Log Insight Log Analytics

What’s new in vRealize Log Insight 8.0

vRealize Log Insight 8.0 is now available for download and includes a number of customer-requested features and enhancements. Log Insight is VMware’s on-premises log analytics tool which makes troubleshooting and basic security monitoring a breeze. If you’re not using Log Insight today, then head over to the product page and take advantage of the 60-day evaluation right now! Whether you’re a long-time user or brand new to the world of Log Insight, let’s cover the new features while you download the latest bits.

To begin, let’s address the new version number. The last version of vRealize Log Insight was 4.8. What happened to versions 5.x-7.x? Yes, this jump in version numbers may seem a little bit jarring. However, as vRealize Log Insight has been released in lockstep with the rest of the vRealize Suite for some time, it made sense for us to make the jump and match our version number with the rest of the suite. Since vRealize Operations and vRealize Automation are at version 8.0, vRealize Log Insight is now 8.0 as well. With that out of the way, let’s get on with the new and improved features!

Unlimited Exports

This first new feature on our tour is a big one! Previous versions of Log Insight limited users to exporting only 20,000 log messages at a time. 20,000 sounds like a large number, but in the world of logging, 20,000 log messages may account for only a few minutes or even seconds worth of log events. Log exports are often used to document the root cause of issues or even as a record of security incidents, and with this hard limit, multiple exports were sometimes required to capture a complete scenario. In vRealize Log Insight 8.0, I’m happy to announce that this limit is no longer a thing! Users can now export an UNLIMITED number of log events!

When you initiate an export, Log Insight will run a check to see how many log messages need to be exported. If the number is less than or equal to 20,000, then Log Insight will download the log messages via your browser just as it has in the past. If the number of log messages is greater than 20,000, then Log Insight will ask for an NFS path. Once that’s been provided, Log Insight will create an archive on that share. As you can imagine, exporting a large number of logs can take some time. That’s why large log exports are performed in the background, so you can continue to work while Log Insight handles the rest. A green status bar is provided at the top of your screen so you can keep an eye on the progress.

New OS

Log Insight 8.0 now runs on Photon OS 3.0! New deployments will come with Photon OS already installed, but what’s really cool is that upgrades from 4.8 will perform an in-place OS swap from SUSE to Photon! This means you don’t have to stand up a new cluster and migrate your old data. Instead, our team of brilliant engineers has figured out a way to reliably replace the OS in place with a single PAK file. Yes! This means that upgrades are just as easy as they have been in the past. This does, however, require you to be on Log Insight 4.8, so you may have to perform an incremental upgrade if you’re running an older version. If this sounds like a risky maneuver, rest assured that it’s actually quite safe.

The image above shows the before and after of a vRealize Log Insight instance as it gets upgraded from 4.8 to 8.0. Simply put, the existing SLES partition includes enough free space to accommodate Photon OS without impacting its ability to run. During the upgrade procedure, the SLES partition is shrunk and a new partition is created. Photon OS 3.0 then gets installed in this new partition and is added to the appliance’s boot loader as the new default OS. And because Photon is such a lightweight OS, there’s no need to remove SUSE, so you can take comfort in knowing you can roll back instantly should you need to. As you can see, the appliance’s data and logs remain untouched throughout this process. If this process sounds familiar to you, that’s because it is very similar to how ESXi handles upgrades.

New Audit Capabilities

For many organizations, logs and log analytics tools are sacred ground. Not only are they a potential bonanza of information for wrongdoers, but they’re also trusted to provide accurate information. How often do you go back and validate that the queries behind your custom dashboard widgets haven’t been tampered with? It’s not a common practice for most of us. vRealize Log Insight 8.0 puts these concerns to rest with new audit logging capabilities. Activities such as users logging in and out, failed logins, content pack management, modification of dashboard widgets, configuration changes, and more are all recorded in the audit logs. These logs can be pulled as part of the support bundle and reviewed at any time.

Agent Updates

The vRealize Log Insight Agent is a useful tool for pulling logs from applications and OSes that lack built-in Syslog features. The agent is available in Linux and Windows flavors and now includes support for Photon OS 3.0, Ubuntu 18.04, and Windows Server 2019. But that’s not all! The vRealize Log Insight Agent is going open source! Keep an eye out for an upcoming blog post once the agent’s source is available on GitHub.

IMPORTANT: As a result of the vRealize Log Insight Agent going open source, the agent and importer’s download locations have changed. You can now find them under Drivers & Tools inside the VMware vRealize Log Insight 8.0.0 Tools SDK.

Content Pack Updates

Many content packs have been improved in this release as well. As VMware releases updates to its products, the logging capabilities of these products improve as well, and Log Insight is there to capture it all! The vSphere, vSAN, and NSX-T content packs have all been improved to provide visibility into storage policy modifications, failed login attempts, NSX backup failures, service disruptions, and a lot more! An updated Linux Content Pack is also available which includes visibility for changed passwords, telnet connections, file system mounts, and failed login attempts, as well as new dashboards. There are a lot of great improvements to these content packs and I haven’t even come close to listing them all. Of course, vRealize Log Insight 8.0 is backward compatible, so you can continue to use your existing favorite content packs!

As you can see, our engineers have been hard at work on this new release of vRealize Log Insight. I’ve only highlighted a few of the new features here, but you can check out the release notes for a complete list. And as always, visit the vRealize Log Insight product page for all the latest and greatest!