is the key that took me a little time to figure out. Once the light bulb came on, and I figured out that the “Message Value” was the Alert Name from vRLI, and didn’t have anything to do with any of the logs or anything else that came from vRLI, it came together quite nicely.
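To make the matching rule concrete, here is an added example (not from vROps or vRLI themselves) that builds the condition Value from an alert name and checks it against sample message events. The alert name and events are constructed, and it assumes the regular-expression condition behaves like Python's `re.search`, which you should verify against your vROps version.

```python
import re

# Prefix vROps places in front of the vRLI alert name, as described above.
PREFIX = "Log Insight: "

def static_value(alert_name):
    """Value for a static condition: prefix plus the exact vRLI alert name."""
    return PREFIX + alert_name

def unanchored_value(alert_name):
    """Escaped but unanchored pattern: also hits alerts that share the name."""
    return re.escape(PREFIX + alert_name)

def regex_value(alert_name):
    """Escaped and anchored pattern: matches this one alert only."""
    return "^" + unanchored_value(alert_name) + "$"

def matching_events(pattern, events):
    """Return the events a regex condition would fire on (re.search assumed)."""
    return [e for e in events if re.search(pattern, e)]

# Constructed sample data: a hypothetical alert name and message events.
ALERT = "Failed logins (svc_backup)"
EVENTS = [
    "Log Insight: Failed logins (svc_backup)",         # the alert we want
    "Log Insight: Failed logins (svc_backup) - test",  # sibling alert
    "Log Insight: Disk latency high",                  # unrelated alert
    # Raw log content never appears as the message value:
    "sshd[2211]: Failed password for svc_backup from 10.0.0.5 port 50122 ssh2",
]

if __name__ == "__main__":
    # Pasting the name unescaped turns "(svc_backup)" into a regex group,
    # so the pattern no longer matches the literal parentheses at all.
    print("unescaped :", matching_events(PREFIX + ALERT, EVENTS))
    print("unanchored:", matching_events(unanchored_value(ALERT), EVENTS))
    print("anchored  :", matching_events(regex_value(ALERT), EVENTS))
```

If your alert names contain characters such as parentheses or dots, the static condition avoids the escaping problem entirely.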
At this point, you should have a Symptom Definition that you can use in a custom alert, and you can then set up targeted notifications based on that alert. Don’t forget to edit your vROps policy to enable your new Symptom Definition and Alert Definition. Without those being enabled in the policy, you will not get the results you need.
Anyway, I hope this helps out someone, because I spent 3 days on this, before I figured it out. Hopefully you have found this article BEFORE you got to the 3 day mark, and I have saved you some time and heartache.