vSAN customers who use vRealize Log Insight will be interested to know that a new Log Insight content pack for vSAN was released this week. Version 2.1 of the vSAN content pack introduces some changes that are worth noting for environments that rely on Log Insight's dashboard and alerting capabilities.
For those unfamiliar to Log Insight, this log aggregation and analytics solution presents an easy to use UI that allows for predefined queries of events and errors that are presented in widgets across ready-made dashboards, or even to other applications. This can be vSAN specific log events, or as this demonstration shows, a blend of vSAN and non-vSAN events for better root cause analysis. Content packs are the method of extending its intelligence to a given application or component in the data center. Once a content pack is installed, the administrator will have these solution-specific, prebuilt dashboards available for immediate use.
Why the updates?
As solutions like vSAN evolve and introduce more capabilities to the data center, their log events evolve as well. Solutions rely heavily on the query definitions found in these Log Insight content packs to report events accurately. As vSAN has advanced, the underlying queries needed to be updated to ensure the accuracy of all types of event activity.
It was also important to optimize the queries to reduce false positives that might suggest an error, but was nothing more than a benign event. This is one of the benefits with multiple engineering teams working closely together. No one understands the underlying event log data from vSAN better than VMware. It is Log Insight that passes this knowledge onto the user.
What has changed?
Two of the congestion dashboard widgets have been adjusted. The "Maximum memory congestion reached" and "Maximum SSD congestion reached" widgets have been adjusted so that the threshold aligns with the alert condition found in the vSAN health service in vCenter.
The associated alerts related the memory and SSD congestions have also been adjusted to ensure consistency. Alert queries can sometimes go unnoticed, as they can be created or managed from the "Interactive Analytics" view in Log Insight. Figure 1 shows where you can find this listing, and enable or disable the alerts as desired.
Figure 1. Listing of existing alert definitions in Log Insight
The update also removes two alerts found in previous editions of the content pack. These were the alerts for "Operations took too long" and "Object component state changes - Absent." In past editions of the content pack, normal operations of vSAN such as hosts entering maintenance mode may have generated events that were a part of these alert queries and would have falsely reported conditions that needed attention. These alerts were removed to eliminate confusion for the administrator.
Updating the Content Pack for vSAN
Content pack updates for Log Insight is an easy process. Simply click on the three horizontal bars next to the "admin" profile and click "Content Packs." You will see the updates to the content packs currently in use. You can also download content packs directly from the VMware Solution Exchange, or in this specific case, the content pack for vSAN at: https://marketplace.vmware.com/vsx/solutions/vmware-vsan-content-pack.
Figure 2. Updating the content pack within the Log Insight Administration Console
The content pack is compatible with Log Insight versions 4.0 through 4.7, and will work with all supported versions of vSAN: 6.0 through 6.7 U1.
Remember that log activity is a direct reflection on the amount of activity, and potential errors in an environment. In lab environments, or other clusters that have little activity, the dashboards may be relatively empty, and should not be cause for alarm. Selecting a larger time window beyond the default setting of 5 minutes will often show more log activity in the environment monitored.
Log data has had a long history of being difficult to work with, which makes a log analytics solution like vRealize Log Insight so valuable. Log Insight interprets log data, so you don't have to. If you're an administrator with vSAN and Log Insight in your environment, be sure to grab this latest update to the content pack for vSAN. If you aren't familiar with Log Insight and what it can do, take a look at what it can do. It is a simple way to make the administration of an environment easier.