Credit to NICO GUERRERA for blog content (Bio Below)!
vRealize Log Insight 1.0 was released for general availability in 2013, and since then it has steadily grown in features, scale, and customer adoption. I have worked with customers who have deployed up to sixty nodes of Log Insight across multiple clusters and datacenters, ingesting hundreds of thousands of events per second. While a deployment of that scale is great for simplifying troubleshooting and alerting, and for performing root cause analysis by aggregating and forwarding events to a few centralized repositories, it can also become a logistical headache. vRealize Log Insight, like any software, has configuration limits. Many customers might only need one or two vRLI clusters to cover their whole environment, but as in the example above, a customer with sixty vRLI nodes will have to manage multiple hostnames, URLs, credentials, alerts and queries. Nobody wants to keep notes or constantly remember which vRLI instance they need to log into to check on a certain set of hosts, or to maintain a massive runbook to remind users which dashboards, alerts and content packs to build and maintain in which vRLI instances.
This is where VMware’s latest SaaS offering comes to the rescue. VMware Log Intelligence is a cloud-based log aggregation and alerting tool that has the potential to scale out to meet the extremely high ingestion and querying demands of large enterprise environments. Since it is a single-portal SaaS offering, Log Intelligence eliminates the need to keep track of wikis and documentation on which vRLI instances are connected to which vCenter, which events each one collects, or where the dashboards and content packs you need to check on a regular basis for a given environment live. We can forward all our events from our vRLI clusters to Log Intelligence, and have a single portal to log into and work from.
Forwarding from vRLI to VMware Log Intelligence
Forwarding events from vRLI to Log Intelligence is as simple as deploying a cloud services data collector OVA in vCenter and then setting up a new event forwarding destination in Log Insight. After we deploy the Log Intelligence collector in our environment and verify that it is active in the ‘Data Collector’ tab in Log Intelligence, we can start forwarding our events from vRLI.
We create a new event forwarding destination in vRLI, as shown above, and send all our events to our Log Intelligence data collector, which will in turn send the events over the WAN to our Log Intelligence cloud instance. I chose to add a custom tag to show which datacenter these events are coming from, for organizational purposes. If the connection test is successful, we can save the new destination, and it will immediately begin sending our events to Log Intelligence.
Once events start forwarding to Log Intelligence, we can query and create alerts and dashboards just like in Log Insight. The advantage is that we can do all of our querying and configuration in a single user interface, instead of having to move back and forth between vRLI instances.
Consolidating Events in VMware Log Intelligence
With all our events going to Log Intelligence, we can start to build dashboards, saved queries, and alerts in one single pane of glass. If you are already familiar with how to build items in vRLI, building dashboards and queries in Log Intelligence should be a piece of cake.
Above we have a simple dashboard built in vRLI to show us when someone disables DRS in our monitored vCenter instances. All we had to do to create this dashboard was run a query for ‘Disabled DRS’ in our interactive analytics screen, and then choose to save it as a dashboard.
We can follow nearly the same process in Log Intelligence, and create useful dashboards, such as this one, to monitor when DRS has been disabled and see if there are any trends over time (e.g. at night when contractors are working, or during certain maintenance windows). Having the dashboard in Log Intelligence lets us monitor an entire large-scale virtual environment without the added hassle of logging into multiple vRLI portals and building, configuring, and checking numerous alerts and dashboards. Another added benefit of the SaaS model is that admins can spend less time worrying about the underlying hardware, virtual machines, and storage for vRLI and spend more time getting to the root of issues across their environment via the one thing that matters most in a logging tool…the logs!
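The time-of-day trend this dashboard is meant to surface can also be computed offline from exported events. The script below is an added example, not code from the original post or from VMware: the log line layout, the `datacenter=` tag name, the sample events and the 08:00-18:00 business-hours window are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample events (not real logs). Assumed layout: ISO timestamp,
# the custom datacenter tag added at the forwarding destination, message text.
SAMPLE_EVENTS = """\
2024-03-04T02:14:09 datacenter=dc-east Disabled DRS on cluster prod-01
2024-03-04T10:31:55 datacenter=dc-east Enabled DRS on cluster prod-01
2024-03-05T23:47:12 datacenter=dc-west Disabled DRS on cluster vdi-02
2024-03-06T14:05:40 datacenter=dc-west Disabled DRS on cluster vdi-02
2024-03-07T01:03:27 datacenter=dc-east Disabled DRS on cluster prod-03
not a parseable line
"""

# Same match as the 'Disabled DRS' query used for the dashboard.
LINE_RE = re.compile(r"^(\S+)\s+datacenter=(\S+)\s+(.*Disabled DRS.*)$")

def parse_drs_disabled(text):
    """Return (timestamp, datacenter, message) for each 'Disabled DRS' event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other events and malformed lines are skipped
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # timestamp field present but not ISO 8601
        events.append((ts, m.group(2), m.group(3)))
    return events

def is_off_hours(ts, start=time(8, 0), end=time(18, 0)):
    """True when the event falls outside the assumed business-hours window."""
    return not (start <= ts.time() < end)

def summarize(text):
    """Count events per hour of day, and off-hours events per datacenter tag."""
    events = parse_drs_disabled(text)
    by_hour = Counter(ts.hour for ts, _, _ in events)
    off_hours = Counter(dc for ts, dc, _ in events if is_off_hours(ts))
    return by_hour, off_hours

if __name__ == "__main__":
    by_hour, off_hours = summarize(SAMPLE_EVENTS)
    for hour in sorted(by_hour):
        print(f"{hour:02d}:00  {'#' * by_hour[hour]}")
    for dc, n in off_hours.most_common():
        print(f"{dc}: {n} DRS disable event(s) outside 08:00-18:00")
```

Grouping the off-hours count by the datacenter tag is what makes the custom tag set at the forwarding destination useful once events from several vRLI clusters land in one place.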
I would like to reiterate that this architecture isn’t meant for every customer in every environment. If you are currently able to collect all logs and events in your environment via a single vRealize Log Insight cluster, and you don’t need to dig around in multiple vRLI instances to troubleshoot and get a clear picture during a root cause analysis…this might not be for you. If you can work in a single vRLI cluster but don’t have a coherent disaster recovery scenario for your production cluster, or if you don’t even have a DR location to build a second cluster, VMware Log Intelligence can certainly be used as a secondary location for all your production logs and events without the hassle of building out an environment to forward them to. Finally, if you are a global or enterprise customer with multiple vRLI clusters across multiple environments, VMware Log Intelligence can help take some of the burden out of things like having to track which vRLI clusters are connected to which environments, remembering which cluster you need to log in to when you start troubleshooting issues with an environment, and trying to keep track of which dashboards and queries are built into which vRLI instances. Simplification is key in any well-architected environment, and by using vRLI and VMware Log Intelligence together we can make the onerous process of troubleshooting in that sixty-node vRLI environment as simple and transparent as having a single cluster with a single hostname to access, so that the critical process of troubleshooting can start as soon as the alerts hit your inbox.
Senior Technical Account Manager
Nico Guerrera is a Senior Technical Account Manager for VMware living in Connecticut. He started with VMware in 2016. He has been working with VMware products and software since he graduated college in 2005 and has obtained every VCP certification from VI 3.0 on to vSphere 6.5. He is also a member of the TAM Tech Lead team for Cloud Management.