If you need to pull log events programmatically from VMware Aria Operations for Logs (formerly vRealize Log Insight), filtering by a specific hostname, this guide walks you through the entire process — from authentication to querying the powerful internal API endpoint.

This approach is inspired by Brock Peterson’s excellent series on the Aria Operations for Logs API, expanded here with full session authentication steps and hostname-specific query examples.

## Prerequisites

Before we begin, you'll need:

- Aria Operations for Logs deployed and accessible (FQDN or IP)
- A local admin account or Active Directory / vIDM credentials
- curl installed on your workstation
- Access to port 9543 on the Aria Operations for Logs appliance

Note: All examples use the -k flag to skip SSL certificate verification. In production, you should use proper certificate trust chains instead.

## Step 1: Authenticate and Retrieve a Session Token

Every API interaction starts with obtaining a Bearer token. You do this by posting your credentials to the `/api/v2/sessions` endpoint.

### Local Authentication

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN:9543/api/v2/sessions" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin",
    "password": "YourPasswordHere",
    "provider": "Local"
  }'
```

### Active Directory Authentication

If your environment uses Active Directory, change the `provider` value:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN:9543/api/v2/sessions" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "your_ad_user",
    "password": "YourPasswordHere",
    "provider": "ActiveDirectory"
  }'
```

### vIDM (Workspace ONE Access) Authentication

For federated identity via vIDM:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN:9543/api/v2/sessions" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "user@domain.com",
    "password": "YourPasswordHere",
    "provider": "vIDM"
  }'
```

### Understanding the Response

All three methods return the same JSON structure:

```json
{
  "userId": "3c1b81cc-418e-44c0-b91a-54e10a87b1d3",
  "sessionId": "1a2b3c4d-your-session-token-here==",
  "ttl": 1800
}
```

| Field | Description |
|---|---|
| `userId` | Unique identifier for the authenticated user |
| `sessionId` | **This is your Bearer token** — save it for all subsequent API calls |
| `ttl` | Token time-to-live in seconds (default: 1800 = 30 minutes) |

Copy the `sessionId` value — this is the Bearer token you'll use in every subsequent request.

## Step 2: Verify Your Session (Optional)

Before running queries, you can verify your token is valid:

```bash
curl -k "https://YOUR_LOG_INSIGHT_FQDN:9543/api/v2/sessions/current" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE"
```

A successful response confirms your session is active and returns your user details.

## Step 3: Discover the Internal API

The standard `/api/v2/events` endpoint works but is unintuitive and poorly documented. The **internal API** is far more powerful and flexible.

You can browse the internal API documentation at:

https://YOUR_LOG_INSIGHT_FQDN/rest-api/internal

Scroll down to the **events** section and you'll find `POST /events/query` — this is the endpoint we'll use for all our hostname queries.

## Step 4: Query Events by Hostname

Now for the main event. The internal `POST /events/query` endpoint accepts a JSON body with a `constraints` field that uses the same query language as the Explore Logs UI.

### Basic Hostname Query (Last 5 Minutes)

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & LastFiveMinutes",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

### Hostname Query (Last 24 Hours)

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & LastDay",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

### Hostname + Text Search

Search for the word "error" on a specific host:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & '\''error'\'' & LastDay",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

### Multiple Hostnames with OR

Query logs from two different hosts simultaneously:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "(hostname:\"esxi01.lab.local\" | hostname:\"esxi02.lab.local\") & LastDay",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

### Hostname + Specific Field Exists

Find vCenter events logged from a specific host:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"vcsa01.lab.local\" & EXISTS(vc_event_type) & LastDay",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

### Hostname + Specific Field Value

Filter a host for specific vCenter event types (e.g., user login events):

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"vcsa01.lab.local\" & vc_event_type:\"com.vmware.vim25.userloginsessionevent\" & Last48",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 20000,
    "timeout": 30000
  }'
```

### Hostname + Epoch Timestamp Range

For precise time ranges, use seconds-since-epoch timestamps:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & (timestamp > 1743552000 & timestamp < 1743638400)",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }'
```

> **Tip:** Use a tool like [epochconverter.com](https://www.epochconverter.com/) to convert human-readable dates to epoch timestamps.

### Hostname with Aggregation (Event Count by Type)

Get a count of events grouped by type for a specific host:

```bash
curl -k -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer YOUR_SESSION_ID_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & LastDay",
    "aggregations": "COUNT(event)",
    "groups": "event_type",
    "order": "event ASC",
    "resultsFrom": 1,
    "resultsTo": 20000,
    "timeout": 30000
  }'
```

## Quick Reference: Constraint Syntax

| Syntax | Description |
|---|---|
| `hostname:"value"` | Filter by exact hostname |
| `'text string'` | Search for text in log messages |
| `&` | AND operator |
| `\|` | OR operator |
| `EXISTS(field)` | Check if a field exists in the log entry |
| `field:"value"` | Filter by field value |
| `LastFiveMinutes` | Last 5 minutes of logs |
| `LastDay` | Last 24 hours |
| `Last48` | Last 48 hours |
| `timestamp > epoch` | Custom epoch-based time range |

The double quotes around a field value belong to the constraint syntax itself; inside the JSON request body they are escaped as `\"`, which is why they appear that way in the curl examples above.

## Quick Reference: Request Body Fields

| Field | Description | Notes |
|---|---|---|
| `constraints` | Your query (filters, time range) | Required |
| `aggregations` | Aggregate function (e.g., `COUNT(event)`) | Leave empty for raw logs |
| `groups` | Group-by field | Leave empty for raw logs |
| `order` | Sort order for aggregations | Leave empty for raw logs |
| `resultsFrom` | Starting result index | Starts at 1 |
| `resultsTo` | Ending result index | Maximum is 20,000 |
| `timeout` | Query timeout in milliseconds | 30000 = 30 seconds |

## Putting It All Together: A Complete Script

Here's a one-liner that authenticates and queries in a single pipeline:

```bash
# Authenticate and store the token
TOKEN=$(curl -sk -X POST "https://YOUR_LOG_INSIGHT_FQDN:9543/api/v2/sessions" \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"YourPasswordHere","provider":"Local"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['sessionId'])")

# Stop here if authentication failed (no sessionId came back)
[ -n "$TOKEN" ] || { echo "Authentication failed: no sessionId returned" >&2; exit 1; }

# Query events for a specific hostname
curl -sk -X POST "https://YOUR_LOG_INSIGHT_FQDN/api/v1/events/query" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "constraints": "hostname:\"esxi01.lab.local\" & LastDay",
    "aggregations": "",
    "groups": "",
    "order": "",
    "resultsFrom": 1,
    "resultsTo": 500,
    "timeout": 30000
  }' | python3 -m json.tool
```

## Important Notes

- **Field name verification:** The `hostname` field is the standard syslog source field in Aria Operations for Logs. However, depending on your ingestion method and content packs, the field could be named `source`, `vmw_esxi_hostname`, or something custom. Check the field list in the Explore Logs UI sidebar to confirm.
- **Token expiration:** The default TTL is 30 minutes (1800 seconds). For longer-running scripts, re-authenticate periodically.
- **Result limits:** The maximum value for `resultsTo` is 20,000. For larger result sets, use the UI export-to-NFS feature as described in Brock Peterson's export guide.
- **Internal API caveat:** The `POST /events/query` endpoint is part of the internal API surface. While it's far more powerful than the public `/api/v2/events` endpoint, internal APIs may change between versions without notice.
- **Credential handling:** A password passed inline with `-d` ends up in your shell history and is visible in the process list while curl runs; read it from a prompt or a protected file instead, and treat the `sessionId` as a secret for as long as it is valid.