
vRealize Log Insight Overview

vRealize Log Insight has been around for several years now, but I keep hearing people referencing the fact that many companies own it and don't even realize it. Let's change all that!

For those of you not aware, vRealize Log Insight (hereafter referred to as vRLI because I'm lazy and don't want to type out the whole name) is a log management and analytics solution from VMware. It ingests syslog data from various sources - not just vSphere/ESXi! - and displays all that data in easy-to-understand and customizable dashboards while at the same time providing a powerful analytics engine, giving easily searchable structure to unstructured data. It's a really helpful tool for me, so I will provide an overview to get you familiar with its features at a high level.

As a side note: while not specific to vRLI, having a centralized location for syslog data makes correlating issues between layers of the technology stack much easier than trying to remember what system logs where during an outage. Even if you don't use vRLI, I believe it's always a good idea to get your logs off the device that is generating said logs, for both security and ease of troubleshooting.

Available Versions

After that elevator pitch for why you want vRLI for centralized log management/analytics, you are probably asking yourself "how do I get my hands on this?" and you'll be glad to hear that there are a few different ways you can accomplish that goal. This is (in part) what I was making mention of earlier when I said that you might already own it. At the time of this writing, there are three different "versions" of vRLI, and each will grant you different features. There is a nice feature comparison matrix over at that describes the feature availability, so I won't dive deep on ALL the differences but will cover the major ones.

vRealize Log Insight for vCenter Server

If you own vCenter Server Standard (or above), you are entitled to 25 OSI licenses of vRealize Log Insight. VMware defines an OSI, or Operating System Instance, as "any server, virtual or physical, with an IP address that generates logs, including network devices and storage arrays". This licensing tier will get you a fully functional vRLI instance with access to Dashboards and Interactive Analytics, but you miss out on the advanced features available in the full version (clustering, high availability, event forwarding, archiving, and the ability to install custom and/or 3rd party content packs).

vRealize Log Insight for NSX

When you purchase a CPU license for NSX (VMware's security and network virtualization product) you will also receive a 1 CPU entitlement for vRLI. Technically, this is the full version of vRLI, but there are some limitations - namely, you are only entitled to vSphere and NSX log events, and you are supposed to only install vSphere and NSX content packs. However, it does enable you to use those advanced features not available to users of the vCenter Server-specific version.

Full vRealize Log Insight

A license for the full version of vRLI can be purchased per physical CPU, or granted as part of the vCloud or vRealize suite licensing. The full version offers unrestricted functionality of all features. If you are planning to use vRLI for managing more than just vSphere logs, the full version is worth seriously considering. The added features definitely make it a more "enterprise-ready" solution - especially clustering and HA.

Interface Overview - Dashboards

The vRLI interface is split into two main parts - Dashboards and Interactive Analytics. We'll start with the Dashboards view, which is great for viewing trends and historical information. The default dashboards are actually pretty useful out-of-the-box, but the real magic is the ability to clone and customize the dashboards to fit the use cases for your environment. As you can see from the screenshot below, there is also a wide variety of Content Packs available to extend vRLI's log management functionality to other VMware products and vendors outside of VMware. All the available content packs can be found on VMware's Solution Exchange.

Interface Overview - Interactive Analytics

The Interactive Analytics tab is where all of the raw data is aggregated, and is really great for digging into the raw log files (all searchable via customizable fields, of course) and correlating system events or doing root cause analysis. The screen is split into a visual representation of the number of events matching a particular query over a period of time (in this case 5 minutes) and the actual log entries themselves below that in text. I'd have to say that I spend most of my time in vRLI in this window, unless I'm working on building a dashboard.

One other cool thing that vRLI does is offer integration into vRealize Operations Manager (vROPS). I could (and maybe will) do a whole separate post on vRLI/vROPS integration, but it will allow you to launch vRLI from within vROPS without having to open a separate window and even perform VM-specific log data searches directly from vROPS with the click of a button. Pretty neat.

Obviously this quick post just scratches the surface of what vRLI can do, so if you want to learn more, there are a few great resources that you can use to dive a bit deeper on all of vRLI's capabilities:

Thanks for reading!

