Brock Peterson

Capture Certificate Expirations with vRLI

Updated: Apr 18

vRLI is up and running, and you're collecting vCenter events, tasks and alarms, as well as ESXi Host logs. In addition, vRLI is receiving logs from F5 BIG-IP, Citrix NetScaler, NetApp FAS, and more. Let's use it to capture Certificates that have expired and Certificates that will be expiring.

A quick look at my environment shows the following entries, in this case coming from F5 BIG-IP.

Remember that the vRLI query language uses the logical "and" operator for phrases; in this case it looks for all logs containing both the string "certificate" and the string "expired". The search for "certificate will expire" looks like this:

Most often I will start with one-word searches and narrow them down from there, so as not to miss anything, but explore what works best for you. vRLI also supports REGEX, so if you're more comfortable using REGEX, explore those options. REGEX can be used via the ADD FILTER option. A search for all Certificates containing the word "Entrust" and matching certain REGEX might look something like this.

Now that you've found what you're looking for, it's important that you be notified of it. You can create an Alert for these by clicking the Create Alert icon at the top right.

The vRLI Alert definition as configured here will generate an email and send an Alert to vROps. You can customize the email payload as documented here. I've adjusted mine to contain this as part of the Description: "Entrust Certificate Expiring on ${hostname}. Renew immediately!" You can include only one variable in your Description. The subsequent email will look something like this:

To ensure the ${hostname} field is populated in your email, you could require it in the log entry. Your query would look something like this.

The Alert sent to vROps will look something like this:

Next, let's generate a Dashboard we can use to quickly see our expired and expiring Certificates. Go to Interactive Analytics, run your query, then click Add current query to dashboard at the top right.

Adjust the name, select the Dashboard you'd like to add it to or create a new one, choose the Widget Type, then click ADD. I've done this for both expired and expiring certificates to get the following.

You now have a go-to Dashboard for Certificates, Alerts going to vROps for them, as well as notifications via email. You'll probably notice some F5 related fields in the dashboard. These are extracted fields, and we'll explore them more in the next blog. For more information on vRLI and a trial, go here!
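The searches built earlier in this post (keywords combined with "and", a REGEX filter, and a required hostname field) can be prototyped offline before the alert is created. The following Python sketch is an added example, not vRLI code or part of the original post; the log lines, the regex and the function names are constructed for illustration, and the whole-word, case-insensitive matching is an assumption about how the keyword search behaves.

```python
import re
from string import Template

# Constructed sample events: "text" is the log message, other keys stand in for vRLI fields.
EVENTS = [
    {"hostname": "bigip-01", "text": "Certificate 'portal' issued by Entrust will expire on Jun 30 2024"},
    {"hostname": "bigip-02", "text": "Certificate 'legacy' issued by Entrust expired on Jan 05 2024"},
    {"text": "Certificate 'api' issued by Entrust will expire on Jul 12 2024"},  # no hostname field
    {"hostname": "bigip-01", "text": "Pool member 10.0.0.5:443 monitor status up"},
    {"hostname": "ns-01", "text": "certificate will be checked; nothing will expire soon"},
]

# Alert Description from the post; it carries a single variable, ${hostname}.
DESCRIPTION = Template("Entrust Certificate Expiring on ${hostname}. Renew immediately!")


def keyword_match(event, terms):
    """Every term must appear somewhere in the message (the "and" behaviour the post describes)."""
    words = set(re.findall(r"[a-z0-9]+", event["text"].lower()))
    return all(term.lower() in words for term in terms)


def search(events, terms, regex=None, require_field=None):
    """Keyword search, optionally narrowed by a regex filter and a field that must exist."""
    hits = []
    for event in events:
        if not keyword_match(event, terms):
            continue
        if regex and not re.search(regex, event["text"]):
            continue
        if require_field and not event.get(require_field):
            continue
        hits.append(event)
    return hits


def alert_descriptions(events):
    """Render the Description for each hit; callers must have required hostname already."""
    return [DESCRIPTION.substitute(hostname=event["hostname"]) for event in events]


if __name__ == "__main__":
    terms = ["certificate", "will", "expire"]
    broad = search(EVENTS, terms)                                  # includes the unrelated ns-01 line
    narrowed = search(EVENTS, terms, regex=r"Entrust.*will expire on")
    alertable = search(EVENTS, terms, r"Entrust.*will expire on", "hostname")
    print(len(broad), len(narrowed), len(alertable))
    for line in alert_descriptions(alertable):
        print(line)
```

The keyword-only search also returns the unrelated ns-01 line because the three words merely co-occur, and the event without a hostname field only drops out once that field is required, which is what keeps an empty ${hostname} out of the email.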
