Senior Technical Account Manager

While helping out as a Cloud Management TAM SME for Log Insight, a popular question that comes up during customer engagements is, “We have Log Insight deployed, but what can we do with it?” Deploying the appliance and connecting it to an environment is the easy part. The hard part comes in knowing what to do with that flood of event data that’s now rushing in.

There are three main ‘quick and easy’ starter use cases that I would suggest a customer that is new to Log Insight begin with.

  1. The ‘Problems’ dashboard in the built-in vCenter content pack.
  2. Browsing the content pack marketplace and installing packs relevant to the customer’s environment.
  3. Creating some simple user alerts to address specific concerns in a customer’s environment.

These three easy to set up use cases will have your customer on their way to making sense of their logging data, and leveraging it to solve specific problems in their environment.

1. The ‘Problems’ Dashboard

Upon logging in to the Log Insight web interface, the user is presented with a list of standard content pack dashboards. The ‘VMware – vSphere’ dashboard is built into Log Insight, and does not need to be installed. If you expand out the vSphere dropdown, one of the dashboards listed is named ‘General – Problems’.

Selecting the dashboard will yield this screen:

Now, ideally, we would want this dashboard to show ‘No results’ for most of the widgets. Since very few production environments are completely problem free, the customer should immediately have some issues to chase down. This dashboard will show storage issues such as paths down, disconnects, and latency issues to name a few. There are also hardware events if a server is malfunctioning, as well as a host of triggerable alarms from vCenter HA and DRS events to storage and ESXi host issues.

If the customer wants some more detail, they can drill down on any of the dashboards or alerts with a click to get further details in the Interactive Analytics screen. Below is a drill down of the teal colored section of the pie chart above, ‘vmfs.heartbeat.timedout’.

From here the customer can start researching what the errors mean, if they are affecting the environment in any way, or if they need to open a ticket with VMware support for help.

2. The Content Pack Marketplace

Another very powerful use case for Log Insight are the free content packs provided in the Log Insight Marketplace. If your customer is ready to move beyond basic vSphere/ESX log analysis, they have access to a plethora of third party content packs. The screenshot below is just a small taste of the different content packs available.

Once a customer clicks on a content pack, installs it, and does any necessary post install configuration steps, they will have access to new dashboards and alerts on the Log Insight Dashboard page. The example below shows some of the dashboards and alarms created once the Linux content pack is installed.

If we then click on the ‘Security – Su / Sudo’ dashboard, we get a breakdown of successful and failed su and sudo attempts on any Linux machine with a Log Insight agent on it that is configured to collect audit events.

3. Custom Queries and Dashboards

Log Insight gives the customer the ability to create his own custom-tailored dashboards and alerts if none of the canned dashboards suit their needs. For example, my customer was noticing that DRS was disabled on some clusters when he was completing some post-migration vCenter checks one morning. He had asked me if there was a way we could find out who was disabling DRS during the night shift, and ask them why they weren’t turning it back on when they were done with their work. I asked him if he had Log Insight installed, and I got the typical response of “Yeah, I installed it a while back…but we don’t look at it.”

I thought this was the perfect opportunity to show him the value of the product that he paid for but wasn’t even using! We logged into Log Insight and did a simple search in the ‘Interactive Analytics’ query page for “DRS Disabled” for the past 24 hours. Sure enough, we came up with a result from the night before. Log Insight showed the log event of DRS being disabled on his cluster, as well as metadata for the domain user who disabled it. See screenshot below for an example from my home lab. The event shows that DRS was disabled on the ‘Lab’ cluster and that my local admin user was the one who did it.

My customer exported the data into a CSV file and emailed the contractor asking him to be more careful in the future when he disables critical components in the VMware environment. We didn’t stop there though. We wanted to make sure we would be alerted if it happened again so we tweaked it a bit and turned the query into an alarm which would email his team every time DRS was disabled on a cluster in their environment.

Now we had an alarm to alert the team, and Log Insight had proven its usefulness with just a few simple words searched in the query box. Now I am working with my customer to register all their ESX hosts with Log Insight so they can start to troubleshoot any potential issues that might be waiting in the wings on their ESX hosts as they start their migration to vSphere 6.0.

vRealize Log Insight is a powerful troubleshooting and root cause analysis tool that all customers with a valid vCenter 5.x or 6.x license have access to. Even with just the basic 25 OSI license that vCenter gives them access to, customers can learn the basics by collecting vCenter tasks and events, as well as some ESX events in a small environment. There is no limit to content pack installs in a ‘vCenter licensed’ Log Insight deployment, so they can start monitoring their NSX, VSAN, and 3rd party OS environments with a few clicks. I hope everyone finds this post useful in helping their customers realize the potential value of their new, or already existing, Log Insight deployment. I know after trying these simple scenarios, that any customer will be hooked and constantly looking for the next query to write or dashboard to build to gain greater and greater visibility into their environment!

Nico Guerrera is a Senior Technical Account Manager for VMware living in Connecticut. He started with VMware in 2016. He has been working with VMware products and software since he graduated college in 2005 and has obtained every VCP certification from VI 3.0 on to vSphere 6.5. He is also a member of the TAM Tech Lead team for Cloud Management.