In my last post, I demonstrated how easy it is to integrate Log Insight (LI) with vRealize Operations (vR Ops). In this post, I will talk about the value of integrating LI with vR Ops.
I want to reiterate a few points from my previous post as they are applicable to the benefits outlined below:
- In order to get the best integration, LI 2.5 or newer and vR Ops 6.0 or newer are highly recommended.
- LI can connect to a single vR Ops instance today, but multiple LI instances can be integrated with the same vR Ops instance.
- If multiple LI instances are integrated with the same vR Ops instance then some integration benefits will only be available to the last configured LI instance.
1. Inventory Mapping
- Prerequisites: requires LI 2.5 or newer and vR Ops 6.0 or newer.
One reason to integrate LI with vR Ops is to take advantage of the inventory mapping feature. Inventory mapping provides two advantages described below.
Note: Even if multiple LI instances are connected to the same vR Ops instance, the inventory mapping benefits described below will work properly with all integrated LI instances.
1A. vSphere Inventory Event Tagging
If vR Ops is connected to one or more vSphere environments (e.g. vCenter Server, ESXi, and/or VMs), those vSphere environments are forwarding events to LI and LI is integrated with vR Ops then the events in LI will have some static fields defined including vmw_datacenter, vmw_host, vmw_object_id, vmw_vcenter, vmw_vcenter_id, and vmw_vr_ops_id.
These fields provide inventory information to events that may not otherwise contain such information. For example, a VM may not know that it is a VM. Even if the VM does know that it is a VM, it is very unlikely that the VM knows where it lives within the environment (e.g. host, cluster, datacenter, vCenter, etc). If vR Ops is monitoring vSphere then vR Ops does know the mapping of VM to host, cluster, datacenter, and vCenter and thus can pass this information to LI. Of course, over time an object, such as a VM, may move to different hosts, clusters, datacenters, or even vCenters. When this occurs, vR Ops will be aware and can pass this new information to LI. LI handles this by tagging an event during ingestion time with the latest inventory mapping information it has received from vR Ops. If the object moves then new events will get tagged with the new inventory information while old events will contain the old inventory information.
Perhaps you can see the power this brings. With this integration, you can construct a query that could isolate an issue to a specific subset of your environment. For example, let’s say you are receiving a large number of events containing a specific error message. All of these error messages are coming from VMs. Previously, to troubleshoot this problem you would need to connect to each VM and figure out what is going on and try to manually determine if there is any correlation. Now, from LI, you can easily determine if all of the VMs are on the same host, cluster, datacenter, and/or vCenter. Being able to determine where in the environment an issue is happening makes it possible to isolate and contain problems reducing the time-to-recovery.
1B. vSphere Inventory Object Alerting
If LI and vR Ops are integrated then LI can map alerts back to vR Ops objects automatically. I will cover this as part of the second benefit below.
2. Alert Integration
- Prerequisites: works with any supported version of vR Ops though one option requires LI 2.5 or newer and vR Ops 6.0 or newer.
Note: Even if multiple LI instances are connected to the same vR Ops instance, LI alerts will be properly received by vR Ops.
LI has a feature called alerts, which I have covered here. You can think of alerts as queries that run on a schedule and only trigger if they meet a certain threshold. Alerts can be sent via email and/or vR Ops.
You will notice, when you configure an alert to be sent to vR Ops you need to specify a resource in vR Ops. The behavior of this mandatory option depends on what version of LI and vR Ops you are running:
- LI 2.5 or newer and vR Ops 6.0 and newer – the resource option is used as the default object in vR Ops that will receive the LI alert assuming inventory mapping returns no information for an event triggered by the LI alert (e.g. non-vSphere events). If the event does have inventory mapping information then the LI alert will automatically get mapped to the correct object in vR Ops regardless of what the resource parameter is set to in LI.
Important: There are two known limitations to be aware of:
1. If the third radio button is used in the threshold (i.e. Raise an alert) for the LI alert then events triggered will always be sent to the resource specified even if inventory mapping returns results. The workaround is to use any of the other two threshold options.
2. The criticality option has no effect on how the LI alert appears in vR Ops. All LI alerts appear with criticality notice in vR Ops.
- LI older than 2.5 and/or vR Ops older than 6.0 – the resource option is the vR Ops object that will receive notification every time this particular LI alert triggers.
vR Ops Notification Events
LI alerts are sent to vR Ops as notification events. Notification events in vR Ops are accessible from a variety of locations including:
- Alerts – vR Ops 6.0 has a dedicated section for alerts (shown below) as well as an alerts section per object, while vR Ops 5.x features alerts in the custom UI.
- Object – vR Ops 6.0 also shows LI alerts in Troubleshooting > Events (shown below), while vR Ops 5.x features LI alerts under Environment > Events.
Important: You need to enable the option to show notification events for them to appear in the graph.
3. Two-way Launch in Context
- Prerequisites: vR Ops -> LI works with vR Ops 5.7.1 or newer, but LI -> vR Ops requires LI 2.5 or newer and vR Ops 6.0 or newer.
Note: If multiple LI instances are connected to the same vR Ops instance then only the last LI instance integrated with vR Ops will have the Launch in Context feature. This also means that the Launch in Context feature is overridden whenever a LI instance is integrated with a vR Ops instance that was previously integrated with a different LI instance.
From vR Ops to Log Insight
- Prerequisites: vR Ops 5.7.1 or newer and the LI adapter, which may need to be installed manually–see the requirements section above for more details.
If you have installed the LI adapter for vR Ops and integrated LI with vR Ops then you have the ability to query for logs from any object within vR Ops. To do this, navigate to the Environment section and drill-down to a particular object such as a vCenter, ESXi host or VM. After selecting the object, select the Actions drop-down and click the option to Search for logs in vRealize Log Insight.
Upon doing this, a new browser tab will open directing you to the LI instance integrated with vR Ops. Once you authenticate, you will be navigated to the Interactive Analytics page of LI with a query that will return any results for the object selected in vR Ops.
Note: If using a version of vR Ops older than 6.0 then the query constructed will be based on hostname, which may return no results even though events for the object are being ingested by LI. With vR Ops 6.0, the query is based on the vR Ops ID, which ensures that results are returned if they are being ingested. In short, use of vR Ops 6.0 is recommended.
From Log Insight to vR Ops
- Prerequisites: LI 2.5 or newer and vR Ops 6.0 or newer.
If you have installed the LI adapter for vR Ops and integrated LI with vR Ops then you have the ability to view the object that sent an event to LI. To do this, navigate to the Interactive Analytics page of LI and find an event that contains inventory mapping fields. Hover over the event and to the left select the gear icon drop-down. Select the option to Open Analysis in vRealize Operations Manager.
Upon doing this, a new browser tab will open directing you to the vR Ops instance integrated with LI. Once you authenticate, you will be navigated to the Environment > Analysis section of vR Ops with the object selected.
With vR Ops and LI, you have complete visibility of structured and unstructured data in your environment, but with integration between the products you get a single pane of glass from which to ensure the health of your environment, get notified of detected issues, automatically respond to issues detected and perform complete troubleshooting and root cause analysis.
Integration of vR Ops with LI provides complete and central visibility of structured and unstructured data in your environment.
© 2015, Steve Flanders. All rights reserved.