Log Insight 4.0: New User Alerts Administration

Log Insight takes customer experience seriously. The number two request on the Log Insight community was to improve alerts. I am happy to announce this feature is available in Log Insight 4.0. Read on to learn more!

The Problems

Many problems were highlighted regarding alerts, but the top concern by far was that super admins did not have the right to manipulate other users’ alerts. Arguably there is a good security reason not to enable this feature, but there are compelling arguments on the other side as well. The primary usability issue was that if a user misconfigured an alert, only that user was able to fix it. This often led to mass email spamming, Log Insight query performance issues, and other problems.

The Interim Solution

In Log Insight 3.6, an interim solution was provided in the form of the experimental user impersonation feature. While this experimental feature still exists in Log Insight 4.0, a fully supported solution is now also available.

The Solution

The solution was to introduce a user alert administration page.

This page lists all defined user alerts on a Log Insight instance. In addition, it provides information about which alerts are enabled, run time, search interval and more. Most importantly, it gives super admins the ability to disable, edit, or even delete any user’s alerts.

The “i”, pencil, and “x” icons should all look familiar, as they function exactly the same as on other parts of Log Insight. The only new icon is the toggle under the Enabled column. If the toggle is to the right and green, the alert is enabled. If the toggle is to the left and gray, the alert is disabled.

Some other features to be aware of on the page:

  • Columns can be sorted by selecting the column name
  • You can filter by alert name, owner name, or content pack
  • You can choose to only view enabled alerts
  • The “Suspend all user alerts” toggle has been moved from the /admin/general page to this page (/admin/alerts)
  • You can export the user alert table by scrolling all the way to the bottom of the page


What about Security

Even with this new administration page, security is a concern. This is mitigated through audit logging. If a super admin makes a change, that change is logged to UI.log:

[2016-12-11 17:43:58.583+0000] ["https-jsse-nio-443-exec-5"/192.168.1.31 INFO] [com.vmware.loginsight.web.actions.InstrumentationActionBean] [[ClusterID: a6c2714c-ab5f-4dba-8106-ce216b07954d] [LI Version: 4.0.0] [UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36] [UserID: e55e019e-f1c7-4226-8dac-31f1e199c792] [RBAC Capabilities: DASHBOARD,EDIT_SHARED,ANALYTICS,EDIT_ADMIN,VIEW_ADMIN] [RBAC Group: Admin No LI] {"name":"DisableAlert","where":"admin.alerts"}]

To confirm which alert was changed, you can search for “Updated alert” in runtime.log:

[2016-12-11 17:43:58.580+0000] ["https-jsse-nio-443-exec-7"/192.168.1.31 INFO] [com.vmware.loginsight.database.dao.AlertDAO] [Updated alert: Alert [id=c78d6b6e-2441-48ca-a102-55119a9b4b2e, enabled=true, emailEnabled=true, vcopsEnabled=false, alertType=RATE_BASED_WITH_GROUPS, name=LI Restarted!, chartQuery={"query":"","startTimeMillis":1457961912465,"endTimeMillis":1457983512464,"piqlFunctionGroups":[{"functions":[{"label":"Unique count","value":"UCOUNT","requiresField":true,"numericOnly":false}],"field":{"internalName":"session_guid","displayName":"session_guid","displayNamespace":null}}],"dateFilterPreset":"CUSTOM","shouldGroupByTime":true,"eventSortOrder":"DESC","summarySortOrder":"DESC","compareQueryOrderBy":"TREND","compareQuerySortOrder":"DESC","compareQueryOptions":null,"messageViewType":"EVENTS","constraintToggle":"ALL","piqlFunction":{"label":"Unique count","value":"UCOUNT","requiresField":true,"numericOnly":false},"piqlFunctionField":"session_guid","fieldConstraints":[{"internalName":"cluster_guid","operator":"EXISTS"}],"supplementalConstraints":[],"groupByFields":[{"displayName":"hostname","internalName":"hostname","displayNamespace":null,"numericGroupByType":"EACH_VALUE","numericGroupByValue":null}],"extractedFields":[]}, messageQuery=null, hitCount=1.0, hitOperator=GREATER_THAN, searchPeriod=3600000, searchInterval=600000, [email protected], info=null, recommendation=null, vcopsResourceName=, vcopsResourceKindKey=, vcopsCriticality=none, lastRanAt=1481477787270, nextRunAt=1481478387270, runCount=37780, lastRunTime=66, totalRunTime=17809926, lastHitTimestamp=1457983552306, owner=Local User: Name=admin, vropsAdapterKindKey=null, vropsResourceKindKey=null, vropsCombiner=null, vropsPropertyMaps=null, webhookEnabled=false, webhookURLs=null, autoClearAlertAfterTimeout=false, contentPackNamespace=null], to: Alert [id=c78d6b6e-2441-48ca-a102-55119a9b4b2e, enabled=false, emailEnabled=false, vcopsEnabled=false, alertType=RATE_BASED_WITH_GROUPS, name=LI 
Restarted!, chartQuery={"query":"","startTimeMillis":1457961912465,"endTimeMillis":1457983512464,"piqlFunctionGroups":[{"functions":[{"label":"Unique count","value":"UCOUNT","requiresField":true,"numericOnly":false}],"field":{"internalName":"session_guid","displayName":"session_guid","displayNamespace":null}}],"dateFilterPreset":"CUSTOM","shouldGroupByTime":true,"eventSortOrder":"DESC","summarySortOrder":"DESC","compareQueryOrderBy":"TREND","compareQuerySortOrder":"DESC","compareQueryOptions":null,"messageViewType":"EVENTS","constraintToggle":"ALL","piqlFunction":{"label":"Unique count","value":"UCOUNT","requiresField":true,"numericOnly":false},"piqlFunctionField":"session_guid","fieldConstraints":[{"internalName":"cluster_guid","operator":"EXISTS"}],"supplementalConstraints":[],"groupByFields":[{"displayName":"hostname","internalName":"hostname","displayNamespace":null,"numericGroupByType":"EACH_VALUE","numericGroupByValue":null}],"extractedFields":[]}, messageQuery=null, hitCount=1.0, hitOperator=GREATER_THAN, searchPeriod=3600000, searchInterval=600000, [email protected], info=null, recommendation=null, vcopsResourceName=, vcopsResourceKindKey=, vcopsCriticality=none, lastRanAt=1481477787270, nextRunAt=1481478387270, runCount=37780, lastRunTime=66, totalRunTime=17809926, lastHitTimestamp=1457983552306, owner=Local User: Name=admin, vropsAdapterKindKey=null, vropsResourceKindKey=null, vropsCombiner=null, vropsPropertyMaps=null, webhookEnabled=false, webhookURLs=null, autoClearAlertAfterTimeout=false, contentPackNamespace=null]]
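
The lookup described above, as an added example (not code from the original post or from Log Insight): it pairs an admin.alerts action in UI.log with the matching “Updated alert” entry in runtime.log and reports which toggles changed. The sample entries are trimmed copies of the two above; matching on the header address and a two-second window are assumptions.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed samples: the page's two entries with the long fields trimmed.
UI_LOG = ('[2016-12-11 17:43:58.583+0000] ["https-jsse-nio-443-exec-5"/192.168.1.31 INFO] '
          '[com.vmware.loginsight.web.actions.InstrumentationActionBean] [[LI Version: 4.0.0] '
          '[UserID: e55e019e-f1c7-4226-8dac-31f1e199c792] {"name":"DisableAlert","where":"admin.alerts"}]')
ALERT = ('Alert [id=c78d6b6e-2441-48ca-a102-55119a9b4b2e, enabled=%s, emailEnabled=%s, '
         'name=LI Restarted!, chartQuery={"query":""}, owner=Local User: Name=admin, '
         'vropsAdapterKindKey=null, webhookEnabled=false]')
RUNTIME_LOG = ('[2016-12-11 17:43:58.580+0000] ["https-jsse-nio-443-exec-7"/192.168.1.31 INFO] '
               '[com.vmware.loginsight.database.dao.AlertDAO] [Updated alert: %s, to: %s]'
               % (ALERT % ("true", "true"), ALERT % ("false", "false")))
TRACKED = ("enabled", "emailEnabled", "webhookEnabled")  # toggles that silence an alert

def grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def head(line):
    """Timestamp and address from the '[ts] ["thread"/addr LEVEL]' entry header."""
    ts = datetime.strptime(grab(r'^\[([^\]]+)\]', line), "%Y-%m-%d %H:%M:%S.%f%z")
    return {"ts": ts, "addr": grab(r'^\[[^\]]+\] \["[^"]*"/(\S+) ', line)}

def parse_ui(line):
    """An admin.alerts action from a UI.log entry, else None."""
    js = grab(r'(\{"name":.*\})\]$', line)
    action = json.loads(js) if js else {}
    if action.get("where") != "admin.alerts":
        return None
    return dict(head(line), user_id=grab(r'\[UserID: ([0-9a-f-]+)\]', line), action=action["name"])

def parse_update(line):
    """Alert identity and changed toggles from a runtime.log 'Updated alert' entry, else None."""
    if "[Updated alert: Alert [" not in line:
        return None
    old, new = line.split("], to: Alert [", 1)  # state before and after the change
    pairs = {k: (grab(r'\b%s=(\w+)' % k, old), grab(r'\b%s=(\w+)' % k, new)) for k in TRACKED}
    return dict(head(line), alert_id=grab(r'\bid=([0-9a-f-]+)', new),
                name=grab(r'\bname=(.*?), chartQuery=', new),
                owner=grab(r'\bowner=(.*?), vropsAdapterKindKey=', new),
                changed={k: v for k, v in pairs.items() if v[0] != v[1]})

def correlate(ui_lines, runtime_lines, window=timedelta(seconds=2)):
    """Pair actions with updates logged under the same address within `window` (an assumption)."""
    acts = [a for a in map(parse_ui, ui_lines) if a]
    ups = [u for u in map(parse_update, runtime_lines) if u]
    return [(a, u) for a in acts for u in ups
            if a["addr"] == u["addr"] and abs(a["ts"] - u["ts"]) <= window]
```

Each pair returned by correlate() gives the acting UserID and action from UI.log alongside the alert name, owner and before/after toggle values from runtime.log.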

© 2017, Steve Flanders. All rights reserved.
