This page contains the most relevant information for VMware Log Insight!

 

Official links

Blog posts

Community

SFlanders

Twitter

This section contains protips that I posted on Twitter. Please note I started this page well after I had started posting protips on Twitter. As such, some protips may be missing. If a protip has become obsolete, I have crossed it out below.


@smflanders #protip:

  • General
    • #protip: The #LogInsight virtual appliance default root password is empty and SSH is disabled until the password has been set on the console
    • #protip: 4 CPU @ >=2.0GHz, 8GB RAM, and 500 IOPS is the minimum recommended production configuration for #LogInsight
    • #protip: using a FQDN instead of an IP is always recommended in #LogInsight (e.g. cluster config, client agent config, and LB config)
    • #protip: With #LogInsight in scale-out (cluster) use an external LB and point all ingestion traffic to the LB (all nodes should be in pool)
    • #protip: ensure each node in a #LogInsight cluster is configured with a static IP address, DHCP is not supported for production environments
    • #protip: #LogInsight 2.0 supports ingestion over syslog (TCP/UDP/514, TCP[SSL]/1514/6514) and the ingestion API (TCP/9000)
    • #protip: time is very important between nodes in a #LogInsight cluster; be sure to validate time configuration in the administration section
    • #protip: a full vDisk for #LogInsight retention is normal, logs are rotated on a FIFO basis and new vDisks can be added to increase retention
    • #protip: After configuring the #LogInsight integrated load balancer add the VIP to DNS and send all query and ingestion traffic to the FQDN.
    • #protip: A #LogInsight cluster is dependent on reliable and accurate DNS and NTP.
    • #protip: A minimum of two DNS and four NTP servers should be configured on every #LogInsight node (and any other system you run).
    • #protip: To remove #vROps integration from #LogInsight, uncheck both checkboxes and select Save
  • Upgrade
    • #protip: Before upgrading #LogInsight take a backup/snapshot of every node
    • #protip: When upgrading a #LogInsight cluster you must upgrade the master first
    • #protip: To upgrade #LogInsight workers, on the master go to the Clusters page under Administration, select maintenance mode then upgrade
    • #protip: #LogInsight workers must be upgraded one at a time
  • 2.0
    • #protip: #LogInsight 2.0 is 6x faster than the competition, features 8x more ingestion than 1.x and is available now. Deploy/Upgrade today!
    • #protip: upgrading to #LogInsight 2.0 requires version 1.5 GA or newer. If running an older version, upgrade to 1.5 first then 2.0.
    • #protip: #LogInsight 2.0 supports up to a 6-node cluster (1 master / 5 workers) supporting up to 45K EPS and 12TB of capacity (2TB per node)
    • #protip: in #LogInsight 2.0 you can change/disable the session timeout through the UI under Administration > General pic.twitter.com/bYSivnPif3
  • 2.5
    • #protip: #LogInsight 2.5 requires a minimum of three nodes in order to provide ingestion HA
    • #protip: #LogInsight 2.5 requires worker to worker communication. See the security guide for details
    • #protip: In #LogInsight 2.5 after adding a worker to a standalone node the integrated load balancer can be configured from the Cluster page
    • #protip: A #LogInsight 2.5 cluster requires two new ports for node-to-node communication: TCP/7000, TCP/9042
    • #protip: In #LogInsight 2.5, content packs, including updated ones, can be downloaded from the in-product marketplace
    • #protip: When integrating #LogInsight 2.5 with #vROps 6.0 you must use a local vR Ops account, AD accounts will not work.
  • Agent
    • #protip: The #LogInsight Windows agent can be downloaded directly from the UI under Administration > Agents (or from http://my.vmware.com )
    • #protip: the #LogInsight Windows agent will only collect changes to files it monitors unless you add a new file then all data will be sent
    • #protip: You can configure where a #LogInsight #Linux agent sends its logs during installation: SERVERHOST=<LI> rpm -ivh <package>
  • Content Packs
  • Queries
  • Cluster
    • #protip: to create a #LogInsight 2.0 cluster deploy a new node select join existing deployment in config wizard and enter master node’s FQDN
    • #protip: in a #LogInsight cluster, the worker’s UI authenticates against users with the Admin User role on the master (ie no new admin user)
    • #protip: the only reason to log into a #LogInsight worker’s UI is to install a custom web SSL certificate (cannot be pushed by master today)
    • #protip: The #LogInsight integrated load balancer requires that all nodes and the specified VIP be in the same layer 2 network
    • #protip: Using the ingestion API over SSL with a #LogInsight cluster requires changing the SSL certificate on all nodes to be the same.

YouTube Videos

SFlanders

#vBrownBag

13 comments on “Log Insight”

Radhika says:

Hi,
I have installed Log Insight 2.5 VM appliance on vSphere 5.5. I am getting ‘Apache 2 Ubuntu default page’ when I try to login through web interface of the appliance to configure. How do I solve this?
Previously, I was trying to install VM through nested vSphere 5.5 host, then, I was not able to get the web interface work at all.
I would really appreciate your help.
Thanks.

Hi — thanks for the comment! If you are seeing Apache and Ubuntu then you are not connecting to a LI instance 🙂 LI does not run Apache nor does it run on Ubuntu so perhaps you have an IP address issue. LI runs fine on nested ESXi just note that deployment is only supported via vCenter Server as the only way you can configure networking in a supported way is through OVF properties and OVF properties require vCenter Server. I hope this helps!

Radhika says:

Hi, Thanks for your reply. I have deployed LI through vCenterServer Client. I can see the IP address assigned through vApp properties in ‘Edit settings –> Options’ while deploying the VM.
I checked – /etc/init.d/loginsight status
Log Insight running
I checked if tcp port 80 is open and it is open, service is running.
I did restart the loginsight and the web application started on port 80.
According to one of blogs, https://sflanders.net/2015/03/10/heads-up-log-insight-fails-to-start-with-cannot-connect/, I checked the runtime log file and didn’t find any error displayed.
I also checked if Cassandra is running and this is what I see –
sh li-cassandra.sh –status
sh: li-cassandra.sh: No such file or directory
However, as I understand, Cassandra is not related to the issue I am facing.
This is the exact page I see when I try to access the Web UI of LI –
https://assets.digitalocean.com/articles/lamp_1404/default_apache.png
I am not sure how to check httpd logs related to LI from the console. How do I fix this to configure LI and get going?
Thanks.

If Log Insight starts then Tomcat started. The screenshot shows Ubuntu and LI runs on SLES so sounds like you have a duplicate IP address in the environment.

Christian says:

Hi Steve,
is there a way to remove a host from LogInsight? Some random Windows box, not a LI Clusternode.
Thanks in advance
Christian

Hey Christian — Thanks for the comment. If you stop ingesting events from a client then the client will be removed once its logs have rotated off of the LI instance. There is no way to delete events from a client before the retention period has expired. The feature you will want to vote for is: http://loginsight.vmware.com/a/dtd/Variable-retention-periods/8997-24427

Michael Lapham says:

Thanks for providing the resource. I love LogInsight and this site.

Hey Michael — Thanks for the comment and I am glad you are enjoying Log Insight!

Matt Kaufmann says:

Very big thanks for your extensive posts! Helped me very much to understand all possible deployment options and caveats.
Could you maybe provide the visio stencils you used or tell me where you got them?

Which stencils are you referring to?

Daya Ram says:

Hey Steve,

Is there a way to update the email addresses, vrops and webhook in alerts using API. I see the option of GET and POST but nothing for PUT to update the alerts. I want to use API because I have 6 instances of Log Insight and each having more than 300 alerts so not easy to update manually.

Hey Daya,

Before I left VMware this was not possible but was on the roadmap. I do not believe I have seen anything about it being released, but not sure.

Sophia Anderson says:

Nice content thanks for posting such an interesting blog.
