vRealize Log Insight is one of those underrated VMware products that have been around for a few years but haven’t received the attention they deserve. Originally named vCenter Log Insight, it was first released in September 2013, and VMware has taken the product a long way since then through constant investment.

This product benefits from a short update cycle, with a new release every 3 to 6 months on average. Version 4.6 has been the current release since April of this year, and it comes with some cool new features that we will mention here.

Why do you need Log Insight

Log Insight is just like any syslog server to which you send your logs, be it from a VMware entity or not. The main value added to the product is that it comes with a whole lot of built-in content packs containing all the filters, thresholds, alerts and whatnot that you should be looking for in the logs sent by VMware products. There actually is a lot to learn by just going through them…

Dashboard view

Interactive analytics view

A lot of administrators never look into implementing such a solution because they think products made by big companies like VMware are expensive, that they don’t have time to configure it, or that they simply don’t need it. Well, let me tell you that if you are used to “log hunting” in your environment and cross-referencing the records, this will change your life big time, and the configuration won’t take long! And guess what, you are entitled to 25 Log Insight OSI licenses with your vCenter server license. So why not use it?

  • It comes as a virtual appliance (OVA)
  • Gathers logs from any system, not just VMware
  • Can work in clustered mode / High availability
  • VMware and 3rd party content packs
  • Agents available to improve guest OS logging
  • Log consolidation
  • HTML5 web interface
  • Can send alerts based on thresholds
  • Great for auditing purposes

“Content packs are plugins to VMware vCenter Log Insight that provide pre-defined knowledge about specific types of events such as log messages.”

Obviously, the VMware content packs offer amazing visibility into the logs of vCenter and ESXi. By default in Log Insight, you get content packs for vROPS 6.7, vSphere and vSAN. You can then add third-party content packs, which are available via a marketplace accessible in the web interface of the appliance.

Licensing

There are 2 ways to license Log Insight:

  • Per OSI (Operating System Instance): Any unique source that sends logs to the appliance. vCenter Server includes 25 OSI licenses out of the box. You can then buy additional packs
  • Per CPU: Any log data sources from a single CPU, regardless of hypervisor or number of guest OSs. For example, if you buy 2 CPU licenses for your dual CPU hypervisor (VMware, Hyper-V…), you will be able to send logs from the hypervisor itself and all the guest VMs running on it

There is, however, a little caveat about the 25 OSI licenses included in the vCenter license:

  • Some features are unavailable such as:
    • Clustering
    • High Availability
    • Event Forwarding
    • Archiving
  • Only 1 vCenter license per Log Insight instance
  • No access to third party content packs

With that said you can already do a lot with these 25 OSI licenses.

As an example, take a medium-sized infrastructure with 1 vCenter and 20 ESXi hosts. If you use your vCenter license, you can forward logs from your vCenter and all your hosts, and you will still have 4 licenses to spare for your backup solution or whatever else you may judge relevant to log.

Compatibility and Upgrade Paths

vRealize Log Insight 4.6 supports:

  • vCenter 5.5 and later
  • ESXi 5.5 and later
  • vRealize Operations Manager 6.6 and later

If you are already running an instance in your environment, you may have to go through intermediate versions to get to 4.6, depending on which one you are currently using. If you were upgrading from 4.0, you would need to upgrade to 4.3, then to 4.5.1, and finally to 4.6.

Upgrading Log Insight is one of the easiest upgrade processes for a VMware product. All you need to do is download the upgrade bundle (.pak) and upgrade from the admin page. More info here.

Getting Log Insight

To download the appliance, log on to myvmware.com (create an account if you don’t already have one), go to the Download section, choose vSphere, find “VMware vRealize Log Insight 4.6.0 for vCenter” and click on “Go to Downloads”. Enroll for the trial and download the appliance.

You don’t have to worry about downloading the guest agents as you can download them from the appliance when it is deployed.

I will not cover the deployment process here as there are already hundreds of tutorials out there and it is just like deploying any OVA. When you first log on to the web page, the configuration wizard walks you through the process of getting your appliance ready, which is extremely easy.

What’s new in version 4.6

VMware brings lots of interesting new features and enhancements in the latest version of their Syslog appliance (release notes):

  • Support for up to 15 vCenters per node
  • Added ability to send an alert when a configured log source stops sending log events after a fixed amount of time. You can add hosts to the white list so it won’t raise an alert if it becomes inactive for longer than configured
  • Added ability to export a full list of agents from the Admin->Agents page
  • Added ability to control the visibility of items on Dashboard widgets. Use Shift-Click to toggle and Option/Alt-Click to show all
  • Added ability to search for users on the admin/users page and to delete multiple users
  • Ability to authenticate VMware Identity Manager (vIDM) local users
  • For SLES installations, product upgrade now updates base operating system libraries from SLES 11 SP3 to SLES 11 SP4. This means that installations that are upgraded to this release, and installations from fresh deployments of this release have the same base OS libraries
  • Additional APIs including those for creating alerts, deleting VIPs, and authenticating with vIDM
  • Improved informational messaging when deleting VIPs with the API
  • Minor Improvements for PLU license representation on the license page
  • Support for receiving RAW event messages without headers
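
The inactive-source alert in the list above comes down to tracking the most recent event per source and comparing it with a silence threshold. The following is an added example, not Log Insight's code or API: the line format, host names, `EXPECTED` inventory and function names are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source host> <message>" per line.
SAMPLE_EVENTS = """\
2018-06-01T09:10:00 esx01.lab.example Hostd: user login accepted
2018-06-01T09:58:30 vcenter.lab.example vpxd: task completed
2018-06-01T08:15:00 esx02.lab.example vmkernel: storage path restored
2018-06-01T09:59:10 esx01.lab.example Hostd: heartbeat
2018-06-01T07:00:00 backup01.lab.example job finished
"""
# Assumed inventory of sources that should be logging (constructed names).
EXPECTED = ["vcenter.lab.example", "esx01.lab.example", "esx02.lab.example",
            "esx03.lab.example", "backup01.lab.example"]

def last_seen(lines):
    """Return {source: datetime of its most recent event}; skip malformed lines."""
    seen = {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        host = parts[1].lower()
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def inactive_sources(seen, expected, now, threshold, allowlist=()):
    """Return [(source, silence)] for quiet sources; silence is None if never seen."""
    allowed = {h.lower() for h in allowlist}
    alerts = []
    for host in sorted(h.lower() for h in expected):
        if host in allowed:
            continue  # allowlisted sources may go quiet without an alert
        ts = seen.get(host)
        if ts is None:
            alerts.append((host, None))
        elif now - ts > threshold:
            alerts.append((host, now - ts))
    return alerts

if __name__ == "__main__":
    now = datetime(2018, 6, 1, 10, 0, 0)  # fixed "now" so the run is repeatable
    print(inactive_sources(last_seen(SAMPLE_EVENTS.splitlines()), EXPECTED, now,
                           timedelta(hours=1), allowlist=["backup01.lab.example"]))
```

Checking against an inventory rather than only against sources already seen is what catches a host that never started logging at all.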

Conclusion

Log servers always have a place in the enterprise, but setting one up might seem daunting and time-consuming to busy administrators. And most of the time, it does indeed take a lot of time to analyze what is sent to the syslog server and to create the filters, the dashboards, the alerts… This is where VMware managed to take away the heavy lifting and give administrators a ready-to-go, out-of-the-box configuration.

If you haven’t tried Log Insight yet, this is definitely worth checking out as it will open a whole new world of possibilities in terms of auditing, troubleshooting and alerting. It takes no more than 5 minutes for a basic setup and is free for the first 25 senders.
