top of page
Brock Peterson

VMware vRealize Log Insight 301

This final blog in the vRealize Log Insight (vRLI) series will focus on Content Packs. Similar to management packs in vRealize Operations (vROps), content packs are deployed into your vRLI cluster. They capture and publish log data from vRLI aware logs via dashboards, queries, extracted fields, and alerts. They can also contain agent configurations used to tell agents what logs to send and how to tag/parse them.

Out of the box, vRLI comes with several content packs: General, vSphere, vSAN, and vROps. Documentation here: https://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.user.doc/GUID-9C372B56-A252-4444-AB6F-C80752A7F4C4.html


Besides the default content packs, there are many others. The first place to look is the VMware Marketplace: https://marketplace.cloud.vmware.com/services?search=content%20packs, which is also available directly from the vRLI UI:

The Content Pack Marketplace integration allows you to deploy them directly from the vRLI UI and keep them up to date.


There are also Community Supported content packs available from the vRLI UI, these are contributed by the larger vRLI community. VMware {code} also warehouses content packs (and much more): https://code.vmware.com/samples?categories=Sample&sort=dateDesc&keywords=&tags=vRealize%20Log%20Insight%20Content%20Pack&groups=&filters=&page=


Let's explore the out-of-the-box VMware vSphere content pack, it's found here.

There are five tabs detailing the contents:

  1. Dashboards - these are the dashboards that show the log data for that particular technology. Each dashboard in the content pack will be described here, with widget names, widget types, and notes.

  2. Queries - these are the queries being used to pull data from the vRLI aware logs. Query names and notes are given for each.

  3. Alerts - the alerts defined within the content pack. They have notifications defined within: email, webhook, and/or a subsequent vROps alert.

  4. Agent Groups - agent groups contain configurations for monitoring, parsing, and tagging events sent to vRLI. They effectively tell the user (or agent) what directory/logs to monitor, the REGEX used to extract fields, and the subsequent tag assigned to them. Documentation here: https://docs.vmware.com/en/vRealize-Log-Insight/8.2/com.vmware.log-insight.administration.doc/GUID-53A0B505-BEAF-4BC4-B634-4964FC0D66CD.html

  5. Extracted Fields - the fields being extracted from the logs, including: field names, REGEX used to extract them, and more.

Let's install one, in this case we'll install the NetApp - Data ONTAP content pack from Blue Medora.

After checking the box and clicking INSTALL, the content pack will be deployed into your cluster and Setup Instructions will be provided.

The instructions show us how to consume the NetApp logs, in this case via Syslog. They also show us how to configure a VIP to filter those logs, ultimately tagging them with a "product=netapp" tag. This of course will be used in the NetApp dashboards and alerts. Once installed, the NetApp content pack will show under the Installed Content Packs dropdown, along with the default ones from VMware.

The dashboards included in the content pack will now be visible in the Dashboards tab, under Content Pack Dashboards.

Most often, content packs will include instructions on how to forward logs to vRLI via Syslog, but there are times an agent will be required. There are two types of vRLI agents: Linux and Windows. Document found here: https://docs.vmware.com/en/vRealize-Log-Insight/8.2/com.vmware.log-insight.agent.admin.doc/GUID-636EFA8D-B063-46FE-A192-36450954E218.html


As an aside, VMware Technical Marketing Manager, Matt Bradford, has a great video detailing vRLI agents, view it here: https://www.youtube.com/watch?reload=9&v=UwqNEqbglCQ. He publishes a lot of content on his blog as well: http://vmspot.com/. Follow him on Twitter at @vmspot.


An example of a vRLI content pack requiring an agent would be the one for Microsoft SQL Server. Upon installation, you'll find these instructions.

This content pack requires a vRLI agent with the cfapi protocol and the included agent group configuration. The agent group configuration that comes with the management pack will tell you exactly what logs will be forwarded to vRLI, the tags they will be given, and other configuration related information. You're then instructed to add your vRLI Windows agents to the MSSQL Agent Group, which gets the logs from the MSSQL servers to the vRLI cluster.


All agents, the ability to enable auto-updates, download the latest agent versions, and agent configurations are available here.

Beyond vROps and vRLI, the vRealize Suite of platforms from VMware includes vRealize Automation and vRealize Lifecycle Manager. We'll be exploring these next.



1,241 views

Comments


bottom of page