vmware-aria-logs 0.1.0__tar.gz

vmware_aria_logs-0.1.0/.env.example

@@ -0,0 +1,17 @@
+# VMware Aria Operations for Logs MCP Server
+# Copy to .env and fill in your values
+
+# Required: Log Insight connection
+LI_BASE_URL=https://loginsight.example.com
+LI_USERNAME=admin
+LI_PASSWORD=your-password
+LI_PROVIDER=Local
+LI_VERIFY_TLS=false
+LI_TIMEOUT_SEC=30
+
+# Optional: VMware Aria Operations (vROps) correlation
+# VROPS_BASE_URL=https://vrops.example.com
+# VROPS_USERNAME=admin
+# VROPS_PASSWORD=your-password
+# VROPS_AUTH_SOURCE=local
+# VROPS_VERIFY_TLS=false

vmware_aria_logs-0.1.0/.gitignore

@@ -0,0 +1,21 @@
+# Virtual environment
+.venv/
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+
+# Environment
+.env
+
+# IDE
+.idea/
+.vscode/
+
+# pytest
+.pytest_cache/
+htmlcov/
+.coverage

vmware_aria_logs-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 apollion69
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vmware_aria_logs-0.1.0/PKG-INFO

@@ -0,0 +1,131 @@
+Metadata-Version: 2.4
+Name: vmware-aria-logs
+Version: 0.1.0
+Summary: MCP server for VMware Aria Operations for Logs (formerly vRealize Log Insight)
+Project-URL: Homepage, https://github.com/apollion69/vmware-aria-logs
+Project-URL: Repository, https://github.com/apollion69/vmware-aria-logs
+Project-URL: Issues, https://github.com/apollion69/vmware-aria-logs/issues
+Author: apollion69
+License-Expression: MIT
+License-File: LICENSE
+Keywords: aria,log-insight,mcp,observability,vmware,vrli
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.11
+Requires-Dist: mcp[cli]>=1.0.0
+Description-Content-Type: text/markdown
+
+# VMware Aria Operations for Logs — MCP Server
+
+[![PyPI version](https://img.shields.io/pypi/v/vmware-aria-logs)](https://pypi.org/project/vmware-aria-logs/)
+[![Python 3.11+](https://img.shields.io/pypi/pyversions/vmware-aria-logs)](https://pypi.org/project/vmware-aria-logs/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Smithery](https://smithery.ai/badge/vmware-aria-logs)](https://smithery.ai/server/vmware-aria-logs)
+
+MCP server for querying and analyzing logs from **VMware Aria Operations for Logs** (formerly vRealize Log Insight). Provides log search, mass incident detection, and optional VMware Aria Operations (vROps) correlation.
+
+Built for use with [Claude Code](https://claude.ai/code), [Claude Desktop](https://claude.ai/download), [LobeChat](https://github.com/lobehub/lobe-chat), and any MCP-compatible client.
+
+## Features
+
+- **Log Search** — Query events with time range, text filters, and field constraints via Log Insight API v2
+- **Incident Detection** — Signature-based clustering to identify mass log incidents (Stormbreaker engine)
+- **API Surface Probe** — Detect appliance version and available API endpoints
+- **Dashboard Listing** — Enumerate saved dashboards (legacy vRLIC API, deprecated on 8.18+)
+- **vROps Correlation** — Cross-reference log entities with Aria Operations resources and alerts
+
+## Quick Start
+
+### Install via uvx (recommended)
+
+```bash
+uvx vmware-aria-logs
+```
+
+### Install via pip
+
+```bash
+pip install vmware-aria-logs
+```
+
+### Run with environment variables
+
+```bash
+export LI_BASE_URL=https://loginsight.example.com
+export LI_USERNAME=admin
+export LI_PASSWORD=your-password
+export LI_PROVIDER=Local
+
+vmware-aria-logs
+```
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `query_events` | Search log events with time range, text filter, field constraints |
+| `get_version` | Get appliance version and probe API surface |
+| `list_dashboards` | List saved dashboards (legacy vRLIC API, deprecated on 8.18+) |
+| `detect_incidents` | Mass incident detection via signature clustering |
+| `find_vrops_resources` | Find entities in Aria Operations by name |
+| `get_vrops_alerts` | Get alerts for specific vROps resources |
+
+## Configuration
+
+### Required Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `LI_BASE_URL` | Log Insight appliance URL | — |
+| `LI_USERNAME` | API username | `admin` |
+| `LI_PASSWORD` | API password | — |
+| `LI_PROVIDER` | Auth provider (Local, ActiveDirectory) | `Local` |
+| `LI_VERIFY_TLS` | Verify TLS certificates | `false` |
+
+### Optional (vROps Correlation)
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `VROPS_BASE_URL` | Aria Operations URL | — |
+| `VROPS_USERNAME` | vROps username | `admin` |
+| `VROPS_PASSWORD` | vROps password | — |
+| `VROPS_AUTH_SOURCE` | Auth source | `local` |
+
+## Claude Code / MCP Client Configuration
+
+```json
+{
+  "mcpServers": {
+    "aria-logs": {
+      "command": "uvx",
+      "args": ["vmware-aria-logs"],
+      "env": {
+        "LI_BASE_URL": "https://loginsight.example.com",
+        "LI_USERNAME": "admin",
+        "LI_PASSWORD": "your-password"
+      }
+    }
+  }
+}
+```
+
+## Why This Server?
+
+VMware Aria Operations for Logs (Log Insight) is widely deployed in enterprise VMware environments, but lacks modern AI-assisted log analysis tooling. This MCP server bridges that gap:
+
+- **Zero dependencies** beyond the MCP SDK — uses Python stdlib `urllib` for HTTP
+- **Stormbreaker engine** — unique signature-based clustering that finds mass incidents humans miss
+- **vROps correlation** — cross-reference log events with infrastructure health in a single conversation
+- **Works on v8.x+** — tested on Aria Operations for Logs 8.18.3, gracefully degrades deprecated APIs
+
+## Also Available On
+
+- [Smithery](https://smithery.ai/server/vmware-aria-logs)
+- [Glama](https://glama.ai/mcp/servers/apollion69/vmware-aria-logs)
+- [PyPI](https://pypi.org/project/vmware-aria-logs/)
+
+## License
+
+MIT

vmware_aria_logs-0.1.0/README.md

@@ -0,0 +1,112 @@
+# VMware Aria Operations for Logs — MCP Server
+
+[![PyPI version](https://img.shields.io/pypi/v/vmware-aria-logs)](https://pypi.org/project/vmware-aria-logs/)
+[![Python 3.11+](https://img.shields.io/pypi/pyversions/vmware-aria-logs)](https://pypi.org/project/vmware-aria-logs/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+[![Smithery](https://smithery.ai/badge/vmware-aria-logs)](https://smithery.ai/server/vmware-aria-logs)
+
+MCP server for querying and analyzing logs from **VMware Aria Operations for Logs** (formerly vRealize Log Insight). Provides log search, mass incident detection, and optional VMware Aria Operations (vROps) correlation.
+
+Built for use with [Claude Code](https://claude.ai/code), [Claude Desktop](https://claude.ai/download), [LobeChat](https://github.com/lobehub/lobe-chat), and any MCP-compatible client.
+
+## Features
+
+- **Log Search** — Query events with time range, text filters, and field constraints via Log Insight API v2
+- **Incident Detection** — Signature-based clustering to identify mass log incidents (Stormbreaker engine)
+- **API Surface Probe** — Detect appliance version and available API endpoints
+- **Dashboard Listing** — Enumerate saved dashboards (legacy vRLIC API, deprecated on 8.18+)
+- **vROps Correlation** — Cross-reference log entities with Aria Operations resources and alerts
+
+## Quick Start
+
+### Install via uvx (recommended)
+
+```bash
+uvx vmware-aria-logs
+```
+
+### Install via pip
+
+```bash
+pip install vmware-aria-logs
+```
+
+### Run with environment variables
+
+```bash
+export LI_BASE_URL=https://loginsight.example.com
+export LI_USERNAME=admin
+export LI_PASSWORD=your-password
+export LI_PROVIDER=Local
+
+vmware-aria-logs
+```
+
+## MCP Tools
+
+| Tool | Description |
+|------|-------------|
+| `query_events` | Search log events with time range, text filter, field constraints |
+| `get_version` | Get appliance version and probe API surface |
+| `list_dashboards` | List saved dashboards (legacy vRLIC API, deprecated on 8.18+) |
+| `detect_incidents` | Mass incident detection via signature clustering |
+| `find_vrops_resources` | Find entities in Aria Operations by name |
+| `get_vrops_alerts` | Get alerts for specific vROps resources |
+
+## Configuration
+
+### Required Environment Variables
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `LI_BASE_URL` | Log Insight appliance URL | — |
+| `LI_USERNAME` | API username | `admin` |
+| `LI_PASSWORD` | API password | — |
+| `LI_PROVIDER` | Auth provider (Local, ActiveDirectory) | `Local` |
+| `LI_VERIFY_TLS` | Verify TLS certificates | `false` |
+
+### Optional (vROps Correlation)
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `VROPS_BASE_URL` | Aria Operations URL | — |
+| `VROPS_USERNAME` | vROps username | `admin` |
+| `VROPS_PASSWORD` | vROps password | — |
+| `VROPS_AUTH_SOURCE` | Auth source | `local` |
+
+## Claude Code / MCP Client Configuration
+
+```json
+{
+  "mcpServers": {
+    "aria-logs": {
+      "command": "uvx",
+      "args": ["vmware-aria-logs"],
+      "env": {
+        "LI_BASE_URL": "https://loginsight.example.com",
+        "LI_USERNAME": "admin",
+        "LI_PASSWORD": "your-password"
+      }
+    }
+  }
+}
+```
+
+## Why This Server?
+
+VMware Aria Operations for Logs (Log Insight) is widely deployed in enterprise VMware environments, but lacks modern AI-assisted log analysis tooling. This MCP server bridges that gap:
+
+- **Zero dependencies** beyond the MCP SDK — uses Python stdlib `urllib` for HTTP
+- **Stormbreaker engine** — unique signature-based clustering that finds mass incidents humans miss
+- **vROps correlation** — cross-reference log events with infrastructure health in a single conversation
+- **Works on v8.x+** — tested on Aria Operations for Logs 8.18.3, gracefully degrades deprecated APIs
+
+## Also Available On
+
+- [Smithery](https://smithery.ai/server/vmware-aria-logs)
+- [Glama](https://glama.ai/mcp/servers/apollion69/vmware-aria-logs)
+- [PyPI](https://pypi.org/project/vmware-aria-logs/)
+
+## License
+
+MIT

vmware_aria_logs-0.1.0/glama.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://glama.ai/mcp/schemas/server.json",
+  "maintainers": [
+    "apollion69"
+  ]
+}

vmware_aria_logs-0.1.0/pyproject.toml

@@ -0,0 +1,39 @@
+[project]
+name = "vmware-aria-logs"
+version = "0.1.0"
+description = "MCP server for VMware Aria Operations for Logs (formerly vRealize Log Insight)"
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.11"
+authors = [{ name = "apollion69" }]
+keywords = ["mcp", "vmware", "aria", "log-insight", "vrli", "observability"]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Topic :: System :: Monitoring",
+]
+dependencies = [
+    "mcp[cli]>=1.0.0",
+]
+
+[project.urls]
+Homepage = "https://github.com/apollion69/vmware-aria-logs"
+Repository = "https://github.com/apollion69/vmware-aria-logs"
+Issues = "https://github.com/apollion69/vmware-aria-logs/issues"
+
+[project.scripts]
+vmware-aria-logs = "vmware_aria_logs.server:main"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/vmware_aria_logs"]
+
+[dependency-groups]
+dev = [
+    "pytest>=9.0.2",
+    "pytest-cov>=7.1.0",
+]

vmware_aria_logs-0.1.0/smithery.yaml

@@ -0,0 +1,49 @@
+# Smithery configuration file: https://smithery.ai/docs/config#smitheryyaml
+startCommand:
+  type: stdio
+  configSchema:
+    type: object
+    required:
+      - liBaseUrl
+      - liPassword
+    properties:
+      liBaseUrl:
+        type: string
+        description: "VMware Aria Operations for Logs URL (e.g. https://loginsight.example.com)"
+      liUsername:
+        type: string
+        default: "admin"
+        description: "API username"
+      liPassword:
+        type: string
+        description: "API password"
+      liProvider:
+        type: string
+        default: "Local"
+        description: "Auth provider (Local, ActiveDirectory)"
+      vropsBaseUrl:
+        type: string
+        description: "Aria Operations URL for cross-correlation (optional)"
+      vropsUsername:
+        type: string
+        default: "admin"
+        description: "vROps username"
+      vropsPassword:
+        type: string
+        description: "vROps password"
+  commandFunction: |-
+    (config) => ({
+      command: 'uvx',
+      args: ['vmware-aria-logs'],
+      env: {
+        LI_BASE_URL: config.liBaseUrl,
+        LI_USERNAME: config.liUsername || 'admin',
+        LI_PASSWORD: config.liPassword,
+        LI_PROVIDER: config.liProvider || 'Local',
+        ...(config.vropsBaseUrl ? {
+          VROPS_BASE_URL: config.vropsBaseUrl,
+          VROPS_USERNAME: config.vropsUsername || 'admin',
+          VROPS_PASSWORD: config.vropsPassword || ''
+        } : {})
+      }
+    })

vmware_aria_logs-0.1.0/src/vmware_aria_logs/__init__.py

@@ -0,0 +1,3 @@
+"""VMware Aria Operations for Logs MCP Server."""
+
+__version__ = "0.1.0"

vmware_aria_logs-0.1.0/src/vmware_aria_logs/analysis/events.py

@@ -0,0 +1,95 @@
+"""Event extraction, normalization, and deduplication."""
+
+from __future__ import annotations
+
+import hashlib
+import re
+from typing import Any
+
+_UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b")
+_HEX_LONG_RE = re.compile(r"\b[0-9a-fA-F]{16,}\b")
+_NUMBER_RE = re.compile(r"\b\d{4,}\b")
+_IP_RE = re.compile(r"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
+_PATH_RE = re.compile(r"/[\w./-]{20,}")
+
+
+def normalize_text(text: str) -> str:
+    """Normalize log text to a signature by replacing variable parts."""
+    result = _UUID_RE.sub("<UUID>", text)
+    result = _HEX_LONG_RE.sub("<HEX>", result)
+    result = _IP_RE.sub("<IP>", result)
+    result = _PATH_RE.sub("<PATH>", result)
+    result = _NUMBER_RE.sub("<N>", result)
+    return result
+
+
+def event_signature(event: dict[str, Any], *, include_source: bool = False) -> str:
+    """Compute a stable signature hash for an event.
+
+    Args:
+        event: Event dict with text/source fields.
+        include_source: If True, signature includes source hostname.
+            Use False (default) for mass incident detection across hosts.
+            Use True for per-host deduplication.
+    """
+    text = str(event.get("text") or "")
+    normalized = normalize_text(text)
+    if include_source:
+        source = str(event.get("source") or event.get("hostname") or "")
+        key = f"{source}::{normalized}"
+    else:
+        key = normalized
+    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]
+
+
+def extract_text(event: dict[str, Any]) -> str:
+    """Extract the primary text content from an event."""
+    text = event.get("text")
+    if isinstance(text, str) and text:
+        return text
+    for field_key in ("message", "msg", "log", "raw"):
+        value = event.get(field_key)
+        if isinstance(value, str) and value:
+            return value
+    fields = event.get("fields") or []
+    if isinstance(fields, list):
+        for field_item in fields:
+            if isinstance(field_item, dict):
+                name = str(field_item.get("name") or "")
+                content = str(field_item.get("content") or "")
+                if name.lower() in ("text", "message", "msg") and content:
+                    return content
+    return ""
+
+
+def extract_source(event: dict[str, Any]) -> str:
+    """Extract the source hostname from an event."""
+    for key in ("source", "hostname", "host", "agent"):
+        value = event.get(key)
+        if isinstance(value, str) and value:
+            return value
+    fields = event.get("fields") or []
+    if isinstance(fields, list):
+        for field_item in fields:
+            if isinstance(field_item, dict):
+                name = str(field_item.get("name") or "").lower()
+                content = str(field_item.get("content") or "")
+                if name in ("source", "hostname", "host") and content:
+                    return content
+    return ""
+
+
+def dedupe_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """Remove duplicate events based on text + source + timestamp."""
+    seen: set[str] = set()
+    result: list[dict[str, Any]] = []
+    for event in events:
+        text = extract_text(event)
+        source = extract_source(event)
+        ts = str(event.get("timestamp") or "")
+        key = f"{source}:{ts}:{text[:200]}"
+        digest = hashlib.md5(key.encode("utf-8")).hexdigest()
+        if digest not in seen:
+            seen.add(digest)
+            result.append(event)
+    return result

vmware_aria_logs-0.1.0/src/vmware_aria_logs/analysis/incidents.py

@@ -0,0 +1,81 @@
+"""Mass incident detection via signature clustering."""
+
+from __future__ import annotations
+
+from collections import Counter, defaultdict
+from dataclasses import dataclass
+from typing import Any
+
+from .events import event_signature, extract_source, extract_text, normalize_text
+
+
+@dataclass(frozen=True)
+class MassIncident:
+    """A cluster of events sharing the same normalized signature."""
+
+    signature: str
+    normalized_text: str
+    event_count: int
+    affected_sources: list[str]
+    sample_text: str
+    blast_radius: int  # number of unique sources
+
+
+def detect_mass_incidents(
+    events: list[dict[str, Any]],
+    *,
+    mass_threshold: int = 5,
+    max_incidents: int = 50,
+) -> list[MassIncident]:
+    """Group events by signature and return those exceeding the mass threshold.
+
+    Args:
+        events: Raw event dicts from Log Insight API.
+        mass_threshold: Minimum event count to qualify as a mass incident.
+        max_incidents: Maximum number of incidents to return (ranked by count).
+
+    Returns:
+        List of MassIncident objects, sorted by event_count descending.
+    """
+    sig_events: dict[str, list[dict[str, Any]]] = defaultdict(list)
+    sig_normalized: dict[str, str] = {}
+
+    for event in events:
+        sig = event_signature(event)
+        sig_events[sig].append(event)
+        if sig not in sig_normalized:
+            text = extract_text(event)
+            sig_normalized[sig] = normalize_text(text)
+
+    incidents: list[MassIncident] = []
+    for sig, group in sig_events.items():
+        if len(group) < mass_threshold:
+            continue
+        sources = list({extract_source(e) for e in group if extract_source(e)})
+        sample = extract_text(group[0])
+        incidents.append(MassIncident(
+            signature=sig,
+            normalized_text=sig_normalized.get(sig, ""),
+            event_count=len(group),
+            affected_sources=sorted(sources),
+            sample_text=sample[:500],
+            blast_radius=len(sources),
+        ))
+
+    incidents.sort(key=lambda i: i.event_count, reverse=True)
+    return incidents[:max_incidents]
+
+
+def incidents_to_dicts(incidents: list[MassIncident]) -> list[dict[str, Any]]:
+    """Convert incidents to serializable dicts."""
+    return [
+        {
+            "signature": inc.signature,
+            "normalized_text": inc.normalized_text,
+            "event_count": inc.event_count,
+            "blast_radius": inc.blast_radius,
+            "affected_sources": inc.affected_sources,
+            "sample_text": inc.sample_text,
+        }
+        for inc in incidents
+    ]