This page contains the most relevant information for VMware Log Insight!
Official links
- Product Page – information about Log Insight, trial/download, purchasing, and other resources
- Log Insight Community – Direct access to product management and tech previews (highly recommended for all users)
- VMware Community – Traditional way to ask questions and report bugs on VMware products like Log Insight
- Content Packs – Free plugins to Log Insight that make troubleshooting and RCA much easier (highly recommended for all users)
- Links – Product Documentation, APIs, Calculator
- VMware Blog – Great material from a variety of VMware authors
- Training – Fundamentals, Learning Zone
- Social media – Twitter, YouTube, LinkedIn, Facebook, Google+
Blog posts
Community
- Anthony Spiteri
- Brian Graf
- Chris Chua
- K. Chris Nakagaki
- Cody Hosterman
- Drew Tonnesen
- Eric Sloof
- Manny Sidhu
- Markus Kraus
- Michael Ryom
- Michael White
- Ryan Mangan
- Tomas Baublys
- vmkdaily
- William Lam
SFlanders
- Stand-up
- Getting data in
- Usage
- Administration
- Version
- Other
This section contains protips that I posted on Twitter. Please note I started this page well after I had started posting protips on Twitter. As such, some protips may be missing. If a protip has become obsolete, I have crossed it out below.
Shortcuts
@smflanders #protip:
- General
- #protip: The #LogInsight virtual appliance default root password is empty and SSH is disabled until the password has been set on the console
- #protip: 4 CPU @ >=2.0GHz, 8GB RAM, and 500 IOPS is the minimum recommended production configuration for #LogInsight
- #protip: using a FQDN instead of an IP is always recommended in #LogInsight (e.g. cluster config, client agent config, and LB config)
- #protip: With #LogInsight in scale-out (cluster) use an external LB and point all ingestion traffic to the LB (all nodes should be in pool)
- #protip: ensure each node in a #LogInsight cluster is configured with a static IP address, DHCP is not supported for production environments
- #protip: #LogInsight 2.0 supports ingestion over syslog (TCP/UDP/514, TCP[SSL]/1514/6514) and the ingestion API (TCP/9000)
- #protip: time is very important between nodes in a #LogInsight cluster; be sure to validate time configuration in the administration section
- #protip a full vDisk for #LogInsight retention is normal, logs are rotated on a FIFO basis and new vDisks can be added to increase retention
- #protip: After configuring the #LogInsight integrated load balancer add the VIP to DNS and send all query and ingestion traffic to the FQDN.
- #protip: A #LogInsight cluster is dependent on reliable and accurate DNS and NTP.
- #protip: A minimum of two DNS and four NTP servers should be configured on every #LogInsight node (and any other system you run).
- #protip: To remove #vROps integration from #LogInsight, uncheck both checkboxes and select Save
- Upgrade
- #protip: Before upgrading #LogInsight take a backup/snapshot of every node
- #protip: When upgrading a #LogInsight cluster you must upgrade the master first
- #protip: To upgrade #LogInsight workers, on the master go to the Clusters page under Administration, select maintenance mode then upgrade
- #protip: #LogInsight workers must be upgraded one at a time
- 2.0
- #protip: #LogInsight 2.0 is 6x faster than the competition, features 8x more ingestion than 1.x and is available now. Deploy/Upgrade today!
- #protip: upgrading to #LogInsight 2.0 requires version 1.5 GA or newer. If running an older version, upgrade to 1.5 first then 2.0.
- #protip: #LogInsight 2.0 supports up to a 6-node cluster (1 master / 5 workers) supporting up to 45K EPS and 12TB of capacity (2TB per node)
- #protip: in #LogInsight 2.0 you can change/disable the session timeout through the UI under Administration > General pic.twitter.com/bYSivnPif3
- 2.5
- #protip: #LogInsight 2.5 requires a minimum of three nodes in order to provide ingestion HA
- #protip: #LogInsight 2.5 requires worker to worker communication. See the security guide for details
- #protip: In #LogInsight 2.5 after adding a worker to a standalone node the integrated load balancer can be configured from the Cluster page
- #protip: A #LogInsight 2.5 cluster requires two new ports for node-to-node communication: TCP/7000, TCP/9042
- #protip: In #LogInsight 2.5, content packs, including updated ones, can be downloaded from the in-product marketplace
- #protip: When integrating #LogInsight 2.5 with #vROps 6.0 you must use a local vR Ops account, AD accounts will not work.
- Agent
- #protip: The #LogInsight Windows agent can be downloaded directly from the UI under Administration > Agents (or from http://my.vmware.com )
- #protip: the #LogInsight@Windows agent will only collect changes to files it monitors unless you add a new file then all data will be sent
- #protip: You can configure where a #LogInsight #Linux agent sends its logs during installation: SERVERHOST=<LI> rpm -ivh <package>
- Content Packs
- #protip: #LogInsight content packs are free. Partner content packs can be found on Solution Exchange. https://solutionexchange.vmware.com/store/loginsight …
- #protip: To create a #LogInsight content pack go to Content Packs from gear icon, click content, click gear to export pic.twitter.com/pVEu4jYmer
- #protip: #LogInsight content pack fields are read-only and have a namespace in parenthesis to the right of the name. pic.twitter.com/QkGb3ral8l
- #protip: when downloading a free #LogInsight content pack from Solution Exchange be sure to check out the Tech Specs section for config info
- Queries
- #protip: #LogInsight supports phrase queries on the search bar using double quotations pic.twitter.com/xRT6VoSvHw
- #protip: #LogInsight supports non-prefixed glob queries where * = 0 or more keywords and ? = 1 keyword pic.twitter.com/qVZY8EcO91
- #protip: #LogInsight supports java-based regular expressions via a constraint, but always add keywords pic.twitter.com/JhsB3Isell
- #protip: regular expression queries in #LogInsight are defined using a constraint and the ‘matches regex’ operation. pic.twitter.com/hNw34LWge3
- #protip: #LogInsight allows users to create custom extracted fields privately (all users) or shared (admin users). pic.twitter.com/NAwCIFE79l
- Cluster
- #protip: to create a #LogInsight 2.0 cluster deploy a new node select join existing deployment in config wizard and enter master node’s FQDN
- #protip: in a #LogInsight cluster, the worker’s UI authenticates against users with the Admin User role on the master (ie no new admin user)
- #protip: the only reason to log into a #LogInsight worker’s UI is to install a custom web SSL certificate (cannot be pushed by master today)
- #protip: The #LogInsight integrated load balancer requires that all nodes and the specified VIP be in the same layer 2 network
- #protip: Using the ingestion API over SSL with a #LogInsight cluster requires changing the SSL certificate on all nodes to be the same.
YouTube Videos
SFlanders
- Upgrading to Log Insight 2.0
- Deploying the Log Insight 2.0 Virtual Appliance
- Initial Standalone Configuration of Log Insight 2.0
- Join a Log Insight 2.0 Deployment
- Deploying the Log Insight 2.0 Windows Agent
- Configuring the Log Insight 2.0 Windows Agent
#vBrownBag
- Let’s Talk About Log Insight Webhooks
- Fun with Log Insight APIs
- Log Insight Importer
- Log Insight Use Cases
- Putting Unstructured Data to Use
- The Art of Log Insight
- Creating Your Own Log Insight Dashboards for Security
- vCNS DMZ with Log Insight
- The Importance of Collecting and Analyzing Log Messages
- What’s New and What’s Next in Log Insight
- Introduction to VMware Log Insight
Hi,
I have installed Log Insight 2.5 VM appliance on vSphere 5.5. I am getting ‘Apache 2 Ubuntu default page’ when I try to login through web interface of the appliance to configure. How do I solve this?
Previously, I was trying to install VM through nested vSphere 5.5 host, then, I was not able to get the web interface work at all.
I would really appreciate your help.
Thanks.
Hi — thanks for the comment! If you are seeing Apache and Ubuntu then you are not connecting to a LI instance 🙂 LI does not run Apache nor does it run on Ubuntu so perhaps you have an IP address issue. LI runs fine on nested ESXi just note that deployment is only supported via vCenter Server as the only way you can configure networking in a supported way is through OVF properties and OVF properties require vCenter Server. I hope this helps!
Hi, Thanks for your reply. I have deployed LI through vCenterServer Client. I can see the IP address assigned through vApp properties in ‘Edit settings –> Options’ while deploying the VM.
I checked – /etc/init.d/loginsight status
Log Insight running
I checked if tcp port 80 is open and it is open, service is running.
I did restart the loginsight and the web application started on port 80.
According to one of blogs, https://sflanders.net/2015/03/10/heads-up-log-insight-fails-to-start-with-cannot-connect/, I checked the runtime log file and didn’t find any error displayed.
I also checked if Cassandra is running and this is what I see –
sh li-cassandra.sh –status
sh: li-cassandra.sh: No such file or directory
However, as I understand, Cassandra is not related to the issue I am facing.
This is the exact page I see when I try to access the Web UI of LI –
https://assets.digitalocean.com/articles/lamp_1404/default_apache.png
I am not sure how to check httpd logs related to LI from the console. How do I fix this to configure LI and get going?
Thanks.
If Log Insight starts then Tomcat started. The screenshot shows Ubuntu and LI runs on SLES so sounds like you have a duplicate IP address in the environment.
Hi Steve,
is there a way to remove a host from LogInsight? Some random Windows box, not a LI Clusternode.
Thanks in advance
Christian
Hey Christian — Thanks for the comment. If you stop ingesting events from a client then the client will be removed once its logs have rotated off of the LI instance. There is no way to delete events from a client before the retention period has expired. The feature you will want to vote for is: http://loginsight.vmware.com/a/dtd/Variable-retention-periods/8997-24427
Thanks for providing the resource. I love LogInsight and this site.
Hey Michael — Thanks for the comment and I am glad you are enjoying Log Insight!
Very big thanks for your extensive posts! Helped me very much to understand all possible deployment options and caveats.
Could you maybe provide the visio stencils you used or tell me where you got them?
Which stencils are you referring to?
Hey Steve,
Is there a way to update the email addresses, vrops and webhook in alerts using API. I see the option of GET and POST but nothing for PUT to update the alerts. I want to use API because I have 6 instances of Log Insight and each having more than 300 alerts so not easy to update manually.
Hey Daya,
Before I left VMware this was not possible but was on the roadmap. I do not believe I have seen anything about it being released, but not sure.
Nice content thanks for posting such an interesting blog.