Integrate vRealize Log Insight and NSX for centralized logging
VMware added vRealize Log Insight NSX in version 6.2.3. This central logging system receives log entries from ESXi hosts and helps identify issues in your NSX deployment.
A centralized logging system is convenient in any environment, but with VMware NSX and its many distributed components,...
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
it's a must. That's why VMware added vRealize Log Insight for NSX, a version of Log Insight focused strictly on vSphere and NSX logging. VRealize Log Insight is included in all versions of NSX, starting with NSX 6.2.3.
The main difference between vRealize Log Insight for NSX and regular Log Insight is that the former's EULA is restricted to vSphere and NSX log data. If you're still on NSX 6.1.x, you can download the new version of Log Insight if you're eligible for NSX 6.2.3.
Let's take a closer look at which logging components NSX enables, how to enable them, and check out some tips and tricks for using vRealize Log Insight NSX.
The breakdown of the NSX and vRealize Log Insight license mapping is as follows: NSX Standard, Advanced and Enterprise licenses provide users with one Log Insight Standard CPU for every NSX CPU. NSX Term Standard, Advanced and Enterprise licenses offer one Log Insight Standard CPU for every NSX Term CPU. The Log Insight Standard CPU for Term licenses will, eventually, expire; the license lists the expiration date. Finally, NSX for Desktop Advanced and Enterprise licenses include one Log Insight Standard CPU for every 50 CPUs of NSX Desktop.
Deploy the vRealize Log Insight appliance to begin; the appliance opens up a wizard that guides you through initial setup. Configure vRealize Log Insight to receive log entries from your ESXi hosts. For example, with a distributed firewall, logging occurs on the host where a specific VM runs -- it's ideal to have a centralized logging tool because VMs will probably move around in your cluster.
Once you deploy vRealize Log Insight, install the NSX content pack that allows vRealize Log Insight to interpret the information it receives from NSX. These content packs are the integration between the central logging server and the application; without them, the application can't process log entries.
To install a content pack, navigate to the menu in the upper right-hand corner of the vRealize Log Insight interface and access the marketplace included in the administration interface. Install the NSX-vSphere Content Pack (Figure A).
Next, it's time to set up NSX components. First up is the NSX Manager, which is a web interface for monitoring and configuring other NSX components. You can locate the point of entry for the vRealize Log Insight server installation under the Manage tab.
This integration allows you to see log entries related to both the NSX Server and vCenter, since each NSX Manager connects to one vCenter instance. Therefore, if NSX has a problem configuring something in vCenter, this problem will appear in the log entries.
Many other components enable logging once created and configured in NSX. For example, in Figure C, you can see where to configure the syslog server for a distributed logical router; this is the same for an NSX Edge appliance, since the Manage and Settings tabs are available for both.
If you also want to configure NSX controllers to send logs to your syslog server, you must configure it directly with the HTTP REST API.
If you forward your ESXi logs to vRealize Log Insight, your distributed firewall logs will be automatically forwarded, too. This is because you store firewall log entries in /var/log/dfwpktlogs.log, which are automatically forwarded when you configure a central syslog server for your ESXi host.
The firewall does not log any messages by default, so you must change your firewall rules in the vSphere Web Client to enable firewall logging.
Once you've set up NSX and vRealize Log Insight integration, you can use Interactive Analytics to find entries forwarded by NSX. For example, you can see entries forwarded as part of the distributed firewall log for a SpoofGuard warning.
These messages allow you to create alerts based on your queries so that whenever something happens, you receive a warning either via email or through the vRealize Operations Manager. Dashboards are another important part of the NSX and vRealize Log Insight integration; these dashboards help identify issues in your NSX deployment.
NSX Standard Edition garners positive reviews
VRealize Log Insight leaves room for improvement
Enhanced logging improves vSphere security