If, like most of us, you forward vCenter and ESXi host Syslog data to centralised Syslog targets (and if you don’t, then I’d advise you do), then you’ll be pleased to hear that (as long as you have a valid vCenter Server license) you’ll be able to utilise the power of VMware vRealize Log Insight to interrogate this data.
This article is the first in a two-part VMware vRealize Log Insight series. It details the simple installation and configuration process; the second article will focus on advanced configuration and integration with VMware NSX via vRealize Log Insight Content Packs (vRealize Log Insight add-ins enabling further integration with both VMware and 3rd party products).
As per VMware documentation, VMware vRealize Log Insight supports a single, 25-OSI Log Insight for vCenter Server license (i.e. 1x vCenter Server and 24x other vSphere elements). In a nutshell, this means vRealize Log Insight is totally free for single vCenter Server use; however, this does come with a few exceptions. Firstly, the Log Insight for vCenter Server license is limited to VMware-only Content Packs and, furthermore, Enterprise features (such as event forwarding and archiving) are disabled. Still, this isn't a bad compromise by any means, and I'd recommend you try out vRealize Log Insight as soon as you can.
ESXi Host Syslog Configuration
Firstly, if you aren’t already forwarding your ESXi Syslog data to a central target, then you’ll need to configure this first. For lab purposes (and in a number of use cases) the below example details how we configure all ESXi hosts to forward all Syslog data to our vCenter Server.
Note, if you have a large number of hosts in your estate, it might be preferable to configure this setting via a Host Profile.
1. Set the syslog server address on each ESXi host by browsing to Configure > Advanced System Settings > Edit.
2. Find Syslog.global.logHost and edit accordingly (udp://vCenterFQDN:514). For lab purposes, I've forwarded the Syslog data to my vCenter Server. Once complete, click OK.
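For a larger estate, the two steps above can be applied and audited from PowerCLI instead of the UI. The script below is an added example, not part of the original article; it assumes the VMware PowerCLI module is installed, and the vCenter name and target URL are placeholders.

```powershell
# Added example (not from the original article). Placeholders: $vCenter, $target.
$vCenter = 'vcenter.lab.example'        # placeholder vCenter FQDN
$target  = "udp://${vCenter}:514"       # same form as the value set in step 2

Connect-VIServer -Server $vCenter | Out-Null    # prompts for credentials

$report = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Disconnected or unresponsive hosts cannot be configured; record and move on.
    if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
        [pscustomobject]@{ Host = $vmhost.Name; Previous = $null
                           Current = $null; Action = 'Skipped (not reachable)' }
        continue
    }

    # Read the current target first so the report shows what was replaced.
    # Note: a host may already list several comma-separated targets here;
    # this script overwrites the whole value with $target.
    $setting  = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost'
    $previous = $setting.Value
    $action   = 'Unchanged'
    if ($previous -ne $target) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $target -Confirm:$false | Out-Null
        $action = 'Updated'
    }

    # Outbound syslog is blocked by the ESXi firewall unless this ruleset is enabled.
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog'
    if (-not $rule.Enabled) {
        Set-VMHostFirewallException -Exception $rule -Enabled $true | Out-Null
        $action += ', firewall ruleset enabled'
    }

    # Reload the syslog daemon so the new target takes effect immediately.
    (Get-EsxCli -VMHost $vmhost -V2).system.syslog.reload.Invoke() | Out-Null

    [pscustomobject]@{
        Host     = $vmhost.Name
        Previous = $previous
        Current  = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
        Action   = $action
    }
}

$report | Format-Table -AutoSize
Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Any host whose Current column does not match the intended target, or that shows as skipped, is one whose logs are not reaching the central collector.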
vRealize Log Insight – Installation and Configuration
1. First of all, you’ll need the VMware vRealize Log Insight virtual appliance, the OVA for which can be downloaded here.
23. Lastly, we’ll need to connect vRealize Log Insight to your vCenter Server instance. Simply browse to Administration > vSphere, and enter your vCenter Server hostname and suitable credentials. For testing purposes I’m using email@example.com; in a production scenario, however, it is recommended to use a service account. This service account will require the Host.Configuration.Change settings and Host.Configuration.Network configuration privileges in vSphere (to read more, click here). Once complete, test your connection and click SAVE.
In part 2 of this series we’ll take a deeper look into vRealize Log Insight with advanced configuration and integration with VMware NSX via the vRealize Log Insight Content Packs. We will also detail the work required to configure all NSX Distributed Logical Routers, Edge Service Gateways, NSX Controllers, and the NSX Manager to forward Syslog information.