One of the great features of Log Insight is its tight integration with other VMware products. One of these integrations is with vSphere. I have talked about vSphere integration in the past, however I would like to do so in more details to clear up some questions I have received lately.
Log Insight Integrations
Log Insight provides integrations to other VMware products today through plug-ins or modules. Configuration of integrations is done by admin users from the Administration page. In Log Insight 1.5, vSphere and vCenter Operations Manager integrations are exposed.
vSphere Integration
vSphere integration allows Log Insight to perform two operations:
- Collect vCenter Server events, tasks, and alarms from the vCenter Server database and ingest them as log messages.
- Configure ESXi hosts to forward syslog events to Log Insight
IMPORTANT: vSphere integration does not configure vCenter Server (Windows or VCSA) to forward syslog/log events to Log Insight. This is because vCenter Server does not provide an API way to apply such a configuration. For directions on how to manually configure vCenter Server to forward syslog/logs to Log Insight see this post.
Users are allowed to choose whether they want #1, #2, or both when configuring vSphere integration.
Permissions
vSphere integration is configured by specifying the credentials to one or more vCenter Server instances. Depending on which parts of the integration are desired, different vCenter Server permissions are required:
- Collect vCenter Server events, tasks, and alarms from the vCenter Server database and ingest them as log messages(Read-only role) = System.View
- Configure ESXi hosts to forward syslog events to Log Insight (requires a custom role to be defined) = Host.Configuration.Change settings, Host.Configuration.Network configuration, Host.Configuration.Advanced Settings, and Host.Configuration.Security profile and firewall
IMPORTANT: You must configure the permission on the top-level folder within the vCenter Server inventory, and verify that the Propagate to children check box is selected.
Configuration Maximum
While there is no hard limit to the number of vCenter Server instances that can be specified, the 1.5 release notes state that a maximum of two should be specified:
Connecting to too many vCenter Server instances can result in slow collection of vCenter Server events, tasks, and alarms
To collect events, tasks, and alarms data, Log Insight polls all connected vCenter Server instances sequentially. Collecting events from an individual server can take over 30 seconds and the collector always waits for two minutes after completion. For example, if there are 10 vCenter Server instances configured, the collector iterates through each of them taking up to 300 seconds. Combined with the additional two minutes of wait, this example would collect events from each server every 7 minutes.
Workaround: Do not connect more than two vCenter Server instances to a Log Insight instance.
ESXi Configuration
If you select the checkbox to configure ESXi host to forward syslog events to Log Insight and select Save then Log Insight will do the following:
- Connect to vCenter Server and poll for all hosts
- Connect to each host and if a supported ESXi host (4.1 and newer) configure it to forward events to Log Insight using UDP/514
- If the ESXi host is 4.x and a remote syslog destination is already set, Log Insight will override the configuration (4.x only supports a single remote syslog destination)
IMPORTANT: Only ESXi hosts will be configured. ESX is not supported as it does not support an API way to configure a remote syslog destination.
When you select the checkbox to configure ESXi hosts to forward syslog events to Log Insight you will notice a hyperlink below the checkbox that says, “Advanced options…”. After you select the checkbox and select Save the hyperlink below the checkbox changes to, “View ESXi remote syslog details…”. Use either hyperlink for additional options for configuring, reconfiguring, or unconfiguring ESXi hosts.
The hyperlinks allow for the following:
- Ability to select which ESXi hosts get configured
- Ability to specify the protocol used to forward events to Log Insight
- Ability to specify what happens if ESXi 4.x hosts are detected and already have a remote syslog destination configured
- Ability to determine which ESXi hosts are already configured to forward logs to Log Insight
- Ability to reconfigure ESXi syslog configuration in the case of the ESXi syslog bug
The last bullet is a subtle, but important one. If you select the checkbox for one or more ESXi hosts that are already configured to forward events to Log Insight and select the Configure button, Log Insight will reload the syslog configuration on the ESXi hosts. If you are impacted by the ESXi syslog bug, this workaround can be very useful.
Removing vSphere Integration
vSphere integration can be removed in the same selective manner as it can be enabled in:
- Collect vCenter Server events, tasks, and alarms from the vCenter Server database and ingest them as log messages – unselect the checkbox and select Save
- Configure ESXi hosts to forward syslog events to Log Insight – select the “View ESXi syslog configuration details…” hyperlink, select the checkbox(es) for the ESXi host(s) and select Unconfigure
- Both – select the red X in the upper right hand corner of the vCenter Server configuration dialog box and select Save (you have the option to remove the ESXi configuration or keep it)
© 2014 – 2021, Steve Flanders. All rights reserved.
Hi Steve,
Anytime I have deployed Log Insight and ticked the box to Configure ESXi my service account has to have:
Host.Configuration.Change settings
Host.Configuration.Network configuration
Host.Configuration..Advanced Settings
Host.Configuration.Security Profile and Firewall
Is this something particular to my environment or Log Insight 3.3?
Great blog, very helpful!
Cheers,
James
Hey James — Thanks for the comment. You are correct on the permissions. The documentation was updated, but not my blog post. I am fixing it now.
Ahhh sorry Steve, really need to start RTFM in more detail!