In this article I will help you to set up your first source, vRealize Log Insight for vSphere integration. vRealize Log Insight can integrate with vSphere to automatically import events from vCenter server and logs from ESXi hosts.

If you missed the first articles in the series and are wondering what vRealize Log Insight is, check out this article.

The configuration is fairly simple. Log in to vRealize Log Insight, select Administration | Integration | vSphere.

LI-configmenu

vsphere-integration-2vsphere-integration-1

Don’t forget to check if you entered the right credentials with the ‘Test connection’ button. It will save you ripping the hair out of your head later on.

There are two checkboxes in this dialog: “Collect vCenter Server events, tasks, and alarms” and “Configure ESXi hosts to send logs to Log Insight”.

When enabling the first the vCenter Server’s events, tasks, and alarms will be sent to Log Insight and will show up as searchable events in Interactive Analytics. vCenter Server logs must be sent separately via a Log Insight agent. The integration requires credentials with Read-Only or System.View permissions depending on the vCenter Server version.

Enabling the “Configure ESXi hosts…” will configure the selected ESXi hosts to send their logs to Log Insight via syslog. If you already got another syslog target configured, don’t worry. Existing syslog targets on these hosts will not be removed. For the integration to work the user needs a minimum of “Host.Configuration.Change settings” and “Host.Configuration.Network configuration” permissions.

It is best practice to create a custom vCenter role with the necessary permissions. Use of an administrator account is, obviously, not recommended for security reasons for the integration with vCenter.

Under the ‘Configure ESXi hosts to send logs to Log Insight’ option you’ll find the advanced options where you can filter if all ESXi hosts need to be configured, or just a selection, as well as the Syslog protocol (UDP, TCP or SSL).

vsphere-advanced

If you want to add another vCenter, just click the plus button.

Dashboards

The vSphere integration comes with its own dashboard, just like most management packs for Log Insight. There are a dashboards, for general things, vCenter Server, vSphere, Storage and virtual machines.

A couple of dashboards/widgets:

  • General|Problems – by type, connectivity lost by component, physical hardware events, NFS problems, SCSI latency, various queries (core dump, APD, device offline, SCSI conflicts, HA events)
  • General|Performance – Slow SQL commands, DRS events, SCSI latency, VMware tasks
  • vSphere|DRS / HA – Failed vMotion operations, HA events, VMs failed over by HA, DRS imbalance
  •  All storage dashboardssecurity

Of course also the security and auditing dashboards are very interesting.  These widget shows you who are logging in to your server. In this case its the Log Insight server itself (192.168.1.78)

You can drill down to the exact message with the Interactive Analytics, just click on the hostname, username or source to get the popup for the Interactive Analytics.

events-security

If you suspect a breach you can click on the event_type and add it to the filter, or just to highlight it.

security-filter

Next time I will walk you through the installation of a Windows agent.