VMware has a lot of tools these days. From the tools for virtualization all kinds of workloads to managing all that in an automated manner. In that last category VMware also has a tool called vRealize Log Insight. vRealize Log Insight, together with vRealize Operations gives you everything you need to monitor and troubleshoot your environment. I think that Log Insight is one of the most undervalued tools in a VMware environment.

Every other week I am going to post something about Log Insight, from the installation to getting information out of your systems into Log Insight.

Why monitoring logfiles

The question “Why monitoring logfiles” is for me equivalent with “Why a warning light in your car”. The answer is: You want to know what’s going on before it is too late.

The reason for monitoring is universal. I found the following on a sport and development site (changed it a little bit) :

    • it provides the only consolidated source of information showcasing progress;
    • it allows actors to learn from each other’s experiences, building on expertise and knowledge;
    • it often generates (written) reports that contribute to transparency and accountability, and allows for lessons to be shared more easily;
    • it reveals mistakes and offers paths for learning and improvements;
    • it provides a basis for questioning and testing assumptions;
    • it provides a means to learn from their experiences and to incorporate them into policy and practice;
    • it provides a way to assess the crucial link between implementers and decision-makers;
    • it adds to the retention and development of corporation memory;

That means that monitoring of logs is good to learn from and to improve the overal uptime and performance. vRealize Log Insight is VMware’s answer to the monitoring question.

So, what is Log Insight?

According to the VMware site Log Insight has the following features and benefits

  • machine-learning based intelligent grouping
  • high performance search capabilities
  • faster troubleshooting
  • better operational analytics
  • discover structure in unstructured data

But that doesn’t say much about what it will do for you.

vRealize Log Insight is a log management tool that aggregates logs from various systems into one place. It makes it possible to do all sorts of queries and analytics on the data retrieved. And if you think that vRealize Log Insight is a tool for VMware products, you’ll be surprised. There are, as you would expect, the management packs for the VMware products, like vRealize Automation, vRealize Operations, vCenter, vCloud Director, NSX, Horizon View, but also for the Microsoft OS, SQL Server, IIS Server, Sharepoint, the .NET CLR, networking/storage products from Cisco (ASA, Nexus), Arista, Brocade, EMC (VNX), NetApp, Synology and even for compute products from VCE and Cisco (UCS).

Loginsight-ingress

There are many more. You can find the management packs on the online Solution Exchange and from the Market Place in vRealize Log Insight itself.

 

Log Insight is a perfect addition to vRealize Operations, where vRealize Operations gives you intel about the structured data and Log Insight gives you all the nitty gritty about the unstructured data. Operations and Log Insight gives you maximum insight into environment and helps you to quickly find the root cause of problems.

loginsight-vrops

Deploymentdeploy-ovf

Deployment is very easy. You download the virtual appliance from the VMware site and de
ploy it as a virtual appliance (OVA). After accepting the End User License and naming the virtual machine you can choose the configuration for the virtual machine. They vary in CPU resources, memory and diskspace. For the disks the recommendation is thick provisioned, eager zeroed. VM hardware version 7 or greater (vSphere 4.0 or later) are also requirements.

There are choices:

 

ConfigurationCPUMemoryDisk space
Extra small (20 ESXi hosts / 200 events/second)24 GB132GB
Small (200 ESXi hosts/ 2000 events/second)48 GB132GB
Medium (500 ESXi hosts / 5000 events/second)816 GB282 GB
Large (1500 ESXi hosts / 15000 events/second)1632 GB282 GB

Note: Extra small is not supported for production, just for PoC and testing.

After entering the hostname, IP address/mask, gateway, DNS and root password you’re good to go. If you prefer to use SSH keys you can enter it instead of the password.

If this is too much GUI for you, you can also do it with PowerCLI. Marcus Pucket wrote a very good article about it.

Basic configuration

After you deployed the virtual machine and powered it on you can configure it from its web interface, which you can find at https://<the ipaddress you gave it>

If you already have a Log Inishgt deployment you can join an existing deployment by entering the fully qualified domain name of the Log Insight master. Since this is your first deployment we choose Start New Deployment. After entering credentials that can be used for the admin you’re prompted for the license key. If you don’t have it at hand, don’t worry. You can enter it later.

If you want notifications from Log Insight, enter an e-mail address. These notifications are generated when important system events occur (e.g., when Log Insight is about to start rotating out data because the disk is full).

Customer Experience Improvement Program

Once per week, Log Insight will send anonymized Trace Data to VMware via encrypted email. This information allows us to create the best possible product for you. VMware will use collected information to prioritize development resources towards features and fixes that are most valuable to our customers.

If you’re allowed to do this, please select it. This way VMware gets the information to improve the product.

The time configuration of Log Insight is very important. Every message gets a time stamp. If message from different systems have different timestamps troubleshooting and querying the logs are more difficult.

If you want to receive notifications and other messages configure the SMTP stack for Log Insight. Make sure the mailserver accepts mail from the IP address/host, otherwise no mail will be sent.

Done! And now?

Now the fun part starts. If you login to vRealize Log Insight you’re prompted to ‘Ingest Data’ from vSphere, Agents and Syslog.

ingest-data

I will be explaining the sources for Log Insight in future posts, but go ahead, and try something in the mean time.

Want to know more about vRealize Log Insight?

Jeremy van Doorn did an interview with Darla Hershberger at VMworld 2013 about Log Insight.