Log Insight ships with two content packs: General and vSphere. Both of these content packs have been updated for Log Insight 2.5. I would like to cover the updates in these two content packs and how you can best leverage them in your environment.
The General content pack is meant to provide information about all events coming into your Log Insight instance. The first version of this content pack focused on events by hostname and source as well as priority. The updated content pack presents this information in a more coherent way and adds information about other types of events in Log Insight.
The Overview dashboard provides statistics around the number of devices generating events by hostname and priority, but also calls out the devices generating the most events per category.
The Event Types dashboard provides information based on the machine learning feature of Log Insight. This dashboard follows the same format as the Overview dashboard and can be extremely helpful in tracking down new environmental issues.
The Agents dashboard complements the Administration > Agents section of the UI and provides information about agents to non-admin users. While it provides information similar to that on the Agents page, it also provides additional information such as the number of unique winlog and filelog being collected.
Finally, the Security dashboard demonstrates queries for particular types of events. This information can be helpful for high-level analysis of events before drilling down deeper.
The vSphere content pack received another major overhaul for Log Insight 2.5. Some of the changes are enhancements to existing dashboards while others are completely new dashboards.
The General – Overview dashboard now includes queries that leverage the new vRealize Operations integrations (a post on this later). In short, you can now group events by inventory location including cluster. The widget even tells you the prerequisites in order for it to return results.
The General – Problems dashboard has been modified to provide even more critical information to you. The most important queries are listed at the top with all the alerts available in the content pack listed just below them. At the bottom of the page are additional queries, which should also be investigated when looking into environmental problems. I would strongly advise checking out and enabling related alerts, especially those marked critical.
The General – Security dashboard now shows the same information for vCenter Server and ESXi and highlights failed login attempts. Be sure to check out the last dashboard in the ESXi column, as it lists CLI commands run against ESXi!
The General – Configuration dashboard is new and can be extremely helpful when standing up or growing an environment. It indicates when configuration problems occur, including invalid and unsupported configurations, as well as when configuration limits have been reached.
The vSphere – vMotion dashboard is a new dashboard that provides some widgets that had been on previous dashboards and many new queries related to vMotion.
The Storage – VSAN dashboard is a new dashboard that provides information about VSAN events. Other VSAN information can be found on the General – Problems and General – Inventory dashboards.
If you are not checking out the default content packs in Log Insight you really should be. If you are running the Log Insight 2.5 beta, head over to the marketplace to get the updates to the two content packs listed above.
© 2014 – 2021, Steve Flanders. All rights reserved.