VMware Cloud Community
Foyman1973
Enthusiast

PowerCLI+LogInsight API Filtering

So I have this issue with ESXi hosts where they randomly seem to stop sending syslog to LogInsight in such a way that no alerts trigger anywhere; I just end up with no data until the syslog service on the host is restarted. In the past when I was leveraging vCenter syslog, since it dropped everything into a folder on the Windows server I could just check the last modified timestamp on the folder contents, then based on a certain delta indicating it's been too long since any activity was written I could reach out via PowerCLI and restart the host syslog service. With LogInsight I don't have any folders to check, yet I do have the API so I thought it would be fairly simple to get a list of hosts and latest event timestamp. It turns out it's harder than I thought since I don't really understand how to leverage the API effectively. Does anyone have any URI examples of how I might get a list of 'source' with a latest event timestamp? I would even settle for just getting a list of unique 'source' names and IDs that I could then run through an array.

0 Kudos

Accepted Solutions
LucD
Leadership

Did you already have a look at the cmdlets in my LogInsight Module?


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos
Foyman1973
Enthusiast

Unfortunately no, I had not seen this reply. Thanks for that though, as I had missed the commands up until today so this will be handy for future projects. I did learn a few things about leveraging the API via trial and error though, so not a total loss. :)

What I ended up doing is rather the long road, it would seem, but using a couple of functions I went directly to the API and did a date comparison against the latest event:

Function for getting the API bearer token:

function Get-BearerToken {
    [OutputType([string])]
    param([Parameter(Mandatory = $true)][string]$myURI,
        [Parameter(Mandatory = $true)][hashtable]$myHeader,
        [Parameter(Mandatory = $true)][string]$myUserName,
        [Parameter(Mandatory = $true)][securestring]$myHash,
        [Parameter(Mandatory = $true)][string]$myProvider)
    Write-Host "Retrieving bearer token from API..."
    # Decrypt the SecureString only for the request, then zero and free the unmanaged copy
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($myHash)
    try {
        $body = ConvertTo-Json @{"username"=$myUserName;"password"=[Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr);"provider"=$myProvider}
        # Use the header passed in as a parameter rather than the caller's $jsonHeader variable
        $sessionData = Invoke-RestMethod -Method Post -Uri $myURI -Headers $myHeader -Body $body
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    $bearerString = "Bearer $($sessionData.sessionId)"
    return $bearerString
}

Base steps I used to pull the most recent log event for a given ESXi host for comparison:

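# Base URL of the Log Insight API
$rootAPI = "https://loginsight.your.domain/api/v1/"
# Newest single hostd event whose source contains the host name
# ($vmHost is assumed to be set by the caller, e.g. in a loop over the ESXi hosts)
$thisURL = $rootAPI+"events/source/CONTAINS%20$($vmHost.Name)/appname/CONTAINS%20hostd?limit=1&order-by-direction=DESC&view=SIMPLE"
$sessionURI = "$($rootAPI)sessions"
$jsonHeader = @{"Content-Type"="application/json"}
# Authenticate once and reuse the bearer token for the query
$authHeader = @{"Authorization"=$(Get-BearerToken -myURI $sessionURI -myHeader $jsonHeader -myUserName $vRLIuser -myHash $vRLIpass -myProvider $vRLIprovider)}
$thisLogSet = Invoke-RestMethod -Method GET -Uri $thisURL -Headers $authHeader -ErrorAction SilentlyContinue
# The event timestamp is in milliseconds since 1/1/1970; convert it to a DateTime
$baseDate = get-date -date "1/1/1970 00:00:00"
$newDate = $basedate.AddMinutes((($thisLogSet.results.timestamp)/1000)/60)
# Minutes elapsed between the latest event and now (UTC)
$eventSpan = (New-TimeSpan -Start $newDate -End ((Get-Date).ToUniversalTime())).TotalMinutes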

Thanks for responding @LucD!

0 Kudos
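
The approach in the post above, extended to a loop over all connected hosts, as an added example that is not part of the original thread: a failed API query is kept separate from a stale host, so a Log Insight outage does not trigger syslog restarts everywhere. The function names, the 30-minute threshold and the `vmsyslogd` service key are assumptions of this example; `$rootAPI` and `$authHeader` are built as in the post.

```powershell
# Added example: not from the original thread. Assumes an existing PowerCLI
# session (Connect-VIServer) and $rootAPI / $authHeader built as in the post above.
function Get-SyslogGapMinutes {
    # Minutes since the given epoch-millisecond timestamp; $null when there is no event.
    param($TimestampMs, [datetime]$NowUtc = [datetime]::UtcNow)
    if ($null -eq $TimestampMs) { return $null }
    $last = [DateTimeOffset]::FromUnixTimeMilliseconds([long]$TimestampMs).UtcDateTime
    return [math]::Round(($NowUtc - $last).TotalMinutes, 1)
}

function Test-VMHostSyslogFlow {
    param(
        [Parameter(Mandatory)][string]$RootApi,
        [Parameter(Mandatory)][hashtable]$AuthHeader,
        [int]$MaxGapMinutes = 30,   # hypothetical threshold, tune per environment
        [switch]$RestartStale       # report only unless this is set
    )
    foreach ($vmHost in Get-VMHost | Where-Object ConnectionState -eq 'Connected') {
        # Escape the host name so it cannot alter the query path
        $name = [uri]::EscapeDataString($vmHost.Name)
        $url  = "${RootApi}events/source/CONTAINS%20$name/appname/CONTAINS%20hostd" +
                "?limit=1&order-by-direction=DESC&view=SIMPLE"
        try {
            $set = Invoke-RestMethod -Method Get -Uri $url -Headers $AuthHeader -ErrorAction Stop
        }
        catch {
            # A failed query says nothing about the host; never restart on it.
            Write-Warning "Query failed for $($vmHost.Name): $($_.Exception.Message)"
            continue
        }
        $gap   = Get-SyslogGapMinutes -TimestampMs ($set.results | Select-Object -First 1).timestamp
        $stale = ($null -eq $gap) -or ($gap -gt $MaxGapMinutes)
        if ($stale -and $RestartStale) {
            # 'vmsyslogd' is assumed to be the syslog service key; verify with Get-VMHostService
            Get-VMHostService -VMHost $vmHost | Where-Object Key -eq 'vmsyslogd' |
                Restart-VMHostService -Confirm:$false | Out-Null
        }
        [pscustomobject]@{ Host = $vmHost.Name; GapMinutes = $gap; Stale = $stale
                           Restarted = [bool]($stale -and $RestartStale) }
    }
}
```

Run `Test-VMHostSyslogFlow -RootApi $rootAPI -AuthHeader $authHeader` first to see the report, then add `-RestartStale` once the threshold matches the normal hostd logging rate.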
LucD
Leadership

Thanks for sharing that Jason, useful info!


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

0 Kudos