venerdì 21 aprile 2023

vRealize Log Insight Internal Certificate issue

Issue


A KB91441 was recently published that affects vRLI internal certificate that will expire on April 30th. The expiration on the certificate will leading to a comunication failures in internode comunication in a vRLI cluster. However, this problem affects both cluster and single instance installation of a vRLI, so I invite you to read carefully the KB and act as soon as possible.

Before to act on the customer's production cluster environment I prefer to do some tests on the safe VMware HOL environment, using this LAB "Getting Started with Aria Operations for Logs (HOL-2201-03-CMP)".

Let's see below the tasks, following the KB "Updating the vRealize Log Insight Internal Certificate (91441)" step by step.

Solution


As the KB says:

This is a known issue affecting vRealize Log Insight 8.x.
The official resolution will be in the next vRealize Log Insight due out before April 30th 2023.


In my case the vRLI is a single instance version 8.4.


Below the verification steps before the fix:
  1. Let's check the external certificates, also because the problem may not arise with the expiration of the external certificate, but it is actually the internal certificate that expires:

    Open a web browser and open the vRLI URL and verify the certificate

  2. Get access to the vRealize Log Insight with user admin (Default built-in) > Administration > SSL.

    Click on “VIEW DETAILS…” of Existing Certificate

    As you can see here, the external certificates don't seems to expire imminently

  3. Connect via SSH to the vRealize Log Insight appliance with root user and run the following command:

    # openssl x509 -in /storage/core/loginsight/cidata/cassandra/config/cacert.pem -enddate -noout
    If the result is as indicated in the figure above, it must be updated, even if in points 1. and 2. the certificate is not expired. If the result is different and expires beyond April 30, 2023, no certificate reconfiguration activities are required.



Below the workaround:
  1. Take a cold snapshot of the vRealize Log Insight VM
  2. Generating the new self-signed certificate:
    openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 3650 -out domain.crt -nodes 
    When prompted by openssl, provide the required values for your company.

    Then run the following command to concatenate the key and cert into a pem file
    cat domain.key domain.crt > /tmp/cert.pem
  3. Download the cert.pem file and upload it to vRealize Log Insight:
    Navigate to Configuration > SSL, click Choose File, browse to the cert.pem file previusly downloaded and click Open.
    Click Save. This will automatically distribute the new cert across all nodes in the vRealize Log Insight cluster. Wait for the SSL certificate to be updated.
  4. Run the "update_default_cert.sh" script downloaded from VMware KB:
    # ./update_default_cert.sh --all
    Once completed, stop the loginsight service on the node by running the following command:
    # systemctl stop loginsight
    Start the loginsight service by running the following command:
    # systemctl start loginsight
    Execute the script with the verify option:
    # ./update_default_cert.sh --verify
  5. Run the following command to validate that the new certificate is in place:
    # openssl x509 -in /storage/core/loginsight/cidata/cassandra/config/cacert.pem -enddate -noout
    Verify the certificate by UI as well:
  6. If everything seems to be OK, remove the snapshot.

Another way to address the criticality is to upgrade vRealize Log Insight to new version before the April 30 deadline because the new 8.12 version is not affected by this issue.
At the time I'm posting this article (April 20th, 2023), the new release 8.12 has just been released, and is available for download.
VMware Aria Operations for Logs 8.12 release notes are available here.

That's it.

giovedì 6 aprile 2023

Log Forwarding - vRealize Log Insight

Issue


I need to forward log from vRealize Log Insight to an external syslog server

Solution


A quick post on how it is simple to configure a log forwarding from vRealize Log Insight to an external syslog server.
The official documentation is available at this link
Below the steps:
  1. Get access to the vRealize Log Insight

  2. When logged, click on Administration (1) > Event Forwarding (2) > + NEW DESTINATION (3)
  3. Fill in the forms, with the proper information like Name, Destination Host. Select the protocol (Ingestion API, syslog, or RAW) to use to send the logs and so on.
    It is also possible to Filter which logs to send adding a filter. In my case I forward everything.
  4. Click on SAVE

  5. And result should be an entry like the one below:

That's it.