As I have covered in the past, Log Insight offers two types of integration. Both of these integrations feature the ability to add metadata to ingested events. In this post, I would like to cover the metadata they provide and how it can be leveraged. Read on to learn more!
vSphere
First up, let me cover vSphere integration metadata. As you know, vSphere integration is made up of two parts:
- vCenter Server events, tasks, and alarms
- ESXi syslog collection
vSphere integration provides metadata capabilities for the vCenter Server side only — since ESXi must abide by the syslog RFC. Assuming you have selected the vCenter Server checkbox, events ingested through the integration may contain the following static fields:
- vc_details (optional)
- vc_event_type
- vc_username (optional)
If you want to see this in your environment, perform a search on Interactive Analytics for appname contains vcenter-server.
Why is this metadata so valuable? Well, take vc_username as an example. This field tells you who performed the action that led to the log message. This is critical information from an auditing standpoint and something that is missing from the log event itself.
vRealize Operations Manager
Next, let me cover vROps integration metadata. As you know, vROps integration is made up of three parts:
- Alerts
- Launch in context
- Inventory mapping — this one is always enabled with integration
Inventory mapping provides additional metadata for vSphere events — anything originating from a vSphere component (e.g. ESXi) or on one (e.g. VMs) — where those objects are integrated in vROps via the vCenter Server management pack. In short, if you configure the vCenter Server management pack in vROps, configure events on vSphere components or VMs running on ESXi to point to LI, and integrate LI with vROps, then you will get the following static fields:
- vmw_cluster (optional)
- vmw_datacenter
- vmw_host
- vmw_object_id
- vmw_vcenter
- vmw_vcenter_id
- vmw_vr_ops_id
If you want to see this in your environment, perform a search on Interactive Analytics for vmw_vr_ops_id exists.
Why is this metadata so valuable? Well, take vmw_cluster as an example. This field tells you which vCenter Server cluster the event came from. This is critical information that can be used to isolate issues to a specific subset of the environment and something that is missing from the log event itself.
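To make the auditing and isolation uses above concrete, here is an added example (not from the original post and not Log Insight code) that summarizes events by vc_username and by vmw_cluster while handling the optional fields. The flat dict event shape, the sample values, and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events (not real logs). Each event is flattened to a dict
# of static fields; this shape is an assumption, not Log Insight's export format.
# Field values (event types, users, hosts) are constructed placeholders.
EVENTS = [
    {"appname": "vcenter-server", "vc_event_type": "VmPoweredOffEvent",
     "vc_username": "EXAMPLE\\alice", "text": "web01 is powered off"},
    {"appname": "vcenter-server", "vc_event_type": "VmRemovedEvent",
     "vc_username": "EXAMPLE\\alice", "text": "Removed web01"},
    {"appname": "vcenter-server", "vc_event_type": "AlarmStatusChangedEvent",
     "text": "Alarm changed from Green to Red"},  # vc_username absent (optional)
    {"vmw_vr_ops_id": "id-1", "vmw_host": "esx01.example.test",
     "vmw_cluster": "prod-a", "vmw_datacenter": "dc1",
     "text": "vmkernel: constructed message"},
    {"vmw_vr_ops_id": "id-2", "vmw_host": "esx09.example.test",
     "vmw_datacenter": "dc1",
     "text": "vmkernel: constructed message"},  # vmw_cluster absent (optional)
]


def actions_by_user(events):
    """Audit view: vc_event_type counts per vc_username."""
    report = defaultdict(Counter)
    for ev in events:
        if "vc_event_type" not in ev:
            continue  # event carries no vCenter Server integration metadata
        # vc_username is optional, so keep such events in a visible bucket
        user = ev.get("vc_username") or "(no vc_username)"
        report[user][ev["vc_event_type"]] += 1
    return {user: dict(counts) for user, counts in report.items()}


def events_by_scope(events):
    """Isolation view: event counts per (vmw_datacenter, cluster or host)."""
    scope = Counter()
    for ev in events:
        if "vmw_vr_ops_id" not in ev:
            continue  # event carries no inventory mapping metadata
        # vmw_cluster is optional, so fall back to the host name
        where = ev.get("vmw_cluster") or "host:" + ev["vmw_host"]
        scope[(ev["vmw_datacenter"], where)] += 1
    return dict(scope)


if __name__ == "__main__":
    print(actions_by_user(EVENTS))
    print(events_by_scope(EVENTS))
```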
Summary
As you can see, the metadata provided by the Log Insight integrations are powerful additions to the query capabilities. The metadata can be leveraged in a variety of ways and is bundled by default in content packs today, including the vSphere content pack. What do you use the metadata for?
© 2016, Steve Flanders. All rights reserved.