Data center analytics is an increasingly important part of enterprise IT operations. We have moved far past the scale of data that can be managed and reported by hand. The first generation of analytics products is centered on performance and availability. They work primarily with metrics to tell us what is happening. But on their own, metrics aren't really enough -- often, they only identify the result of an action. Additional insight can be derived from knowing which actions were taken, as well as other event-based information. This is where log analytics adds to the performance analytics to provide a more extensive picture.
Introducing vRealize Log Insight
VMware has had a log analytics product, Log Insight, for a few years. The product deploys as one or more virtual appliances and gathers log information from various types of systems. The obvious systems are VMware hypervisors and management services. These work immediately and are configured as part of the deployment process. Additional systems can be monitored using agents or syslog forwarding. Agents for Windows and Linux allow monitoring of arbitrary logs on these systems.
Content packs need to be added to the vRealize Log Insight appliance to allow different logs to be collected from agents and analyzed in the dashboard. An example is the Active Directory (AD) pack, which adds a dashboard with views of different categories of AD events. These views cover the AD services and information about related services, like the domain name system, as well as AD security information. There are over 60 content packs available for download from VMware. The majority of these cover third-party components -- storage arrays, network fabrics or applications inside guest VMs. One thing to be clear on is that vRealize Log Insight does not have to work with VMs. The agent can be deployed to physical devices, and logs can be forwarded to the appliance. The greatest value comes from sending all your logs to vRealize Log Insight. This way, multiple log messages can be correlated and root causes can become easier to identify.
Room for improvement
As always, there is room for improvement. In vRealize Log Insight, for starters, there should be more content packs. Without a content pack to identify application files, there is no way for vRealize Log Insight to know which logs to watch and what the log entries mean. Right now, the content packs are very focused on infrastructure. There are packs for managing the physical infrastructure, like storage arrays and network fabrics. There are also packs for the software side, most notably for the Microsoft server range, but also for programs like OpenStack and the NGINX Web Server.
It would be good to see more content packs for application frameworks, as well as more infrastructure. A content pack for Oracle might aid admins with a large legacy infrastructure. Packs for other platforms, like MySQL, would help a lot, as would packs for more recent architectures, such as Docker containers. Content packs for modern data center schedulers, like Kubernetes and Mesos, would be great, too. This last type would likely extend the footprint of Log Insight past vSphere in the data center.
Integration is essential
The next improvement is tighter integration into the rest of the VMware management suite. Right now, vRealize Operations (vROps) is the VMware tool for monitoring performance and time series data, while vRealize Log Insight is the VMware tool for analyzing log data. The challenge is that the two do not provide a unified view: a single screen with both the event and the performance data overlaid onto it.
Currently, the sole integration between the two is that they can agree on which object you are managing. From there, the two consoles can launch each other's web console with the right object context. This is a start, but clearly not the endpoint. vRealize Log Insight can easily replace and improve the event information that is currently provided in vROps. I personally prefer tools that close the loop, resolving issues that they discover. I would love to see VMware build a proactive tool that takes corrective actions and fixes issues without requiring an administrator to be actively involved.
The endpoint for these operational management products must be a faster time to problem resolution. An integrated view of the state of applications in the data center is critical to this rapid resolution. The infrastructure layers are evolving to be simpler to manage. It is important to provide visibility into the application layers. Log Insight needs to integrate into the suite of VMware management products to deliver a unified view of performance and event data from the hardware all the way to the applications.