This content is part of the Essential Guide: The essential guide to VMware NSX SDN technology

Integrate vRealize Log Insight and NSX for centralized logging

VMware added vRealize Log Insight NSX in version 6.2.3. This central logging system receives log entries from ESXi hosts and helps identify issues in your NSX deployment.

A centralized logging system is convenient in any environment, but with VMware NSX and its many distributed components,...

it's a must. That's why VMware added vRealize Log Insight for NSX, a version of Log Insight focused strictly on vSphere and NSX logging. VRealize Log Insight is included in all versions of NSX, starting with NSX 6.2.3.

The main difference between vRealize Log Insight for NSX and regular Log Insight is that the former's EULA is restricted to vSphere and NSX log data. If you're still on NSX 6.1.x, you can download the new version of Log Insight if you're eligible for NSX 6.2.3.

Let's take a closer look at which logging components NSX enables, how to enable them, and check out some tips and tricks for using vRealize Log Insight NSX.

The breakdown of the NSX and vRealize Log Insight license mapping is as follows: NSX Standard, Advanced and Enterprise licenses provide users with one Log Insight Standard CPU for every NSX CPU. NSX Term Standard, Advanced and Enterprise licenses offer one Log Insight Standard CPU for every NSX Term CPU. The Log Insight Standard CPU for Term licenses will, eventually, expire; the license lists the expiration date. Finally, NSX for Desktop Advanced and Enterprise licenses include one Log Insight Standard CPU for every 50 CPUs of NSX Desktop.

Deploy the vRealize Log Insight appliance to begin; the appliance opens up a wizard that guides you through initial setup. Configure vRealize Log Insight to receive log entries from your ESXi hosts. For example, with a distributed firewall, logging occurs on the host where a specific VM runs -- it's ideal to have a centralized logging tool because VMs will probably move around in your cluster.

Content packs

Once you deploy vRealize Log Insight, install the NSX content pack that allows vRealize Log Insight to interpret the information it receives from NSX. These content packs are the integration between the central logging server and the application; without them, the application can't process log entries.

To install a content pack, navigate to the menu in the upper right-hand corner of the vRealize Log Insight interface and access the marketplace included in the administration interface. Install the NSX-vSphere Content Pack (Figure A).

NSX-vSphere Content Pack.
Figure A. Install the NSX-vSphere Content Pack.

Next, it's time to set up NSX components. First up is the NSX Manager, which is a web interface for monitoring and configuring other NSX components. You can locate the point of entry for the vRealize Log Insight server installation under the Manage tab.

This integration allows you to see log entries related to both the NSX Server and vCenter, since each NSX Manager connects to one vCenter instance. Therefore, if NSX has a problem configuring something in vCenter, this problem will appear in the log entries.

NSX Manager interface.
Figure B. NSX Manager interface.

Many other components enable logging once created and configured in NSX. For example, in Figure C, you can see where to configure the syslog server for a distributed logical router; this is the same for an NSX Edge appliance, since the Manage and Settings tabs are available for both.

Configure the syslog server for a DLR.
Figure C. Configure the syslog server for a Distributed Logical Router.

If you also want to configure NSX controllers to send logs to your syslog server, you must configure it directly with the HTTP REST API.

If you forward your ESXi logs to vRealize Log Insight, your distributed firewall logs will be automatically forwarded, too. This is because you store firewall log entries in /var/log/dfwpktlogs.log, which are automatically forwarded when you configure a central syslog server for your ESXi host.

The firewall does not log any messages by default, so you must change your firewall rules in the vSphere Web Client to enable firewall logging.

Once you've set up NSX and vRealize Log Insight integration, you can use Interactive Analytics to find entries forwarded by NSX. For example, you can see entries forwarded as part of the distributed firewall log for a SpoofGuard warning.

NSX CLI SpoofGuard.
Figure D. NSX command line interface SpoofGuard.

These messages allow you to create alerts based on your queries so that whenever something happens, you receive a warning either via email or through the vRealize Operations Manager. Dashboards are another important part of the NSX and vRealize Log Insight integration; these dashboards help identify issues in your NSX deployment.

Next Steps

NSX Standard Edition garners positive reviews

VRealize Log Insight leaves room for improvement

Enhanced logging improves vSphere security

Dig Deeper on VMware ESXi, vSphere and vCenter

Virtual Desktop
Data Center
Cloud Computing