Monday, July 28, 2014

VMware vCenter Log Insight Series Part2 - Installation and Configuration

In this second post about VMware vCenter Log Insight I will explain how to deploy it and perform the initial setup and configuration.
First of all, bookmark the VMware vCenter Log Insight documentation.

Log Insight installation is a straightforward process. Download the OVA file and deploy it in the usual way.
During deployment you will be prompted to choose a deployment size. As discussed in the previous article, deployment size determines how much data Log Insight can ingest in a given amount of time, which directly drives the number of CPUs and the amount of RAM required to support the workload. Note that the Extra Small configuration is not supported in production and is suited to demonstrations only.

Configure the IP address, subnet mask, gateway, DNS and appliance root password.

Before continuing, let's take a brief look at how Log Insight stores data. Once the OVF has been deployed, if you edit the Log Insight virtual machine you will see something similar to this:

Three hard disks are used to store operating system data, application logs and, finally, the logs and indexes received by Log Insight. By default, if the Small configuration is used, application logs and data are stored on an LVM-formatted 120GB disk.

/storage/core is where logs and indexes are stored. This volume can be increased by simply editing the virtual appliance hard disk size. When Log Insight is powered back on, the LVM volume is automatically expanded to reflect the new size.

Once Log Insight has booted completely, point a web browser at it to perform the initial configuration.

Here you can choose either to start a new deployment or to join an existing one. The latter option is used when adding worker nodes to an existing Log Insight cluster; we will look at this in detail in another post, so for now I choose the former.

Insert admin credentials.

Insert the license key. You can skip this step for now and insert the license later, but a valid license key must be inserted in order to access collected logs and analytics.

Time configuration is an optional step, but I suggest configuring it properly, since accurate timestamps can be a lifesaver in log analysis.

SMTP is used by Log Insight to send alerts via email.

When setup is complete you will be redirected to the main page of VMware vCenter Log Insight.

To get log data from vCenter Server and the ESXi hosts connected to it, go to Administration -> vSphere, fill in the fields pointing to your vCenter Server, then check both options on this page. This will automatically retrieve logs from vCenter and configure the ESXi hosts to send logs to this instance of Log Insight.

NOTE: To check whether an ESXi host is sending logs to Log Insight, connect to it via SSH and run:

 esxcli system syslog config get  

To manually configure an ESXi host to send logs to Log Insight or to a generic syslog server, run the following command:

 esxcli system syslog config set --loghost='udp://<IP_OF_LOGINSIGHT>:514'
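
A scripted version of the check in the note above, as an added example that is not part of the original post: it reads the output of `esxcli system syslog config get` and reports whether the expected Log Insight address is among the configured loghosts, and over which transport. The function name, the sample output and the 192.0.2.10 address are constructed for illustration, and the parser assumes the output carries a `Remote Host:` line with IPv4 addresses or hostnames.

```shell
#!/bin/sh
# Classify the "Remote Host" setting reported by `esxcli system syslog config get`.
# On a host:  esxcli system syslog config get | loghost_status <LOGINSIGHT_IP>
# Prints (and returns):
#   ok <transport>   expected loghost is configured (udp, tcp or ssl)   -> 0
#   missing          no remote loghost is configured                    -> 1
#   mismatch         loghosts are configured, none is the expected one  -> 2
loghost_status() {
    expected="$1"
    # Keep only the value of the "Remote Host:" line, with blanks removed.
    hosts=$(sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p' | tr -d ' \t\r')
    case "$hosts" in
        ""|"<none>") echo "missing"; return 1 ;;
    esac
    # Several loghosts may be configured as a comma-separated list.
    old_ifs=$IFS; IFS=,
    set -- $hosts
    IFS=$old_ifs
    for entry in "$@"; do
        case "$entry" in
            *://*) proto=${entry%%://*}; rest=${entry#*://} ;;
            *)     proto=udp; rest=$entry ;;   # bare host: syslog default is UDP
        esac
        host=${rest%%:*}                        # drop the optional :port
        if [ "$host" = "$expected" ]; then
            echo "ok $proto"
            return 0
        fi
    done
    echo "mismatch"
    return 2
}

# Constructed sample output (not captured from a real host).
SAMPLE_CONFIG='   Default Rotation Size: 1024
   Default Rotations: 8
   Log Output: /scratch/log
   Log To Unique Subdirectory: false
   Remote Host: udp://192.0.2.10:514'

printf '%s\n' "$SAMPLE_CONFIG" | loghost_status 192.0.2.10
```

The transport is reported because `udp://` syslog is sent unauthenticated and in clear text; the `--loghost` option also accepts `tcp://` and `ssl://` URLs.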

That's all for now. In the next article we will start using vCenter Log Insight to analyze logs.

Other articles in this series:
VMware vCenter Log Insight Series Part1 - Introduction
VMware vCenter Log Insight Series Part2 - Installation and Configuration
VMware vCenter Log Insight Series Part3 - Collecting Logs 
VMware vCenter Log Insight Series Part4 - Creating Analytics

Thursday, July 24, 2014

VMware vCenter Log Insight Series Part1 - Introduction

It has been a while since my last post, so I decided to write some new content about my latest work. Recently I've been working intensively with VMware vCenter Log Insight 2.0 and I have to admit that it is a really valuable tool, so I decided to start a short series of posts about Log Insight.

In this first post I'll give you a brief introduction to this great piece of software.

Log Insight is an analytics tool that acts as a centralized log server and is deployed in a VMware environment as a virtual appliance. The cool aspect of Log Insight is that it supports the collection of logs from VMware infrastructure (e.g. ESXi hosts), from physical infrastructure (e.g. physical servers, physical switches, etc.) and from applications (e.g. the guest operating systems of virtual/physical machines).

Log Insight provides an easy-to-use interface to analyze, search, and aggregate information from logs. It supports complex real-time queries against massive log datasets, all accessible from a web browser.

Log Insight use cases are:

- Identify issues during troubleshooting.
- Gain visibility across all infrastructure, both physical and virtual, from a single log collection point.

Log Insight can be deployed following two reference architectures:

1) Centralized Log Management: every log is sent directly to Log Insight. This is best suited to small and medium-sized environments.

2) Hub-Spoke: this is usually adopted in larger environments, even geographically dispersed ones, where all logs are first sent to a syslog collector and only later offloaded from the syslog collector to VMware Log Insight.

Log Insight itself is designed to scale up and out. Scale-up is provided by supporting a size increase of the virtual appliance partition used for storing logs. Scale-out is achieved through native cluster support. Log Insight supports up to six clustered nodes to provide greater throughput and greater availability. The cluster has one master node and up to five slaves, referred to as worker nodes.

During the installation of Log Insight you will be prompted to select the appliance size. Depending on the size of the infrastructure you are going to monitor, you can choose a deployment size from Small to Large.

A Small deployment requires 4 CPUs and 8GB of RAM and supports the processing of up to 3GB of log files per day (with an average of 200 log entries per second). A Large deployment supports up to 113GB of log files per day with an average of 7500 log entries per second. It also requires 16 CPUs and 32GB of RAM.

That's all for this first post. In the upcoming articles I will guide you through installation and initial setup, configuration and the creation of analytics.

Other articles in this series:
VMware vCenter Log Insight Series Part1 - Introduction
VMware vCenter Log Insight Series Part2 - Installation and Configuration 
VMware vCenter Log Insight Series Part3 - Collecting Logs  
VMware vCenter Log Insight Series Part4 - Creating Analytics