Upgrading Log Insight to 8.12

I use vRealize Log Insight in my homelab for collecting logs from my vCenter and ESXi hosts, and as a syslog server. Unfortunately it hasn't gotten that much love for some time and it's been stuck on version 8.6 which is over a year old.

Existing vRLI version

That, and of course this KB article explaining an issue with the internal certs expiring on April 30th 2023, had me prioritizing the upgrade.

I have replaced the web server certificate with my own custom certificate issued by my own CA, but still wanted to expedite the upgrade to be on the safe side.

A quick check of the internal cert shows that it expires on the given date

openssl x509 -noout -in /storage/core/loginsight/cidata/cassandra/config/cacert.pem -enddate

Expiring certificate

The cert issue is present in all versions prior to 8.12.

When checking the release notes of version 8.12, the supported upgrade path is from 8.10.x

This had me check the release notes for version 8.10.2, which show that the supported upgrade path is from 8.8.x

Digging down to the release notes for version 8.8.2 finally shows a supported way to upgrade from my 8.6.0 installation.

So, for me this means, 8.6.0->8.8.2->8.10.2->8.12

After taking a snapshot of the VM and downloading the bits needed from Customer Connect, I started my upgrade process.

Current Cluster status (8.6.0)

8.6.0 to 8.8.2 upgrade

My first upgrade failed

Upgrade failed

I did some quick troubleshooting and suspected that the custom cert might be the reason

Upgrade log

I noticed that the cert in the log message was the internal self-signed certificate and not my own custom one. Digging further I tried to curl the url from the vRLI VM itself and found that it didn't trust the cert

Check certificate

With that I tried to add the Root CA to the VM's trust store. However, when trying to save the Root CA cert I got a message stating that it couldn't be saved due to a full disk.

So after cleaning out some space on the root partition and adding the Root CA cert I retried the upgrade

Full disk

Again it failed without giving anything more exciting in the upgrade log, so I decided to give it a try from the command line.

During that upgrade the script complained about missing 16KB on the root filesystem!

CLI upgrade failed

So after cleaning up a bit more I reran the upgrade from the CLI and it finally went through

CLI upgrade succeeded

And the Cluster status page shows the updated version. Note also the new UI layout

Cluster status updated

8.8.2 to 8.10.2 upgrade

After the successful upgrade to 8.8.2 the next step was upgrading to 8.10.2.

I tried the upgrade through the UI once more, and this time I had no issues

Upgrade to 8.10.2 succeeded

8.10.2 to 8.12.0 upgrade

After letting the instance rest for about an hour I continued with the final step, upgrade to 8.12

Unfortunately this did not succeed on the first try

Upgrade to 8.12 failed

When checking the update log I found a message with an error on the SSL certificate

Upgrade log SSL error

I also checked the disk space since that had been the cause on previous upgrades, but this time that seemed fine.

I decided to remove my custom SSL cert by reverting the SSL config to the default, as the release notes mention some considerations around custom certs

Reset SSL config

SSL config reset to default

After restarting my browser session I confirmed that the SSL cert in use was now the VMware self-signed one, so I tried the upgrade again, this time through the CLI to fetch any error messages

CLI upgrade to 8.12

And score! The vRLI is now Aria Operations for Logs and we are running on version 8.12

Upgrade succeeded, new name in use

Account locked after upgrade

When trying to log in as the admin user I got an error stating that the credentials were invalid or that the account was locked. I waited for about one hour before trying again, but I still got the same message

Admin account locked

I confirmed this by checking the admin account status with the CLI and could also reset it

# Check status
/usr/lib/loginsight/application/sbin/li-reset-admin-passwd.sh --checkAdminStatus

# Unlock account
/usr/lib/loginsight/application/sbin/li-reset-admin-passwd.sh --unlockAdmin

Reset admin account

And finally I could log in with my admin account and verify the Aria Operations for Logs status

Verify 8.12 status

Adding a new SSL certificate

Final step in the upgrade process was to change the default SSL certificate to my own custom CA signed cert.

Since the upgrade log mentioned some field not found on the existing one, I decided to create a new one by following the steps found in the VMware documentation

I got an issue with getting the server to accept the certificate because of "No SSL client purpose set", which is the same kind of error that blocked the upgrade in the first place.

After digging around a bit I found a way to update the certificate, and since this might also occur outside of upgrades I decided to write a blog post on that specifically. In short, the issue was that the certificate template I had used was missing the "Client Authentication" policy, which at the time of this writing is not listed as a requirement for the certificate.

After adding this my custom cert could be uploaded.
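
An added example, not part of the original post: a check for the missing "Client Authentication" usage described above that can be run on a certificate before uploading it. It relies on OpenSSL's own purpose evaluation (`openssl x509 -purpose`); that this matches the appliance's validation is an assumption, and the function names, the two test certificates and the name loginsight.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): check which TLS purposes OpenSSL
# allows for a certificate before uploading it to the appliance.

# cert_purpose CERT_PEM PURPOSE -> prints "Yes" or "No" for e.g. "SSL client"
cert_purpose() {
    openssl x509 -noout -purpose -in "$1" |
        awk -F' : ' -v p="$2" '$1 == p { print $2 }'
}

# check_upload_cert CERT_PEM -> exit status 0 only if both purposes are allowed
check_upload_cert() {
    [ "$(cert_purpose "$1" 'SSL server')" = Yes ] &&
        [ "$(cert_purpose "$1" 'SSL client')" = Yes ]
}

# make_cert OUT_PEM EKU_LIST -> constructed, throwaway self-signed test cert
make_cert() {
    tmp=$(mktemp -d)
    cat > "$tmp/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = loginsight.example.test
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
        -keyout "$tmp/key.pem" -out "$1" 2>/dev/null
    rm -rf "$tmp"
}

# Demo: a "web server only" template versus one that adds Client Authentication.
demo=$(mktemp -d)
make_cert "$demo/server-only.pem" "serverAuth"
make_cert "$demo/server-client.pem" "serverAuth, clientAuth"
for c in "$demo/server-only.pem" "$demo/server-client.pem"; do
    if check_upload_cert "$c"; then verdict="ok"; else verdict="missing client purpose"; fi
    echo "$(basename "$c"): $verdict"
done
rm -rf "$demo"
```

To check a real certificate, call `check_upload_cert` with the path to the PEM file that is about to be uploaded.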

This page was modified on April 28, 2023: update thumbnail