vRealize Log Insight is a powerful log management and analytics tool, natively integrating with VMware products such as vRealize Automation, vRealize Operations, and vSphere, as well as providing a heterogeneous platform for third party products. By collecting logs at operating system, virtual machine, host, and vCenter level, as well as for third party products, Log Insight is able to compile dashboards and perform data analysis to help administrators troubleshoot quickly and effectively. To read more see the product page here. In this post we will install a new Log Insight appliance; additional appliances can also be added to scale out the solution.
- vRealize Log Insight can be licensed in packs of operating system instances, per CPU, or as part of vRealize and vCloud suites. A 60 day free trial can be obtained here.
- The licensing editions of vRealize Log Insight can be found on the product page here. Advanced features are included with NSX, vRealize suites, and vCloud suites.
- Versions 4.0, 4.3, and 4.5 of the Log Insight appliance can be deployed to vCenter Server and ESXi versions 5.5 – 6.5. Only versions 4.3 and 4.5 are compatible with vSphere 6.5 U1.
- For other VMware products check the Product Interoperability Matrixes here.
- Access over the following ports is required for syslog: 514 (TCP/UDP), 1514 (TCP SSL), and the following ports for API: 9000 (TCP), 9543 (TCP SSL).
- The virtual appliance comes pre-configured. When sizing the installation consider the following:
  - Extra small – 2 vCPU, 4 GB RAM, 132 GB disk (thick provisioned), VM hardware 7. Test or proof of concept, supports up to 20 ESXi hosts, 200 events per second, or 3 GB a day.
  - Small – 4 vCPU, 8 GB RAM, 510 GB disk (thick provisioned), VM hardware 7. Small production workloads, supports up to 200 ESXi hosts, 2000 events per second, or 30 GB a day.
  - Medium – 8 vCPU, 16 GB RAM, 510 GB disk (thick provisioned), VM hardware 7. Medium production workloads or Log Insight clusters, up to 500 ESXi hosts, 5000 events per second, or 75 GB a day.
  - Large – 16 vCPU, 32 GB RAM, 510 GB disk (thick provisioned), must be upgraded to VM hardware 8. Large production workloads or Log Insight clusters, supports up to 1500 ESXi hosts, 15000 events per second, or 225 GB a day.
- Review the vRealize Log Insight Release Notes: v4.0 | v4.3 | v4.5
- Download vRealize Log Insight: v4.0 | v4.3 | v4.5
- For more information visit the vRealize Log Insight Information Center: v4.0 | v4.3 | v4.5
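To confirm that firewalls between a log source and the appliance allow the TCP ports listed above, a pre-flight check like the following can be run from the source network once the appliance is powered on. It is an added example, not part of the original post or any VMware tooling; the host name `loginsight.example.com` is a placeholder and the function names are illustrative.

```python
import socket

# Ports from the requirements list above. 514/UDP is left out on purpose: UDP
# is connectionless, so a connect() probe cannot tell open from filtered.
LOG_INSIGHT_TCP_PORTS = {
    514: "syslog (TCP)",
    1514: "syslog (TCP SSL)",
    9000: "API (TCP)",
    9543: "API (TCP SSL)",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'error: ...' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"        # host reachable, nothing listening on the port
    except socket.timeout:
        return "filtered"       # no answer: typically a firewall dropping packets
    except OSError as exc:
        return f"error: {exc}"  # DNS failure, no route to host, etc.


def check_ports(host, ports=LOG_INSIGHT_TCP_PORTS, timeout=3.0):
    """Probe every port and return {port: (purpose, state)}."""
    return {p: (purpose, probe(host, p, timeout)) for p, purpose in ports.items()}


def blocked(results):
    """Ports that a log source or API client would fail to reach."""
    return sorted(p for p, (_, state) in results.items() if state != "open")


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the appliance IP or FQDN as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "loginsight.example.com"
    results = check_ports(host)
    for port, (purpose, state) in sorted(results.items()):
        print(f"{port:>5}  {purpose:<18} {state}")
    sys.exit(1 if blocked(results) else 0)
```

A "refused" result means the host answered but nothing is listening on that port, while "filtered" points at a firewall silently dropping the traffic.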
Download the required version of the VMware vRealize Log Insight virtual appliance. Log into the vSphere web client and right click the host or cluster where the appliance will be deployed, select Deploy OVF Template. Browse to the location of the downloaded OVA file and click Next. Review the template details and click Next.
Accept the license agreement and click Next.
Configure a name and location for the virtual appliance, click Next.
Select the appropriate deployment configuration and click Next. See above for sizing assistance.
Ideally the disk format should be changed to Thick Provisioned Eager Zeroed. Select the datastore to use and click Next. Select the network to use and click Next.
Enter the network settings for the virtual appliance. Expand Other properties and configure a root password. Once complete click Next. When adding DNS servers do not specify more than 2 DNS entries.
Review the summary page, tick Power on after deployment, and click Finish. The appliance console has a similar look and feel to ESXi. If you ever need to use the command line, log in with the root account. The password should be set during the OVA deployment; if you missed it, the root password is blank.
Open a web browser and connect to the IP address or FQDN of the newly deployed appliance. The setup wizard will autostart, click Next.
Click Start New Deployment.
Enter an email address and new password for the admin user, click Next.
Enter a license key and click Save and Continue.
Configure system notification settings and click Save and Continue.
Enter the NTP server(s) to use and click Test. If the test succeeds click Save and Continue.
Configure the SMTP server to use and click Save and Continue.
On the setup complete page click Finish.
The vRealize Log Insight appliance is now deployed and can begin collecting data. In this example we will be configuring vSphere Integration to automatically collect logs and events from vCenter Server and ESXi hosts. Click Configure vSphere Integration.
Enter the connection details of the vCenter Server. To configure only specific hosts to send logs to Log Insight click Advanced options. Test the connection and when you’re ready click Save.
Other administrative menus are located on the left hand side. The administration page can be accessed at any time by clicking the three line menu in the top right hand corner of the page.
You can also access the Content Pack Marketplace from this menu. Content packs can be added to collect data from other VMware and third party products.
To add a content pack select it and click Install.
For example to collect NSX logs and events we can install the NSX content pack.
With our Log Insight collecting data we can now flick through the various dashboards and available data. For more information on getting the most out of vRealize Log Insight, and a comprehensive user guide, see the Information Center: v4.0 | v4.3 | v4.5.