In this post, we are going to discuss Event logging in Horizon View environment. In Horizon View environment, by default, events are not logged as it requires you to perform event configuration prior to generating event logs.
As in screenshot below, when you login for the first time into horizon console and check the dashboard status, you can see warning status on Event Database which represents that event configuration is not done yet.
Horizon event logging configuration is done under View Configuration –> Event Configuration in Horizon Console.
As you can see in above image, Horizon view can be configured to log events data using following methods,
- Event Database
- Syslog Server
- Flat file
You can configure any of these method or combination of these methods or all of them can be configured at once. So let’s look at each of these methods and understand how to set them and use.
The event database stores View events information as records in Microsoft SQL Server or Oracle database rather than in a log file.
Supported databases for Event Logging in Horizon 7.10 and other releases can be checked here at database interoperability.
Horizon View records events like end-user actions, administrator actions, system failures alerts, and errors.
- End-user actions include logging and starting desktop and application sessions.
- Administrator actions include adding entitlements and creating desktop and application pools.
Event database is configured post installing a View Connection Server instance. We need to configure event database only on one host in a View Connection Server group (POD). The remaining hosts in the group are updated automatically.
Configuring Event Database in View:
- Login to Horizon View administrator portal URL with administrative credentials at, https://<Connection Server FQDN>/admin and navigate to Event configuration under View Configuration.
- Click Edit button on Event Database section.
- Enter Database details that are prompted and click OK. In my case I am using SQL Server, you can use Oracle database as well by selecting appropriate option in dropdown.
Note: Ensure that Database is created in advance, this process does not create database instance automatically.
- For more info on how to setup database for Horizon, check VMware Docs.
- Verify database details to ensure it is configured correctly.
- Once Horizon view event database is configured, events are logged under events in monitoring.
What is inside Event Database
Horizon View uses database tables to implement the event database. The event database prepends the names of these tables with a prefix that we define when we set up the event database (In my case, “VE_”).
Below are the tables used to record events data in database.
- This table stores metadata and search optimization data for recent events.
- This table stores data values for recent events.
- This table stores data values for all events.
- This table stores metadata and search optimization data for all events.
Events are written in full to both the Current tables (i.e. Event & Event_Data) and Historical tables. When events in the current table reach a certain age, they are deleted. However, events are never deleted from the Historical tables.
We can use View Administrator to configure the time period for which the database keeps a record in the event and event_data tables as shown in image below.
Despite setting to “show events in admin for” value to larger interval, as in above image it is 3 months, View admin portal can display only recent 2000 objects. This is because the events that are shown in the Horizon administrator console are loaded from current tables and not from Historical tables.
We cannot use Horizon Administrator console to view the logs that are stored in Historical tables. However, we can use BI reporting engines like Crystal Reports and Oracle Enterprise Performance Management System to access and analyze the event database.
Setting Up syslog
Horizon View events can be generated in Syslog format so that the event data can be accessible to third-party analytics software over the network. The default UDP port number used is 514. Configure only one host in a Connection Server POD. The remaining hosts in the group are configured automatically.
Syslog data is sent across the network without software-based encryption, and might contain sensitive data, such as user names. It is recommended to use link-layer security, such as IPSEC, to avoid the possibility of this data being monitored on the network.
- To configure Syslog server details, navigate to View Configuration –> Event configuration and click Add.
- Enter the Syslog details such as server FQDN and UDP port number, then click OK
- Verify the details.
Logging to flat file (Local and File Share)
Horizon View events are accumulated in a local log file when configured with default option as shown in image below.
The maximum size of the local directory for event logs, including closed log files is 300MB. The default destination of the output is %PROGRAMDATA%\VMware\VDM\events\. Once it reaches the max size limit, then oldest log files are deleted.
Instead of using local file, we can specify a file share where these log files are stored centrally. With this approach, size limit is not applicable.
If planning to collect logs in a flat-file format on network share, we must have the UNC path to the file share and folder along with user name, domain name, and password. This account must have permission to write to the file share.
Verify the details once added.
- It is not mandatory to use all of these methods.
- As discussed earlier, these methods can be used in combinations.
- Event database is primary means of storing the event data.
- Use Syslog for analysis purpose if you have Syslog collector such as vRealize Log Insight.
- Flat file logging can be used in troubleshooting scenarios for quick access to logs.
That is all in this post.
!!! Cheers !!!
6 thoughts on “Horizon View 7.10 Event logging: Events Database, Syslog Server and Flat File”
Perfect. Thanks everyone!
You can see the Client IP address in the debug file(c:\\programdata\\vmware\\vdm\\logs) in the View Connection server. Look for the variable ClientIpAddress. It will be somenthing like this: Sucessful connection:140534 2013-02-15T13:34:33.483-08:00 DEBUG (080C-0DB8) [EventLogger] (SESSION:c187_***_c545) Info_Event:[BROKER_USERLOGGEDIN] \”User PERFLAB\\emello has logged in\”: ClientIpAddress=192.168.52.21, TotalUsers=1, BrokerSessionId=c187_***_c545, Module=Broker, UserDisplayName=PERFLAB\\emello, Source=net.propero.modules.properOps.UserSessionTracker, Severity=AUDIT_SUCCESS, Time=Fri Feb 15 13:34:33 PST 2013, Node=vcs.perflab.local, UserSID=S-1-5-21-3248529586-1416739443-480672615-1107, Acknowledged=true NOT Successful – bad password:141746 2013-02-15T13:40:15.956-08:00 DEBUG (080C-0DA0) [EventLogger] (SESSION:87d4_***_04be emello) Error_Event:[BROKER_USER_AUTHFAILED_BAD_USER_PASSWORD] \”User PERFLAB\\emello failed to authenticate because of a bad username or password\”: Source=net.propero.portal.filters.WinAuthFilter, Time=Fri Feb 15 13:40:15 PST 2013, Severity=AUDIT_FAIL, ClientIpAddress=192.168.52.21, Node=vcs.perflab.local, Module=Broker, UserDisplayName=PERFLAB\\emello, Acknowledged=true I hope it helps you.
Could someone tell me where I can find client source up address information?
I have not tried this however it should work. As per VMware Docs SQL AO/AG is not required for event DB and composer DB. However you should certainly use availability group for Identity Manager.
can we use SQL server availability groups while configuring event DB