
vCNS Content Pack for Log Insight Now Available!

I am happy to announce that a new content pack covering VMware’s vCloud Networking and Security (vCNS) product is now available. This content pack provides analysis for both vShield Manager as well as vShield Edge, and makes troubleshooting, root cause analysis, auditing and security simple and easy. In this blog post, I will discuss what the content pack offers and how it can be leveraged.

Proactive Monitoring of Your vCloud Networking and Security (vCNS) Devices

Quickly Identify Issues

When managing networking and security devices, it is critical to understand what changes were made by whom, when and if anything went wrong. The vCNS content pack makes it easy to answer these questions through dashboards such as General – Problems.

Easily Consume Data

vRealize Log Insight makes it easy to display information in different ways. Generic widgets have been created to determine the health and status of your vCNS devices. You can drill down within a particular dashboard by using pre-specified dashboard filters. In addition, you can manipulate widgets to display information in different ways. For example, let’s look at the vCNS Load Balancer dashboard from vShield Manager. In the bottom right corner, you will see a pie chart of load balancer events grouped by event.

Let’s manipulate the visual representation by selecting the magnifying glass on that widget which will bring us to the Interactive Analytics page.

As you can see, the results indicate that a wrong state and a down state have occurred on more than one occasion. Both of these states could indicate a potential problem we need to investigate. In addition, we have results that indicate an up state, which is the state we would expect. The question becomes: what is the current state? To determine this, let’s select the grouped by vmw_vsm_system_lb_event drop-down and then select the time series radio button.

As you can see, the most recent state events indicate an up state. While this is good, we are looking at state events for all defined virtual servers on the system, so we still do not know whether all virtual servers are in an up state or only some of them. Let’s now select the over time grouped by vmw_vsm_system_lb_event drop-down and this time select non time series, grouped by vmw_vsm_system_lb_virtualserver and vmw_vsm_system_lb_event.

As we can see, the up state count matches the down state count for every virtual server, indicating that all virtual servers are currently online. We have now confirmed that our virtual servers are healthy.
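
To make the per-virtual-server check above concrete, here is an added Python example (not part of the original post or of the content pack) that runs the same two aggregations over constructed load balancer event lines: the line format and the virtual server names are assumptions, and only the two field names (vmw_vsm_system_lb_event, vmw_vsm_system_lb_virtualserver) come from the content pack.

```python
import re
from collections import Counter

# Constructed sample events. The real vShield Manager syslog layout is NOT
# reproduced here; the format is an assumption used only to carry the two
# extracted fields the content pack defines.
SAMPLE_LOG = """\
2015-03-10T10:00:01Z vsm lb: virtualserver=vs-web event=up
2015-03-10T10:05:12Z vsm lb: virtualserver=vs-api event=up
2015-03-10T10:20:33Z vsm lb: virtualserver=vs-api event=down
2015-03-10T10:30:02Z vsm lb: virtualserver=vs-web event=down
2015-03-10T10:31:15Z vsm lb: virtualserver=vs-web event=wrong
2015-03-10T10:35:45Z vsm lb: virtualserver=vs-web event=up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*virtualserver=(?P<vs>\S+) event=(?P<event>\S+)$"
)


def parse_events(text):
    """Extract (timestamp, vmw_vsm_system_lb_virtualserver, vmw_vsm_system_lb_event)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["vs"], m["event"]))
    return events


def count_by_event(events):
    """Equivalent of the pie chart grouped by vmw_vsm_system_lb_event."""
    return Counter(event for _, _, event in events)


def last_event_overall(events):
    """The system-wide time series view: the most recent event of any server."""
    return max(events)[2] if events else None


def current_state(events):
    """Latest event per virtual server (ISO-8601 timestamps sort lexically)."""
    latest = {}
    for _, vs, event in sorted(events):
        latest[vs] = event
    return latest


def unhealthy(events):
    """Virtual servers whose most recent state is anything other than 'up'."""
    return sorted(vs for vs, event in current_state(events).items() if event != "up")
```

With this sample the system-wide view ends on an up event while vs-api is still down, which is exactly why the grouping by virtual server is the step that confirms health.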

Alerts

The vCNS content pack comes with built-in alerts to ensure you are notified if issues arise. Be sure to enable these alerts!

Track Changes and Isolate Security Threats

As mentioned earlier, knowing what changes were made, by whom, when, and whether anything went wrong is critical. In addition to the General – Problems dashboard, the General – Security and the Manager – Audit / System dashboards make it possible to perform system auditing.

Deep Knowledge and Insight

Defined Extracted Fields

In the vCNS content pack, applicable fields have been extracted with detailed descriptions making it easy to comprehend what a field means.

Firewalls

When managing devices such as firewalls and load balancers, it is critical to understand when anomalies occur and it is critical to ensure that configurations are correct. Let’s see how the vCNS content pack assists with this by looking at the Edge – Firewall dashboard.

As you can see in the vShield Edge events over time by status widget, it is very clear when a spike or dip in events is seen. I was able to simulate how this might appear in a real environment by switching the default rule on the Edge firewall from Deny to Allow and then back again.

Below the top widget are three pie charts which indicate dropped events by source, destination and protocol. These charts make it trivial to validate that destinations and protocols are properly being dropped. In my environment, I only want Log Insight ingestion API traffic, which is over port 9000, and with these charts, I can quickly see that traffic that should be allowed is being dropped.

Summary

The vCNS content pack for Log Insight provides detailed information about vShield Manager and vShield Edge devices. Fields have been extracted from events with detailed descriptions and applied to complex queries to provide easy-to-understand visualizations of events. The content pack covers many areas of the vCNS product, including auditing, configuration, security, firewall and load balancing. Like all content packs, the vCNS content pack is freely available on VMware Solution Exchange and in the in-product Log Insight marketplace if you are running Log Insight 2.5 or newer.

Note: There is some overlap between the VMware – vCNS content pack and the VMware – NSX-v content pack as both leverage vShield components. The two content packs provide information in different ways and both should be leveraged when analyzing vShield events.