Need a syslog server that isn’t just a dumping ground for logs that you view with a simple text viewer?
Look no further than VMware vRealize Log Insight!
This post covers the Log Insight version that you are probably already licensed for and how to install and configure it.
Entitlement
First, the good news: if you have a supported version of vCenter Server Standard (5.x or 6.x), you are entitled to a 25 OSI pack.
For example, the 25 OSI pack would let you ingest logs from:
- 1x vCenter Server
- 10x ESXi Hosts
- 10x Virtual Machines
- 2x Switches
- 1x Firewall
- 1x Storage array
- Total: 25
Here are all supported features with the 25 OSI pack:
Some caveats with this 25 OSI pack:
- You can only use content packs for VMware products. You can still accept syslogs from any device, but you cannot install content packs for anything non-VMware.
- You cannot bundle multiple 25 OSI packs into one instance. For example, if you have 2x vCenter Servers and want to get the 2x 25 OSI entitlement (50 OSIs), then you need 2x Log Insight instances (one per vCenter Server) to benefit from 50 OSIs.
- You will not be able to use advanced features such as event forwarding or HA unless you purchase the full version of Log Insight.
Installation & Configuration
The install process is nicely streamlined. Here are the steps to install and configure vRealize Log Insight 4.5.1:
- Download the OVF from https://vmware.com
- Deploy the OVF & configure standard network settings
- Once the appliance has booted, log in to the web user interface
- Enter admin credentials for future login
- The deployment starts
- Enter the license key. For the 25 OSI pack, use your vCenter Server Standard license key
- Configure SMTP for alerting. This is not required if you do not want to receive alerts
- Setup finished!
- Now we need to send syslogs to Log Insight. Fortunately, this can be automated
- Select vSphere Integration
- Enter your vCenter Server credentials. You may want to use a new “log insight” account so that you can see which operations are being conducted by Log Insight when reviewing logs in vCenter
- Test the connection and press save once done
- This will poll all vCenter Servers and ESXi hosts and configure them to send logs to Log Insight without any further configuration
- Note: If you already have these components “syslogging” to somewhere else, their logs will still be sent there in addition to Log Insight. To stop this, you need to remove that older configuration from each ESXi server manually
- Within General Configuration you can specify a list of email addresses to send alerts to
- Make sure you set up NTP; otherwise your logs will carry the wrong timestamps, which makes troubleshooting difficult
- That’s it! Log Insight is installed. Refer to the dashboards to see what data is being ingested. Be sure to add content packs by selecting the icon on the top right
- Remember that if you are using the 25 OSI model, you can only use VMware content packs, but that doesn’t stop you from logging non-VMware products and analyzing the logs
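The note in the steps above about hosts that were already sending syslog elsewhere can be checked per host. The script below is an added example, not part of the original post or VMware's tooling: it splits an ESXi Syslog.global.logHost value into the Log Insight target and any older targets that still receive a copy of the logs. The host names and the sample value are constructed.

```shell
#!/bin/sh
# Added example: separate the Log Insight target from older syslog targets
# in an ESXi Syslog.global.logHost value (comma-separated, each entry
# optionally prefixed with udp://, tcp:// or ssl:// and suffixed with :port).
# On a host, the current value is the "Remote Host" field printed by:
#   esxcli system syslog config get

# host_of TARGET -> lower-cased host name or IP address of one target
host_of() {
    h=${1#*://}                          # drop the scheme, if any
    case $h in
        \[*) h=${h#\[}; h=${h%%\]*} ;;   # bracketed IPv6 literal
        *)   h=${h%%:*} ;;               # drop the :port suffix
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# filter_targets LOGHOST_VALUE LOG_INSIGHT_HOST keep|stale
#   keep  -> targets that point at LOG_INSIGHT_HOST
#   stale -> every other target (these still receive a copy of the logs)
filter_targets() {
    keep=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    out=
    old_ifs=$IFS; IFS=', '
    set -f                               # no globbing while splitting
    for t in $1; do
        [ -n "$t" ] || continue          # skip empty fields such as "a,,b"
        if [ "$(host_of "$t")" = "$keep" ]; then kind=keep; else kind=stale; fi
        if [ "$kind" = "$3" ]; then out=${out:+$out,}$t; fi
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$out"
}

# Constructed sample value (not taken from a real host).
sample='udp://oldsyslog.example.local:514,tcp://loginsight.example.local:514'
echo "stale: $(filter_targets "$sample" loginsight.example.local stale)"
echo "keep:  $(filter_targets "$sample" loginsight.example.local keep)"

# After reviewing the stale list, write back only the kept targets:
#   esxcli system syslog config set --loghost='<keep value>'
#   esxcli system syslog reload
```

Pass the Log Insight address in the same form it appears in the setting (host name or IP), since the comparison is a plain string match on the host part.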
Content packs
Finally, see below for a list of some of the content packs available to those with the full entitlement
For more information and videos about VMware vRealize Log Insight, see the product page here: https://www.vmware.com/products/vrealize-log-insight.html