Skip to main content

vRealize Log Insight Overview


vRealize Log Insight has been around for several years now, but I keep hearing people referencing the fact that many companies own it and don't even realize it. Let's change all that!

For those of you not aware, vRealize Log Insight (hereafter referred to as vRLI because I'm lazy and don't want to type out the whole name) is a log management and analytics solution from VMware. It ingests syslog data from various sources - not just vSphere/ESXi! - and displays all that data in easy-to-understand and customizable dashboards while at the same time providing a powerful analytics engine, giving easily searchable structure to unstructured data. It's a really helpful tool for me, so I will provide an overview to get you familiar at a high-level with its features.

As a side note: while not specific to vRLI, having a centralized location for syslog data makes correlating issues between layers of the technology stack much easier than trying to remember what system logs where during an outage. Even if you don't use vRLI, I believe it's always a good idea to get your logs off the device that is generating said logs, for both security and ease of troubleshooting.

Available Versions

After that elevator pitch for why you want vRLI for centralized log management/analytics, you are probably asking yourself "how do I get my hands on this?" and you'll be glad to hear that there are a few different ways you can accomplish that goal. This is (in part) what I was making mention of earlier when I said that you might already own it. At the time of this writing, there are three different "versions" of vRLI, and each will grant you different features. There is a nice feature comparison matrix over at https://www.vmware.com/products/vrealize-log-insight.html that describes the feature availability, so I won't dive deep on ALL the differences but will cover the major ones.

vRealize Log Insight for vCenter Server

If you own vCenter Server Standard (or above), you are entitled to 25 OSI licenses of vRealize Log Insight. VMware defines an OSI, or Operating System Instance, as "any server, virtual or physical, with an IP address that generates logs, including network devices and storage arrays". This licensing tier will get you a fully functional vRLI instance with access to Dashboards and Interactive Analytics, but you miss out on the advanced features available in the full version (clustering, high availability, event forwarding, archiving, and the ability to install custom and/or 3rd party content packs).

vRealize Log Insight for NSX

When you purchase a CPU license for NSX (VMware's security and network virtualization product) you will also receive a 1 CPU entitlement for vRLI. Technically, this is the full version of vRLI, but there are some limitations - namely, you are only entitled to vSphere and NSX log events, and you are supposed to only install vSphere and NSX content packs. However, it does enable you to use those advanced features not available to users of the vCenter Server-specific version.

Full vRealize Log Insight

A license for the full version of vRLI can be purchased per physical CPU, or granted as part of the vCloud or vRealize suite licensing. The full version offers unrestricted functionality of all features. If you are planning to use vRLI for managing more than just vSphere logs, the full version is worth seriously considering. The added features definitely make it a more "enterprise-ready" solution - especially clustering and HA.

Interface Overview - Dashboards

The vRLI interface is split into two main parts - Dashboards and Interactive Analytics. We'll start with the Dashboards view, which is great for viewing trends and historical information. The default dashboards are actually pretty useful out-of-the-box, but the real magic is the ability to clone and customize the dashboards to fit the use cases for your environment. As you can see from the screenshot below, there are also a wide variety of Content Packs that are available to extend vRLI's log management functionality to other VMware products and vendors outside of VMware. All the available content packs can be found on VMware's Solution Exchange.





Interface Overview - Interactive Analytics

The Interactive Analytics tab is where all of the raw data is aggregated, and is really great for digging into the raw log files (all searchable via customizable fields, of course) and correlating system events or doing root cause analysis. The screen is split into a visual representation of the number of events matching a particular query over a period of time (in this case 5 minutes) and the actual log entries themselves below that in text. I'd have to say that I spend most of my time in vRLI in this window, unless I'm working on building a dashboard.


One other cool thing that vRLI does is offer integration into vRealize Operations Manager (vROPS). I could (and maybe will) do a whole separate post on vRLI/vROPS integration, but it will allow you to launch vRLI from within vROPS without having to open a separate window and even perform VM-specific log data searches directly from vROPS with the click of a button. Pretty neat.

Obviously this quick post just scratches the surface of what vRLI can do, so if you want to learn more, there are a few great resources that you use to dive a bit deeper on all of vRLI's capabilities:




Thanks for reading!

Comments

Popular posts from this blog

How To: Unjoin NetApp Nodes from a Cluster

Let me paint you a word picture:

You've upgraded to a shiny new AFF - it's all racked, stacked, cabled and ready to rock. You've moved your volumes onto the new storage and your workloads are performing beautifully (of course) and it's time to put your old NetApp gear out to pasture.

We're going to learn how to unjoin nodes from an existing cluster. But wait! There are several prerequisites that must be met before the actual cluster unjoin can be done.


Ensure that you have either moved volumes to your new aggregates or offlined and deleted any unused volumes.Offline and delete aggregates from old nodes.Re-home data LIFs or disable/delete if they are not in use.Disable and delete intercluster LIFs for the old nodes (and remove them from any Cluster Peering relationships)Remove the old node's ports from any Broadcast Domains or Failover Groups that they may be a member of.Move epsilon to one of the new nodes (let's assume nodes 3 and 4 are the new nodes, in th…

ONTAP Configuration Compliance Auditing with PowerShell and Pester

I have been looking for a way to validate NetApp cluster configuration settings (once a configuration setting is set, I want to validate that it was set properly in a programmatic fashion) and prevent configuration drift (if a setting is different than its expected value, I want to know about it). I needed it to be able to scale out to dozens of clusters as well, so it needed to be something that I could run both automatically and on an ad-hoc basis if necessary.

NetApp PowerShell Toolkit

The core of the solution is the NetApp PowerShell Toolkit, without which this would likely not be possible. It contains 2300+ cmdlets for provisioning and managing NetApp storage components. It can be downloaded from the ToolChest on the NetApp MySupport site (with a valid login). You'll find exhaustive documentation there as well for each of the cmdlets along with syntax examples and sample code. It is a fantastic and easy way to automate common storage tasks - we use it in our environment for e…

Step up your HTTP security header game with NetScaler Rewrite Policies

There are a number of HTTP response headers that exist to increase web site security. If set properly, they can ensure that your site is less exposed to many common web vulnerabilities. By no means are these descriptions exhaustive, so I have included some references that can provide a more in-depth explanation at the bottom of each section. I'd also like to give a shout-out to the OWASP Secure Headers Project and Scott Helme of securityheaders.com - thank you!

Note: Screenshots are from a NetScaler VPX 12.1 - if you are running a different version, the screenshots may look different, but the logic is the same. So that I have something to bind these policies to, I've also already created a load-balancing virtual server named lb_web_ssl and a Service Group for two TurnKey LAMP servers on the back-end.

X-Frame-Options
The X-Frame-Options header is designed to guard against clickjacking (an attack where malicious content is hidden beneath a clickable button or element on a web si…