If you are upgrading or have upgraded to vSphere 6.0, you should be aware of a couple of syslog gotchas. These will be especially important if you are running a central logging system like vRealize Log Insight. Read on to learn more.
I frequently get questions around how to forward only certain log files from ESXi or how to collect a log file that is missing. I get the question so frequently that it warrants a quick post. The title of this post says it all – it’s all or nothing. If you configure remote syslog on ESXi then you will get all configured log files from ESXi. There is no supported way today to customize which log files are stored locally versus sent remotely. The only customization that you can make is which severity of log messages is forwarded to the remote syslog destinations, by changing log verbosity; however, this is not recommended (read here for more information).
When the Log Insight Windows agent was released in version 2.0, the decision to use the agent was easy because Windows does not natively support syslog. Given the release of the Log Insight Linux agent, I have been asked a few times why the agent should be used over already available syslog agents like Rsyslog and Syslog-NG for sending events to a remote destination like Log Insight. I would like to cover 12 reasons in this post.
My post on vCAC logging has been quite popular since its release. With VMware’s release of new and updated management products at the end of 2014, some changes to vCAC, now vRA, exist. In order to avoid confusion by attempting to update the older post, I decided it was time for a new post. Also, with the release of the Log Insight Linux agent, it is a good time to show end-to-end remote logging for vRA when leveraging the Log Insight agents.
Unfortunately, vRA still does not support setting a remote syslog destination to forward all vRA logs within the GUI. Like last time, I would like to cover where all the log files are located and, more importantly, how you can forward them to a remote syslog destination like Log Insight.
In Log Insight 2.0 a scale-out feature was introduced. The best practice when using scale-out is to configure an external load balancer in front of the cluster and send all ingestion traffic (i.e. syslog and ingestion API) to the load balancer instead of directly to a node. The reason for this best practice is to assist with balancing data across nodes and also to provide ingestion high availability. In this post, I would like to discuss why data may not be balanced across a Log Insight cluster whether a load balancer is used or not.
One question I get over and over again is can you / how do you import existing logs into Log Insight? The common use-cases are:
- Support bundle – someone has a support bundle and wants to analyze the logs
- RCA – an existing set of logs exists and analysis to determine the root cause of an issue is desired
- Analysis – a log analysis tool does / did not exist and analysis of previous logs is desired
So, how do you import existing logs into Log Insight?