So I have this issue with ESXi hosts where they randomly seem to stop sending SysLog to Loginsight in such a way that no alerts trigger anywhere; I just end up with no data until the syslog service on the host is restarted. In the past when I was leveraging vCenter syslog, since it dropped everything into a folder on the Windows server I could just check the last modified timestamp on the folder contents, then based on a certain delta indicating it's been too long since any activity was written I could reach out via PowerCLI and restart the host syslog service. With LogInsight I don't have any folders to check, yet I do have the API so I thought it would be fairly simple to get a list of hosts and latest event timestamp. It turns out it's harder than I thought since I don't really understand how to leverage the API effectively. Does anyone have any URI examples of how I might get a list of 'source' with a latest event timestamp? I would even settle for just getting a list of unique 'source' names and IDs that I could then run through an array.
Did you already have a look at the cmdlets in my LogInsight Module?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Unfortunately no, I had not seen this reply. Thanks for that though as I had missed the commands up until today so this will be handy for future projects. I did learn a few things about leveraging the API via trial and error though so not a total loss.
What I ended up doing is rather the long road, it would seem, but using a couple of functions I went directly to the API and did a date comparison against the latest event:
Function for getting the API bearer token
function Get-BearerToken {
    [OutputType([string])]
    param([Parameter(Mandatory = $true)][string]$myURI,
    [Parameter(Mandatory = $true)][hashtable]$myHeader,
    [Parameter(Mandatory = $true)][string]$myUserName,
    [Parameter(Mandatory = $true)][securestring]$myHash,
    [Parameter(Mandatory = $true)][string]$myProvider)
    Write-Host "Retrieving bearer token from API..."
    # Decrypt the SecureString only for the request, then zero and free the unmanaged copy
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($myHash)
    try {
        $body = ConvertTo-Json(@{"username"=$myUserName;"password"=[Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr);"provider"=$myProvider})
        # Use the header passed as a parameter, not the caller's $jsonHeader variable
        $sessionData = Invoke-RestMethod -Method Post -Uri $myURI -Headers $myHeader -Body $body
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    # The session ID returned by the sessions endpoint is used as the bearer token
    $bearerString = "Bearer $($sessionData.sessionId)"
    return $bearerString
}
Base steps I used to pull the most recent log event for a given ESXi host for comparison:
# $vmHost is the ESXi host being checked; $vRLIuser, $vRLIpass (a SecureString) and $vRLIprovider are set elsewhere
$rootAPI = "https://loginsight.your.domain/api/v1/"
# Newest hostd event for this host: limit=1, sorted descending
$thisURL = $rootAPI+"events/source/CONTAINS%20$($vmHost.Name)/appname/CONTAINS%20hostd?limit=1&order-by-direction=DESC&view=SIMPLE"
$sessionURI = "$($rootAPI)sessions"
$jsonHeader = @{"Content-Type"="application/json"}
$authHeader = @{"Authorization"=$(Get-BearerToken -myURI $sessionURI -myHeader $jsonHeader -myUserName $vRLIuser -myHash $vRLIpass -myProvider $vRLIprovider)}
$thisLogSet = Invoke-RestMethod -Method GET -Uri $thisURL -Headers $authHeader -ErrorAction SilentlyContinue
# The event timestamp is epoch milliseconds; convert it to a UTC date and measure the minutes since the event
$baseDate = get-date -date "1/1/1970 00:00:00"
$newDate = $baseDate.AddMinutes((($thisLogSet.results.timestamp)/1000)/60)
$eventSpan = (New-TimeSpan -Start $newDate -End ((Get-Date).ToUniversalTime())).TotalMinutes
Thanks for responding @LucD!
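An added example, not part of the original posts: the per-host check above wrapped into a loop that separates a host that has gone silent from a query that failed, so an expired token or API error is never mistaken for a healthy or a dead log source. The function name, the 30-minute threshold, the host names and the sample responses are assumptions constructed for illustration.

```powershell
# Added example (not the poster's code). Names, threshold and sample data are constructed.
function Get-SyslogSilence {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        # Script block that takes one host name and returns the events API response for it
        [Parameter(Mandatory)][scriptblock]$Query,
        [double]$MaxSilenceMinutes = 30,              # assumed threshold
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    foreach ($name in $HostName) {
        $status = 'OK'; $age = $null
        try {
            $latest = @((& $Query $name).results)[0]
            if ($null -eq $latest) {
                $status = 'NoEvents'                  # nothing returned for this source
            } else {
                # timestamp is epoch milliseconds, as in the thread's own conversion
                $eventUtc = [DateTimeOffset]::FromUnixTimeMilliseconds([long]$latest.timestamp).UtcDateTime
                $age = [math]::Round(($NowUtc - $eventUtc).TotalMinutes, 1)
                if ($age -gt $MaxSilenceMinutes) { $status = 'Silent' }
            }
        } catch {
            # An API or auth failure says nothing about the host itself
            $status = 'QueryFailed'
        }
        [pscustomobject]@{ Host = $name; MinutesSinceLastEvent = $age; Status = $status }
    }
}

# Constructed sample responses standing in for the live API
$now   = [datetime]::new(2024, 1, 1, 12, 0, 0, [DateTimeKind]::Utc)
$nowMs = [DateTimeOffset]::new($now).ToUnixTimeMilliseconds()
$sample = @{
    'esx01.example.test' = @{ results = @(@{ timestamp = $nowMs - 2 * 60000 }) }
    'esx02.example.test' = @{ results = @(@{ timestamp = $nowMs - 95 * 60000 }) }
    'esx03.example.test' = @{ results = @() }
}
$fake  = { param($n) if ($n -eq 'esx04.example.test') { throw 'HTTP 401' }; $sample[$n] }
$names = 'esx01.example.test', 'esx02.example.test', 'esx03.example.test', 'esx04.example.test'
Get-SyslogSilence -HostName $names -Query $fake -NowUtc $now | Format-Table

# Live use: build the query from the URL in the post, with -ErrorAction Stop so failures surface:
# $live = { param($n) Invoke-RestMethod -Method Get -Headers $authHeader -ErrorAction Stop `
#           -Uri ($rootAPI + "events/source/CONTAINS%20$n/appname/CONTAINS%20hostd?limit=1&order-by-direction=DESC&view=SIMPLE") }
```

With the sample data, esx01 reports OK, esx02 Silent (95 minutes), esx03 NoEvents and esx04 QueryFailed; only Silent hosts are candidates for the syslog service restart described in the first post.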
Thanks for sharing that Jason, useful info!
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference