VMware describes vRealize Log lnsight (vRLI) as a log analysis tool that delivers highly scalable log management with intuitive, actionable dashboards, sophisticated analytics, and broad third-party extensibility. It provides deep operational visibility and faster troubleshooting across physical, virtual and cloud environments. Documentation can be found here: https://docs.vmware.com/en/vRealize-Log-Insight/index.html?topic=%252Fcom.vmware.ICbase%252FPDF%252Fic_pdf.html
At its core, vRLI is a Syslog server that consumes logs and presents them back to users for troubleshooting purposes. Originally called vCenter Log Insight, it consumed logs from vCenter, but has since been expanded to include anything that can send logs via the Syslog protocol, which includes things like vCenters, ESXi Hosts, network devices, Linux/UNIX VMs, etc. For devices that don't natively support Syslog, agents can be installed: https://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.agent.admin.doc/GUID-83976956-C16C-42BD-9950-C6EDDF983086.html.
To get started, deploy the vRLI virtual appliance, the preset sizes and specifications are listed below. The smallest production deployment should be a minimum of Small. Extra Small should be used for demo, trial, or POC purposes only.
vRLI can scale out by using multiple instances in clusters. Clusters enable scaling of ingestion throughput, increase query performance, and allow high-availability ingestion. In cluster mode, vRLi provides master and worker nodes. Both master and worker nodes are responsible for a subset of data. Master nodes can query all subsets of data and aggregate the results. You can use from three to 18 nodes in a vRLI cluster. Details on combining vRLI nodes to form a cluster can be found here: https://docs.vmware.com/en/vRealize-Log-Insight/8.2/com.vmware.log-insight.getting-started.doc/GUID-B793B5C7-C856-4324-8202-EBB35265BA7B.html.
vRLI clusters include an integrated load balancers, which are detailed here: https://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.administration.doc/GUID-7B981536-F80C-458F-A196-2AFD4B1D33C2.html
Now, how do we get the data? We'll start by collecting the vSphere related data and expand beyond the vSphere edge in the next blog. Connecting vRLI to a vSphere environment is detailed here: https://docs.vmware.com/en/vRealize-Log-Insight/8.2/com.vmware.log-insight.administration.doc/GUID-09F7B992-D7F4-40B6-8F16-4B5A6E9BEC67.html. As indicated, vRLI can collect two types of data from vCenter instances and the ESXi Hosts they manage:
Events, tasks, and alerts (structured data with specific meaning). If configured, vRLI pulls events, tasks, and alerts from the vCenter instances.
Logs (unstructured data). ESXi Hosts and vCenter instances can push their logs to vRLI via Syslog.
To connect vRLI with your vSphere environment go to Administration - Integration - vSphere.
Click the +ADD VCENTER SERVER link to add a connection to a vCenter instance.
Provide the Hostname for the vCenter instance you'll be connecting to and the credentials you'll be using to connect. Detailed documentation can be found here: https://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.administration.doc/GUID-21B17F1D-E308-41BC-938C-2D2A30714958.html#GUID-21B17F1D-E308-41BC-938C-2D2A30714958
The top check box on the right allows you to collect vCenter events, tasks, and alarms. By default, vRLI collects this data from vCenter every two minutes. Hover over the information bubble for details:
The bottom check box on the right allows you to configure all ESXi Hosts in that particular vCenter instance for log forwarding.
Once you select the Configure ESXi Hosts to send logs to Log Insight, you'll be presented with an Advanced settings option. This allows you to configure log forwarding for all ESXi Hosts or just specific ones.
Once chosen, click the blue OK button. vRLI will then reach out to the vCenter API and make the configuration changes. At this point you should have data coming into vRLI with an architecture diagram like this.
We will explore the data and more in our next blog.