In my previous blog, I described how to configure log sources to forward logs to vRealize Log Insight Cloud. Once the logs are in, the next step is to start leveraging one of the most powerful features of vRealize Log Insight Cloud: content packs.
In this blog I will walk through:
- What is a content pack?
- Benefits of content pack
- Types of content pack
- How to use OOTB content pack
- How to create content and export a custom content pack
- How to import a custom content pack
What is a content pack?
It is a collection of the following objects that are relevant to a set of product/application logs:
- Extracted fields
Benefits of content pack
It provides the following benefits:
Types of content pack
There are 2 types of content packs:
These are OOTB content packs included in the vRealize Log Insight Cloud service. At the time of writing this blog, there are 122 public content packs in total.
These are custom content packs which any user can import into vRealize Log Insight Cloud. For example, I have published a simple one for OpenShift logs on the VMware Code platform, which can be downloaded and imported: https://developer.vmware.com/samples/7217/openshift_logs_v1.0.lint
How to use OOTB content pack
The first step is to enable the OOTB content pack.
Enable the content pack
Expand the main menu and click Content Packs. On the Public tab, click the toggle next to the title of the content pack to activate or deactivate it. The toggle is green when it is activated and gray when it is deactivated.
In our example we will be enabling the “AWS – Cloud services” content pack. This content pack provides event logs for many popular AWS services such as S3, SNS, SQS, Kibana, DynamoDB, RDS etc.
Visualize the Dashboard
Once it is enabled successfully, you will be able to see its Alerts, Dashboards and Queries. However, the alerts from the content pack are not enabled by default. You can enable the alerts on the Alert Definitions page.
Now you can visualize the data in the dashboards, for example the S3 Overview Dashboard. The following are some of the widgets of that dashboard:
- Total number of AWS CloudTrail S3 API calls
- AWS S3 API calls over time range
- AWS S3 events over all users
- Public IP addresses accessed over time
- AWS S3 events by buckets
If you want to analyze the logs in depth, you can view the actual log messages by clicking on the three dots and selecting View Log Query.
This will open the Explore Logs page, which will show the actual logs.
How to create content and export a custom content pack
Users can create private (user-defined) content such as Queries, Dashboards and Alerts, and export it as a JSON file. This file can be shared with other users. For example, I have published a simple content pack for OpenShift logs on the VMware Code platform, which can be downloaded and imported: https://developer.vmware.com/samples/7217/openshift_logs_v1.0.lint
Save a query
Expand the main menu and click Explore Logs. Enter a query and click the Search button to view the results. In the upper-right corner of the page, click the Save icon. In the pop-up window, enter a name and description for the query and click Save.
Expand the main menu and click Explore Logs. Enter a query and click the Search button to view the results. In the upper-right corner of the page, click the three dots icon and select Add to Dashboard. In the Add Widget to Dashboard pop-up window, enter the name, type, and description for the widget to add to the dashboard. Under the widget details, click New Dashboard. Enter a name for the dashboard and click Add.
Export custom content pack
Expand the main menu and click Content Packs. In the upper-right corner of the page, click Export Content. In the left section of the pop-up window, enter metadata for the content pack (Name, Namespace, Version). In the right section of the pop-up window, select the user-defined elements that you want to include in the content pack. Click Export and save the file to a location on your computer.
The exported file, with the extension .lint, is stored in the specified location. The contents of this file are JSON formatted.
How to import a custom content pack
If someone has shared with you a JSON file that includes custom (user-defined) content, you can import it into vRealize Log Insight Cloud and start using it.
Expand the main menu and click Content Packs. On the Private tab, click Import Content. In the pop-up window, select the import method. Select File. Browse for a content pack JSON file and click Open. Click Import.
If the content is imported as a content pack, then it will appear under the Private tab.
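Because an imported .lint file comes from another user, it is worth reviewing what it contains before clicking Import. The following is an added example, not code from this blog or from VMware: a schema-agnostic summary of a pack's top-level metadata, element counts and any URLs embedded in it. The sample pack and all of its key names are constructed and hypothetical, since the .lint schema is not shown here.

```python
import json
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample; the key names are hypothetical, not the real .lint schema.
SAMPLE_PACK = json.dumps({
    "name": "OpenShift Logs",
    "namespace": "com.example.openshift",
    "version": "1.0",
    "queries": [{"name": "Pod errors", "query": "text contains error"}],
    "alerts": [{"name": "Crash loop", "notify": "https://hooks.example.com/abc"}],
    "dashboards": [],
})


def walk(node, path=""):
    """Yield (path, value) for every scalar leaf in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    else:
        yield path, node


def summarize_pack(text, max_bytes=5_000_000):
    """Summarize a content pack file before it is imported."""
    if len(text.encode("utf-8")) > max_bytes:
        raise ValueError("file is larger than expected for a content pack")
    data = json.loads(text)  # raises ValueError if the file is not JSON
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object at the top level")
    summary = {"metadata": {}, "collections": {}, "urls": []}
    for key, value in data.items():
        if isinstance(value, list):
            summary["collections"][key] = len(value)  # e.g. queries, alerts
        elif isinstance(value, (str, int, float, bool)) or value is None:
            summary["metadata"][key] = value  # e.g. name, namespace, version
    for path, value in walk(data):
        if isinstance(value, str):
            summary["urls"] += [(path, url) for url in URL_RE.findall(value)]
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_pack(SAMPLE_PACK), indent=2))
```

To review a real file, pass its text to `summarize_pack` and compare the reported metadata, counts and URLs with what the sender said the pack contains.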
If you’re not already using vRealize Log Insight Cloud, check out our free 30 day trial. To learn more about how to use vRealize Log Insight Cloud, please check out