Why vCenter Log Insight is a “Must Have” for vSphere Environments
I recently took VMware’s vCenter Log Insight (2.0 beta) for a test drive and I was impressed at the time-to-value as well as the benefits relative to cost. Before I get started, I’d like to step back a bit and look at vSphere monitoring and explore the benefits of log monitoring.
UPDATE 6-11-2014: vCenter Log Insight 2.0 is now GA and has been released!
Monitoring vSphere with vCenter
vCenter out of the box does a great job of monitoring the vast majority of the things you’d want to know about: hardware failures, datastore space, CPU/memory utilization, failed tasks and so on. But chances are that on more than one occasion you have had to peruse ESXi host logs and/or vCenter log files to either find more detail or perhaps discover errors for conditions that vCenter doesn’t report on.
For example, are you seeing SCSI errors or warnings? Path failures or All Paths Down (APD) errors? Any unauthorized intrusion attempts? Are API calls timing out? Is one host logging more errors than others? The bottom line is that for full holistic monitoring of a vSphere environment, log monitoring is a required element. The traditional problem here is time – SSH into one host at a time as needed and manually peruse the log files? There needs to be a better way.
Splunk is a popular option for log monitoring as it has the capability to ingest logs from multiple sources so that you can correlate events and/or time frames across multiple devices. There is a vSphere app for Splunk which I understand works fairly well; however, one of the issues seems to be cost. ESXi and vCenter can generate large volumes of log data, and this increases costs because Splunk is usually priced around the volume of log data that is ingested.
Enter vSphere Log Insight
vSphere Log Insight is designed for vSphere environments and list pricing starts at $250 per device (a device being an ESXi host, a vCenter Server, SAN, switch/router, firewall, etc.).
I decided to download the beta of Log Insight 2.0 and give it a spin. It’s simply a pre-built virtual appliance that you import as an OVA. Once I had the appliance running I logged into the website and added details and credentials to access the vCenter server. Within 30 minutes of downloading I was exploring the interface which was now collecting logs from vCenter and all the ESXi hosts defined within it.
One of the first things I noticed was the clean, fast and snappy HTML5-based interface. Compared to the Flash-based vCenter Web Client it’s hard to not notice the difference (which increases my anticipation of the next vSphere release, which I hope will have an HTML5-based interface).
Out of the box, Log Insight comes with dashboards and content packs for both vSphere and vCenter Operations Manager (vCOPS). In the image below you will see on the left pane several dashboard views that can be selected within the vSphere pack. In the main window, one can click on any point in time on the top graph, an element of the pie chart, or even the “has results” of one of the queries and be instantly taken to an “Interactive Analytics” view where you can view the log events in detail.
If you were on the “Storage – SCSI Latency Errors” screen for example you’d see bar graphs for SCSI errors by device, path and host to quickly identify anomalies, as well as some pre-built queries as shown below. Clicking on any “Has Results” text will take you to a drill down view of the events that match the query.
The next day we ran into an issue where a certain VM failed to vMotion to another host. I logged into vCenter Log Insight, selected the “vCenter Server – Overview” tab, set the time range to “past 5 minutes”, and instantly identified the time interval of the failure. I clicked on it and in a blink I was looking at all the relevant log entries. It literally took me seconds to log in and get to this point – a huge time saver!
But wait, there’s more!
vCenter Log Insight is at its core a SYSLOG engine. While it is designed to immediately exploit vSphere log elements, it can also be used for SANs, switches, firewalls and more. If you browse the Solution Exchange you will see that content packs already exist for NetApp, HyTrust, VCE, Cisco UCS, vCAC, Brocade, EMC VNX, Puppet and more. In summary, you can point Log Insight at anything that outputs logs, with a growing library of content packs to provide even more value.
The Bottom Line
The bottom line is that if you want to see everything going on in your vSphere environment you need to be looking at logs. Log Insight can be used to create alarms as well as to vastly expedite the process of perusing log files from multiple sources to see what is going on.
I was impressed by how easy it was to deploy and by how we received almost immediate value from it. At a list price of $250 per device (per year) it seems like a no-brainer for many mission-critical vSphere environments.
Also take a look at the following whitepapers: