If, like most of us, you forward vCenter and ESXi host Syslog data to centralised Syslog targets (and if you don’t, then I’d advise you do), then you’ll be pleased to hear that (as long as you have a valid vCenter Server license) you’ll be able to utilise the power of VMware vRealize Log Insight to interrogate this data.

This article is the first in a two-part VMware vRealize Log Insight series. It details the simple installation and configuration process; the second article will focus on advanced configuration and integration with VMware NSX via vRealize Log Insight Content Packs (vRealize Log Insight add-ins enabling further integration with both VMware and 3rd party products).

As per VMware documentation, VMware vRealize Log Insight supports a single 25-OSI Log Insight for vCenter Server license (i.e. 1x vCenter Server and 24x other vSphere elements). In a nutshell, this means vRealize Log Insight is totally free for single vCenter Server use; however, this does come with a few exceptions. Firstly, the Log Insight for vCenter Server license is limited to VMware-only Content Packs and, furthermore, Enterprise features (such as event forwarding and archiving) are disabled. Still, this isn’t a bad compromise by any means, and I’d recommend you try out vRealize Log Insight as soon as you can.

ESXi Host Syslog Configuration

Firstly, if you aren’t already forwarding your ESXi Syslog data to a central target, then you’ll need to configure this first. For lab purposes (and in a number of use cases) the below example details how we configure all ESXi hosts to forward all Syslog data to our vCenter Server.

Note, if you have a large number of hosts in your estate, it might be preferable to configure this setting via a Host Profile.

1. Set the syslog server address on each ESXi host by browsing to Configure > Advanced System Settings > Edit.
2. Find Syslog.global.logHost and edit accordingly (udp://vCenterFQDN:514). For lab purposes, I’ve forwarded the Syslog data to my vCenter Server. Once complete, click OK.

3. Lastly, browse to Configure > Firewall and click Edit.
4. Scroll down to syslog, enable the service, and click OK.
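
The four steps above can also be applied and then read back on every host from PowerCLI, which is useful when a Host Profile is not in use. This is an added example, not part of the original article; it assumes VMware PowerCLI is installed, and the vCenter name and log target below are placeholders.

```powershell
# Added example: apply and verify the syslog settings from steps 1-4 on every host.
# Placeholders (not from the article): vCenter FQDN and log target.
$vCenter   = 'vcenter.lab.example'
$logTarget = 'udp://vcenter.lab.example:514'   # same format as in step 2

Connect-VIServer -Server $vCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost -State Connected) {
    # Step 2: point Syslog.global.logHost at the central target if it differs.
    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost'
    if ($setting.Value -ne $logTarget) {
        $setting | Set-AdvancedSetting -Value $logTarget -Confirm:$false | Out-Null
    }

    # Step 4: allow outbound syslog through the ESXi firewall.
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog'
    if (-not $rule.Enabled) {
        $rule | Set-VMHostFirewallException -Enabled $true | Out-Null
    }

    # Reload the syslog service so the new target takes effect.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $esxcli.system.syslog.reload.Invoke() | Out-Null

    # Read both values back so the report shows the host's actual state.
    [pscustomobject]@{
        Host            = $vmhost.Name
        LogHost         = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
        FirewallEnabled = (Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog').Enabled
    }
}

# Hosts that still do not match the expected target sort to the top.
$report | Sort-Object { $_.LogHost -eq $logTarget } | Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Any host listed with a different LogHost value or with FirewallEnabled set to False is not forwarding its logs and leaves a gap in the central record.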

vRealize Log Insight – Installation and Configuration

1. First of all, you’ll need the VMware vRealize Log Insight virtual appliance, the OVA for which can be downloaded here.

2. Login to vSphere and deploy the OVA.

3. Browse to the OVA location and click Next.

4. Give your new VM a name, assign to an appropriate datacenter/folder, and click Next.

5. Select an appropriate compute resource and click Next.

6. Review the details and click Next.

7. Accept the EULA and click Next.

8. Select a configuration appropriate for your environment (for this lab environment, Extra Small is fine). Click Next when done.

9. Select an appropriate storage resource and click Next.

10. Assign an appropriate network and click Next.

11. Lastly, enter the relevant network details and Root credentials, and click Next.

12. Review the configuration summary and click Finish.

13. Once deployed, power-on the new VM and sit back while your configuration is applied.

14. After a restart, and when the build is complete, you’ll be presented with the below console.

15. Open a browser and visit the appliance’s FQDN or IP address. Click Next.

16. Click Start New Deployment.

17. When requested, enter the relevant admin credentials and click Save and Continue.

18. Enter your VMware vCenter license key and click Add License.

19. Click Save and Continue.

20. Ensure your NTP configuration targets the correct NTP servers (for lab purposes, I’ve retained the default as per below). Once done, click Save and Continue.

21. Enter your environment’s SMTP settings and click Save and Continue.

22. Click Finish.

23. Lastly, we’ll need to connect vRealize Log Insight to your vCenter Server instance. Simply browse to Administration > vSphere, and enter your vCenter Server Hostname and suitable credentials. For testing purposes I’m using administrator@vsphere.local; however, in a production scenario it is obviously recommended to use a service account. This service account will require the Host.Configuration.Change settings and Host.Configuration.Network configuration privileges in vSphere (to read more, click here). Once complete, test your connection and click SAVE.

24. When prompted, click OK.

25. vRealize Log Insight will now configure all ESXi hosts in your environment. This will have no impact on your hosts, nor will they require a restart.

26. Once complete, give vRealize Log Insight a few minutes to begin collecting your Syslog data (5-10 minutes in most cases) and, when ready, you’ll be presented with a rather cool looking Dashboard.

In part 2 of this series we’ll take a deeper look into vRealize Log Insight with advanced configuration and integration with VMware NSX via the vRealize Log Insight Content Packs. We will also detail the work required to configure all NSX Distributed Logical Routers, Edge Service Gateways, NSX Controllers, and the NSX Manager to forward Syslog information.