There's more than meets the eye with vRealize Log Insight

VMware vRealize Log Insight is known for its central logging capability, but there are a lot of useful features that admins don't take advantage of.

Some users will simply describe VMware vRealize Log Insight as a central logging host that collects log data in your environment, but that would be an insult to the product because it's really so much more.

Yet so many administrators have never been introduced to this useful piece of software that VMware offers. Although it's not free -- you need to own a license for the product -- many customers have purchased a suite or bundle that contains vRealize Log Insight without ever actually installing it.

Beyond being a central logging host, it also analyzes the log entries that come in and lets you set up actions based on their contents. It doesn't depend solely on external systems being able to send syslog to a logging host: it also comes with agents for Windows and Linux that collect the log files on the system itself and forward them to your vRealize Log Insight deployment.

As of early July 2016, VMware vRealize Log Insight 3.3 is the latest version. To get started, download the virtual appliance from VMware and deploy it on one of your ESXi hosts. If you are not yet ready to purchase a license, you can download it and start a 60-day evaluation to see if it fits your needs.

After deploying the appliance, follow the instructions on the console to reach the configuration web interface and set it up. Two actions are required: adding a license -- an evaluation license also works -- and connecting Log Insight to a vCenter Server.

When setting up this connection, you can automatically configure all ESXi hosts to send their logs to vRealize Log Insight (this sets the hosts' syslog log host; Log Insight accepts syslog over UDP, TCP and TLS, and TLS is the option to prefer). After this initial setup you have the basics in place to collect everything in a central location, but only for vSphere; we'll look at collecting data from other types of servers later.

Depending on your environment, a next step could be to integrate vRealize Log Insight with your vRealize Operations Manager (vROps) server. This lets vRealize Log Insight forward its alerts to vROps, so vROps remains your central dashboard for processing alerts. Without this integration, vRealize Log Insight displays alerts in its own web interface, and it can also send them out by email over SMTP. We'll discuss how to set up alerts for events later in this article.

Customizable dashboards

Once your setup is complete, take a look at the main dashboard. Figure A gives an idea of what the dashboards offer: they let you quickly identify which hosts are sending the most events, how many events are being received in total and which types of events have the highest volume.

You can create a customized dashboard with filters to keep an eye on specific servers or types of events. Figure A also shows that one ESXi host generates a significantly higher number of events than the others, which is reason enough to investigate the events from that host.

Figure A. Customize your Log Insight dashboard

Users can create dashboards that show the information relevant to the part of the infrastructure they manage. Once created, dashboards can also be shared, so you can set up consistent dashboards for all the administrators who need them.

Sharing goes together with roles for the other admins, so give each one only the access they need: for example, viewing dashboards only, using interactive analytics as well, or administering the whole system.

Using Interactive Analytics

Most administrators don't want to spend their time looking at events in a dashboard all day. That's why it's important to be able to query the events with the interactive analysis feature and to set alerts based on your queries.

In Figure B, you can see a query for the keyword sshd combined with a second filter for all hostnames that match esxi* -- the wildcard matches every host whose name starts with esxi. Because the SSH service is disabled by default on ESXi, sshd activity on those hosts is worth watching. The interval shown is the last 24 hours, but you can choose a shorter or longer one if you prefer.

Figure B. Custom query of events

With the interactive analytics feature you can build queries to find events in your environment. These queries can be as complex as you want, so it's useful to be able to mark one as a favorite with the star icon; your stored favorites then appear in the drop-down box, so common queries are saved for later use. And, like the dashboards, favorites can be shared with other users.

The interactive analytics page also lets you build an alert from a query. This is one of the more powerful features of vRealize Log Insight. When you know a condition you want to be told about -- whether it recurs regularly or you merely expect it to happen -- create a query for it and turn it into an alert. That alert can be sent to your email and to vROps.

You can also track how often the event occurs in a given interval, as shown in Figure C: if at least X occurrences fall within the interval, an alert is raised. When sending an alert to vROps you specify which object in the inventory it should be attached to. Since some alerts don't belong to a specific object, the alert in this example is attached to the data center object.

Figure C. Creating an alert
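To make the query-to-alert logic concrete, here is an added Python example (not code from the article or from VMware) that re-implements the Figure B query and the Figure C threshold alert over a handful of syslog-style lines: a case-insensitive keyword match, a hostname glob such as esxi*, a lookback window, a per-host event count like the dashboard in Figure A, and an alert that fires when the query returns at least X hits inside the interval. The hostnames, timestamps and messages in the sample log are constructed for this example, as is the fixed "now" used for the window.

```python
"""Keyword + hostname-glob query over syslog-style lines, plus a
count-in-window alert, modelled on the Log Insight query (Figure B)
and alert (Figure C). All sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Constructed sample events in the shape ESXi syslog and the Windows
# agent produce: ISO timestamp, hostname, message. Not real log data.
SAMPLE_LOG = """\
2016-07-04T09:00:00Z esxi01.lab.local sshd[999]: Server listening on :: port 22.
2016-07-05T10:01:12Z esxi01.lab.local sshd[12345]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 51234 ssh2
2016-07-05T10:02:40Z esxi01.lab.local sshd[12346]: Connection from 10.0.0.5 port 51240
2016-07-05T10:03:01Z esxi02.lab.local vmkernel: cpu0:1234)NMP: path state changed for device naa.600
2016-07-05T10:04:15Z esxi02.lab.local sshd[2222]: Session closed for 'root'
2016-07-05T10:05:00Z win-dc01.lab.local Service Control Manager: The Print Spooler service entered the stopped state.
2016-07-05T10:06:30Z esxi01.lab.local sshd[12350]: Accepted keyboard-interactive/pam for root from 10.0.0.5 port 51260 ssh2
"""

# Fixed reference time so the 24-hour and 10-minute windows are reproducible.
DEMO_NOW = datetime(2016, 7, 5, 10, 10, tzinfo=timezone.utc)
DAY = timedelta(hours=24)
TEN_MINUTES = timedelta(minutes=10)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Split 'timestamp hostname message' into a dict; return None for
    lines that do not have that shape or whose timestamp does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"time": ts.replace(tzinfo=timezone.utc),
            "host": m.group(2), "text": m.group(3)}


def parse_log(text):
    """Parse every well-formed line of a log blob, dropping the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def query(events, keyword, host_glob, now, lookback):
    """The Figure B query: keyword in the message (case-insensitive),
    hostname matching a glob like 'esxi*', and time within [now-lookback, now]."""
    since = now - lookback
    kw = keyword.lower()
    return [e for e in events
            if since <= e["time"] <= now
            and fnmatch(e["host"], host_glob)
            and kw in e["text"].lower()]


def events_per_host(events):
    """Dashboard-style count of events per host, noisiest host first."""
    return Counter(e["host"] for e in events).most_common()


def alert_fires(events, keyword, host_glob, now, window, threshold):
    """The Figure C alert: run the query over the window and raise when the
    number of hits reaches the threshold. Returns (fired, hit_count)."""
    hits = query(events, keyword, host_glob, now, window)
    return len(hits) >= threshold, len(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in query(evs, "sshd", "esxi*", DEMO_NOW, DAY):
        print(e["time"].isoformat(), e["host"], e["text"])
    print(events_per_host(evs))
    # Two root logins over SSH on ESXi hosts within ten minutes -> alert.
    print(alert_fires(evs, "Accepted", "esxi*", DEMO_NOW, TEN_MINUTES, 2))
```

Running it prints the four sshd events from the esxi hosts inside the last 24 hours (the listening message from the previous day falls outside the window, and the Windows host is excluded by the glob), the per-host counts with esxi01 on top, and a fired alert for two accepted root logins within ten minutes.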

Extensibility with content packs

The features described so far can be used out of the box for any host that sends its log entries to your appliance. This is true by default for the ESXi hosts you have automatically configured.

Agents that you can install on Windows and Linux hosts are also included in the default deployment. They collect log data from the system and send it to the appliance. Depending on the application running on your server, you may need to collect specific log files, or, on Windows, hook into the event channels you can inspect with Event Viewer. This type of additional functionality comes with the content packs.

Some of the content packs that ship with the product are created by VMware for common use cases, such as the content pack for Windows, which connects to the event channels on a Windows host.

To collect the entries from your Windows hosts, install the content pack, create an agent configuration for each channel -- such as Application, System and Security -- and then install the Windows Log Insight agent on each server you want to collect from. During the agent installation you point it at the appliance's address.
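As an added illustration, not taken from the article, this is what such an agent configuration looks like. The section and key names ([server], proto, ssl, [winlog|...], channel) are the ones the Log Insight agent reads from its liagent.ini, and the agent configuration you build in the web interface uses the same syntax. The hostname is a placeholder, and the SSL port should be checked against your appliance's documentation before you rely on it.

```ini
; liagent.ini -- illustrative configuration, not from the article.
; Hostname is a placeholder; verify the port for your deployment.
[server]
hostname=loginsight.lab.local
proto=cfapi
; ssl=yes keeps event data (including the Security channel) off the
; wire in clear text; the agent's SSL cfapi port differs from the plain one.
ssl=yes
port=9543

; One winlog section per Windows event channel, matching the three
; agent configurations the text describes.
[winlog|Application]
channel=Application

[winlog|System]
channel=System

[winlog|Security]
channel=Security
```

Treat the Security channel like any other sensitive log feed: only the administrators who need it should hold a role that can query it, and the transport to the appliance should be encrypted, which is what ssl=yes does here.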

In the example shown in Figure D, you can see entries from a Windows server reporting that a service stopped.

Figure D. Using a Windows agent

When entering queries in the Interactive Analytics section, you can also create a snapshot of the events generated in a certain time period. This saves the current listing of events from your query so you can inspect it later, which is convenient when a large number of events are coming in and you want to investigate an issue later without the entries being deleted by the vRealize Log Insight retention mechanism. That mechanism only starts removing the oldest entries when all the storage assigned to the appliance has been used, so a busy environment can lose entries sooner than you expect; for evidence you need to keep, take a snapshot rather than relying on retention.

