VMware Log Insight

Anyone use/implement/design this? I have a design and implement coming up for Log Insight and would like to know of any interesting points, gotchas and general ideas of this piece of code. I've got it running in the lab and it took a while to get used to but the capabilities are pretty cool - the way it ingests logs and lets you filter what you are after makes troubleshooting easier. My focus is on designing it right, anyone can click next > next to implement. Ideas?

Find more posts tagged with

Comments

jibbajabba

You need to design Log Insight

Zentraedi

Essendon wrote: »

Anyone use/implement/design this? I have a design and implement coming up for Log Insight and would like to know of any interesting points, gotchas and general ideas of this piece of code. I've got it running in the lab and it took a while to get used to but the capabilities are pretty cool - the way it ingests logs and lets you filter what you are after makes troubleshooting easier. My focus is on designing it right, anyone can click next > next to implement. Ideas?

I think the operational aspect is where you're really going to have to focus to be successful. Look at building dashboards tuned to their environment, SLAs, and general operations workflows. Provisioning and integration will also be key... Do they have some sort of CM/DSC and will point any new CIs to vRLI? Will vRLI this be sending alerts to another enterprise monitoring or ticketing system? What about log retention for security/compliance? How do you design for different policies there? What about devices/appliances that have limited syslog destinations? Implementing forwarders? What about monitoring other logs of interest on appliances?

jibbajabba

I think it shows that I merely pointed it at my vCenter and walked away

Essendon

@Jibba - Yeah mate, there's a fair bit to this thing!

@Zen - Thanks for the valuable insight.

Dashboards - yep, getting VMware assist on this.
Integration - I'm unaware of the need to automate pointing new CIs to it. AFAIK, the build process will include the LI machine as the syslog to use. LI will not be sending alerts anywhere, our intention is to use it for auditing and privileged user access management.
Logs - dunno how long the retention period is going to be. Gotta be something crazy I'm sure, like 14 years or something. I know the disk requirements may go through the roof. Interesting to find out if older stuff can be archived.
Appliances - at this stage, this is for ESXi machines only, so I dont have to worry about appliances at this stage but I'll ask this and plan in advance.

Thanks heaps!

Zentraedi

Ah, ok. Some people want to install the Windows agents for LI and get all those event logs going there too. Can also get random appliance logs forwarded via syslog-ng. If your project has a config manager or workflow provisioning process, it's nice to throw these items in there.

Anyway, LI is still far from covering the scope that your might see Splunk or ELK on, but if you really want to correlate across as many devices as possible might have to go for either of those routes.

Essendon

I'll post more here after I've had a few internal meetings with people and pick your brain again. This promises to be an interesting project. Thanks again.