As infrastructure grows and the number of components (both physical and virtual) increases, so does the demand for accountability and availability of those components. Whenever there is an incident and a customer logs a case with a vendor support team, the first thing the team asks for is logs. As the number of software components grows, keeping track of their various logs becomes even more challenging.
One common answer I hear from customers is that they have set up a SYSLOG server. To be honest, ask yourself: how many times have you logged in to your syslog server? I have seen cases where customers configured a SYSLOG server and forgot about it, and then one odd day, when they got stuck on some issue, they started exploring their syslog server for relevant logs. So the bottom line is that logs are very important for any infrastructure, and maintaining them is equally important and challenging.
VMware caters to this need with its vRealize Log Insight (aka vRLI) product. It not only stores various logs but also structures them so that administrators can easily view, analyze and share them with their peers. vRLI comes in the form of Windows .msi, Linux .rpm or a standalone .ova appliance. The latest release is vRLI 4.3.2; see the Download and Release Notes pages for the product. The beauty of this product is that it integrates seamlessly with vSphere or the vRealize Operations Manager platform to display results in an interactive dashboard. Please check the vRLI Install & Configure demonstration and the vRLI sizing documentation to identify the correct sizing for your environment.
Customers have the option to configure an Extra Small, Small, Medium or Large deployment based on the EPS (Events per Second) in their environment. It is very important to size the appliance correctly, taking future growth into account; otherwise administrators may end up spending their productive time fixing issues with the management solution rather than doing day-2 tasks.
Once the solution is configured, the user lands on the page shown below at first login. Let's understand the various components of vRLI available on this page:
- This is the address pane, where the vRLI IP address or FQDN is entered. If vRLI is configured as a cluster, its VIP (Virtual IP) is accessed instead of an individual node's IP address. Configuring a new node is similar to deploying a new vRLI vApp into the environment; the only change is that instead of selecting 'Start New Deployment' the customer selects 'Join Existing Deployment', and the rest of the process remains the same.
- There are two types of dashboard available to the customer. The one in the screenshot above is 'Interactive Analytics', which shows holistic event information coming from the various ESXi hosts or the vCenter Server.
- The information on this dashboard can be presented in various formats. It is currently shown as Events; other available options include Field Table, Event Types, Event Trends, etc.
- This is the query bar, where one can create a custom query to search for a specific event or select from the available queries to get the desired results. The same query bar also lets you select how far back to search, starting from 5 minutes up to the desired time frame. I will share an example of this later in this blog.
- From this drop-down one can select the time frame of events, where 1 bar = 10 seconds. Administrators can customize this from 1 second up to the desired time frame to get the interactive view they need.
Now that we are familiar with the various custom options available on the dashboard, let's search for a log with it and see how it helps us find a particular log event.
As an example, say I want to search for all ESXi events from the past 48 hours where the text contains Error.
Here we have the result of the query we just created. Imagine how difficult this would have been if I had to find similar events on a SYSLOG server or in a vCenter log bundle. The output is also presented in a nice graphical format, which makes it even easier to see when each event occurred. This is just one example of a custom query; the queries customers can create to get the output they want depend only on their requirements and imagination.
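For comparison, here is roughly what that search involves when done by hand against raw syslog text. This is an added example, not part of the original post and not vRLI code; the RFC 5424-style sample lines, the `esxi` hostname prefix and the case-insensitive match are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed RFC 5424-style sample lines; hostnames and messages are made up.
SAMPLE = """\
<163>1 2016-12-30T09:15:02Z esxi01.lab.example vmkernel - - - NMP: error on path vmhba1
<166>1 2016-12-31T22:40:11Z esxi02.lab.example hostd - - - Task completed successfully
<163>1 2016-12-31T22:40:17Z esxi02.lab.example vpxa - - - Error: failed to connect to host
<163>1 2016-12-31T22:40:19Z esxi01.lab.example hostd - - - ERROR opening datastore
<163>1 2017-01-01T08:00:00Z vcenter.lab.example vpxd - - - Error in session validation
<163>1 2016-12-28T08:00:00Z esxi01.lab.example vmkernel - - - error: outside the window
this line is not syslog at all
""".splitlines()

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE = re.compile(r"^<\d+>1 (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\S+) (\S+) \S+ \S+ \S+ (.*)$")

def parse(line):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m.group(2),
            "app": m.group(3), "text": m.group(4)}

def search(lines, now, hours=48, needle="error", host_prefix="esxi", bar_seconds=10):
    """Filter events like the query above and count hits per chart bar."""
    start = now - timedelta(hours=hours)
    hits, bars = [], Counter()
    for ev in filter(None, map(parse, lines)):
        if not ev["host"].startswith(host_prefix):
            continue  # assumption: ESXi hosts are identified by hostname prefix
        if not start <= ev["ts"] <= now:
            continue  # outside the 48-hour window
        if needle not in ev["text"].lower():
            continue  # assumption: the text match is case-insensitive
        hits.append(ev)
        epoch = int(ev["ts"].timestamp())
        bars[epoch - epoch % bar_seconds] += 1  # 1 bar = 10 seconds
    return hits, bars

if __name__ == "__main__":
    now = datetime(2017, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed "current" time
    hits, bars = search(SAMPLE, now)
    print(len(hits), "matching events in", len(bars), "bars")
```

Note that the result depends entirely on the timestamps being comparable across hosts, which is why the appliance and its sources need a common time source.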
There are two more options in the top-right corner of the screenshot: Snapshot and Add to Dashboard. Taking a snapshot creates an image of this result that can be used as a reference at any point in the future. If the customer wants to run this custom query frequently in their environment, they can add it to a dashboard using the Add to Dashboard wizard so that the process does not have to be repeated every time.
On the Interactive dashboard the customer also gets the Create Alert from Query option, which means that if they want an alert to be triggered when a specific condition is true, they can do so by creating their own alert.
After selecting the Create Alert from Query option, the screen shown below appears. The customer fills in the relevant information, and every time the condition is satisfied they are alerted by email.
Another good option on the Interactive Dashboard is exporting events or charts to .csv, but the more useful option is the ability to Share Query. Consider the example above, where I collected some logs based on the query I wrote. If I have to share the same dashboard with a peer, this option lets me share it as a URL, which any admin (who has access to vRLI) can run under their own login to get the same view I selected. This saves a lot of time when sharing a result among peers.
So far we have discussed various use cases of vRLI in this post, but it doesn't stop there. Now let's explore the Dashboard option (selected below). This is where the customer can select any type of event from all the available/configured solutions in their infrastructure. Currently I have selected the VMware-vSphere suite, and listed are the available dashboards built from the collected logs, grouped by event type.
For demonstration purposes I have selected the VMware-vSphere General-Overview event trend for a custom time frame, i.e. 01-Nov-2016 to 31-12-2016. Clicking any of the charts takes you to deeper insights into that event.
Apart from managing logs, vRLI captures its own health, which can be accessed from its Admin page by selecting the System Monitor option. It shows the current resource utilization of the vRLI appliance, and if there are performance issues this is the best landing page for understanding the resource consumption of this vApp. The customer can also identify the EPS from the Statistics tab.
Here is the option to configure Cluster functionality for vRLI. If the customer has multiple vRLI nodes, they appear here, and a VIP (Virtual IP) can be created to access them. Cluster upgrade activities and downloading a log bundle can also be performed from this page.
Since vRLI integrates seamlessly with vSphere / vROps, the customer can provide vSphere or vROps credentials on this page and configure the integration. This allows logs from both of these solutions to be stored and presented directly on the vRLI dashboard. For other solutions in place, VMware provides various Content Packs, which can be configured in vRLI to store their logs.
Under General configuration the customer can provide the email ID or DL of the group that should be alerted in case of any event. They can also configure the retention policy, where the administrator is alerted when disk usage of the vRLI vApp is hitting the threshold, along with the browser timeout value.
Time plays a crucial role when troubleshooting any log bundle, so it is equally important to configure the correct time on the vRLI appliance. Best practice is to point vRLI to the organizational NTP server, but if customers don't have a centralized NTP server they can point it to a global NTP server or to ESXi host time as well.
Here the customer can configure the SMTP server information that vRLI will use to send email alerts. Most settings remain at their defaults, except the FQDN of the SMTP server.
This was an overview of this wonderful product, but the best thing I would suggest is to deploy it in your environment and get your hands dirty with it. I'm sure administrators will love this product because it not only saves a lot of productive time but also gives insight into the problem so they can dig deep.
With this I end this blog. I hope it helps. Till then, happy reading.
Please visit my blog vrealize for more blog posts.