It came to my attention during a talk with a customer today that there is some ambiguity around what is needed to use the VMware vRealize Log Insight Agent, and when it’s required. Since I’m writing this up for them, I figured it’s best to just publish it for anyone else who might have the same questions.
vRealize Log Insight can ingest logs from native syslog sources as well as via the vRLI Agent. The vRealize Log Insight Agent is a robust log collection mechanism that can read log files in various formats, as well as channels in the Windows Event Log. It encrypts events over the wire and is very resource friendly, but its primary benefit is endpoint management. Gone are the days of having to configure your endpoints individually: with the vRLI Agent you manage which files to read, per device class, entirely from your vRLI Server’s web interface.
Additionally, native syslog, especially from applications, does not forward all the events you sometimes want to display. A perfect example is when you are looking at Dashboards inside vRLI and, even though you have syslog configured in Horizon View, your widgets are still blank. The reason is that many Content Packs require logs that are not sent over a generic syslog method at all; they rely on additional logs that are stored on the file system. To make this information easy to collect, most Content Packs provide an Agent Group with these files predefined. Which raises the question: what is an Agent Group?
Simply put: an Agent Group is a set of instructions on which logs to gather, limited by user-defined criteria to a subset of your devices. Let’s take a look at a practical example, Horizon View…
On each of my Connection (Broker) Servers, I have installed a vRLI Agent, but it’s just sitting there and not collecting any logs, because I’ve not given it instructions on which log files to ingest. So, I navigate to Administration > Agents in my vRLI Server and configure an Agent Group by copying the “Horizon View – Broker (Windows)” Template.
Because I want to only attempt to collect these log files on Horizon Broker Servers, I’ve created a filter to only apply to my Broker Servers based on OS and Hostname. Once defined, I can see that it is only applied to my 4 connection servers.
Now that the filter is defined, let’s look at the actual configuration.
The configuration is straightforward.
- 1. It’s a File Log – As shown on the left side, the source of my events is a file. The other option is a Windows Event Log.
- 2. Source Directory – This folder is where all of my logs are located.
- 3. Event Marker – Many tools don’t handle multi-line messages well. This regular expression identifies the line that starts a new event; lines that follow without matching it (a stack trace, for example) are appended to the current event rather than being split into separate events at every newline.
- 4. Include Files – The Source Directory contains a lot of files, and I may not want to ingest them all. Here is where I define which file names I want to ingest data from.
- 5. Tags – Tags are important, and the larger your environment gets, the more important they become. Please don’t neglect them: there are only three places where you can attach tags to an event, and the Agent Group is one of them.
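To make the five settings above concrete, here is an added example (my own illustration, not VMware’s agent code or anything from the Horizon Content Pack) that models what a File Log definition tells the agent to do. It parses a group definition written in the `[filelog|...]` section syntax of the agent’s liagent.ini (the keys `directory`, `include`, `event_marker` and `tags` are assumed to follow that syntax), selects files from a directory by the include globs, splits their contents into events on the event marker, and stamps each event with the tags. The directory, file names and log lines are constructed for the demo and are not real Horizon output.

```python
"""Added example: a small model of what a vRLI Agent Group's File Log
definition instructs the agent to do. It is not VMware's code. The keys
(directory, include, event_marker, tags) follow the [filelog|...] section
syntax of the agent's liagent.ini as an assumption; the directory, file
names and log lines below are constructed for the demo, not real Horizon output.
"""
import configparser
import fnmatch
import json
import os
import re
import tempfile

# Constructed Agent Group definition in liagent.ini style.
AGENT_GROUP_CONFIG = r"""
[filelog|horizon-broker]
directory=C:\ProgramData\VMware\VDM\logs
include=debug-*.txt;log-*.txt
event_marker=^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}
tags={"vmw_product":"horizon","vmw_component":"broker"}
"""

# Constructed sample log: two events, the second one spanning three lines.
SAMPLE_LOG = """2024-03-05T10:15:01.000 INFO  (1A2B) <Thread-1> [Broker] user login ok
2024-03-05T10:15:02.000 ERROR (1A2B) <Thread-1> [Broker] tunnel setup failed
    at com.example.vdi.Tunnel.open(Tunnel.java:42)
    at com.example.vdi.Broker.run(Broker.java:17)
"""


def parse_agent_group(text):
    """Read one [filelog|<name>] section into a dict with a compiled marker."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    section = next(s for s in cp.sections() if s.startswith("filelog|"))
    s = cp[section]
    return {
        "name": section.split("|", 1)[1],
        "directory": s["directory"],
        # include is a semicolon-separated list of file-name globs
        "include": [p.strip() for p in s["include"].split(";") if p.strip()],
        # a line matching event_marker begins a new event
        "event_marker": re.compile(s["event_marker"]),
        "tags": json.loads(s["tags"]),
    }


def select_files(directory, include_patterns):
    """Only file names matching one of the include globs are ingested."""
    return sorted(
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if any(fnmatch.fnmatch(name, pat) for pat in include_patterns)
    )


def split_events(text, marker):
    """Group lines into events: a marker match starts a new event and every
    following non-matching line (e.g. a stack trace) is appended to it.
    Lines before the first match are kept together as their own event."""
    events, current = [], []
    for line in text.splitlines():
        if marker.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def collect(group, directory=None):
    """Apply the group definition to a directory and return tagged events."""
    directory = directory or group["directory"]
    events = []
    for path in select_files(directory, group["include"]):
        with open(path, encoding="utf-8") as fh:
            for text in split_events(fh.read(), group["event_marker"]):
                events.append({"text": text, "source": path, **group["tags"]})
    return events


def demo():
    """Run the group against a constructed directory: one matching file, one noise file."""
    group = parse_agent_group(AGENT_GROUP_CONFIG)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "debug-2024-03-05.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LOG)
        with open(os.path.join(d, "pcoip_server.log"), "w", encoding="utf-8") as fh:
            fh.write("2024-03-05T10:15:03.000 not in the include list\n")
        return collect(group, directory=d)


if __name__ == "__main__":
    for ev in demo():
        print(json.dumps(ev, indent=2))
```

Running it prints two tagged events: the noise file is skipped because its name matches neither include glob, and the two stack-trace lines travel with the ERROR line instead of becoming separate events. Try removing the `^` anchor from `event_marker` to see why anchoring matters: a timestamp quoted in the middle of a message would otherwise start a spurious new event.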
It’s important to realize that you aren’t limited to the templated Agent Groups. You can define your own log sources using what you just learned. Just hover over either “File Logs” or “Windows Event Log” and click the green plus to create a new definition.