Traceability and Auditing with VMware vRealize Log Insight Cloud

Save to My DOJO

Traceability and Auditing with VMware vRealize Log Insight Cloud

The landscape of IT as we know them has always been shaped by innovation, driven by the vision of modern tech organizations. Through these innovations, environments gain in complexity and inter-dependencies. Making auditing and traceability a critical component of the IT environment and this is where vRealize Log Insight Cloud comes into play and helps solve this problem.

Over the last few years, VMware has been following the vision set out by Pat Gelsinger back in the early 2010s. The company operated a shift towards cloud computing and it was still the most prominent topic during VMworld 2021. Through this shift, VMware is offering more and more of their products as cloud services and this applies to vRealize Log Insight which used to be only an on-premise appliance solution. With vRealize Log Insight Cloud, the on-premise appliance is a proxy that acts as syslog target and relays the data to your VMware Cloud service.

What is VMware vRealize Log Insight Cloud?

Formerly known as VMware Log Intelligence, VMware vRealize Log Insight Cloud is a cloud service that offers a managed solution to get visibility across various public and private clouds through log forwarding. You will find the features of any respectable Syslog server such as log aggregation, analytics, dashboards, custom alerting…

vRealize Log Insight Cloud

The great thing about vRealize Log Insight is that it includes content packs with all the intelligence and experience gathered by VMware and their customers over the years. That way you don’t have to download third-party plugins or manually create a bunch of rules to get a deep insight into your products.

vRealize Log Insight Cloud architecture and ingestion options

VMware vRealize Log Insight Cloud is built in a way that allows multiple services to forward logs to it in order for the IT department to be able to correlate data across their SDDC and Cloud services.

vRLI Cloud architecture

The vSphere integration for on-premise SDDC is based on an appliance named the Cloud Proxy. This appliance collects the journals from various on-premise sources and forwards them to VMware vRealize Log Insight Cloud in a compressed and encrypted state.

vRealize Log Insight Cloud connects various public and private Clouds to consolidate log aggregation

vRealize Log Insight Cloud connects various public and private Clouds to consolidate log aggregation.”

In this article, we will describe how to get started with VMware vRealize Log Insight Cloud by using the 30-day trial period.

Ingestion options

A wide variety of sources are currently supported out of the box with associated content packs such as:

    • Agents: Cloud Proxy, Fluentd, Fluent Bit, Log Insight Agent, LogStash
    • Applications: Apache, Docker, HAProxy, Kubernetes, IIS, SQL Server, TKG, NGINX, Github, Gitlab…
    • Cloud Providers: AWS, Azure, GCP (Google Cloud Platform), VMC on AWS
    • Third-party forwarders: Protocols such as Rsyslog, Syslog, TCP and UDP.

Note that these are the log sources that encompass all use cases. You will find a more specific array of solutions in the Content Packs with products like vRealize Orchestrator, vRealize Automation, SRM, Dell iDRAC, Active Directory, you name it.

Content Packs with products like vRealize Orchestrator, vRealize Automation, SRM, Dell iDRAC, Active Directory

How to set up VMware vRealize Log Insight Cloud

As the name implies, VMware vRealize Log Insight Cloud is a cloud service so you need to have a VMware Cloud Services account in order for you to enable it. If you don’t have an account, you can create one here.

The onboarding process will be different if you are a VMware Cloud (VMC) user

The onboarding process will be different if you are a VMware Cloud (VMC) user.”

Although VMware vRealize Log Insight Cloud is a paid VMware Cloud service, a 30-days trial period is offered for free to test the product before going with a paid subscription. We will use this free trial period in this example.

Port requirements

Let’s cover a few networking prerequisites laid out by VMware before jumping into it. There actually is a page in the official documentation with a “getting started” checklist. Most of these points we are describing in this article, however, I think the part about networking ports should be addressed before starting.

The Cloud Proxy appliance we will deploy will need the following network ports:

Source

Destination

Port

Protocol

Service Description

Standard system log Remote Cloud Proxy 514 TCP, UDP Syslog data over TCP or UDP
vRealize Log Insight Agents or Server Remote Cloud Proxy 9000 TCP vRealize Log Insight log data in JSON format (CFAPI)
Remote Cloud Proxy vRealize Log Insight Cloud 443 TCP vRealize Log Insight Cloud data over HTTPS

 

Step 1: Request Trial access

The first step is to request access to the service within the trial period. It took less than 15 minutes for me to receive the activation email so it should be pretty quick.

    • Log in the VMware Cloud Services console > Go to Services > Search for “log insight” > Click on REQUEST ACCESS.

https://console.cloud.vmware.com

VMware Cloud Services console

    • You will be redirected to the vRealize Log Insight product page. Here click on REQUEST FREE CLOUD TRIAL.

REQUEST FREE CLOUD TRIAL

    • In step 1 of the registration window, type in your details and click NEXT.

type in your details and click NEXT

    • In step 2, you may or may not put in your real information (a thought goes to all these fake VMware accounts to download evaluation products…). Then click NEXT.

step 2, you may or may not put in your real information

    • In step 3, you can add extra details and choose to receive communications that I’m actually interested in. Finish the wizard with the captcha and click SUBMIT.

step 3, you can add extra details and choose to receive communications

    • At this point, you will receive a notification email letting you know the request has been received. You will then need to wait a bit for the activation email to come through.

At this point you will receive a notification email letting you know the request has been received

    • Once you get the activation email, click on ACTIVATE SERVICE.

Once you get the activation email, click on ACTIVATE SERVICE

You should receive the confirmation email pretty quickly after requesting access to the trial.”

    • An organization with the details you filled in earlier should be pre-created and checked. Click CONTINUE here.

An organization with the details you filled earlier should be pre-created and checked. Click CONTINUE here

    • This will take you to a page where you can review the subscription tiers and start the trial with START MY TRIAL.

This will take you to a page where you can review the subscription tiers and start the trial with START MY TRIAL

At this point, you have enabled your free 30-days trial period and have access to the vRealize Log Insight Cloud console at https://www.mgmt.cloud.vmware.com/li/. In the next steps, we will deploy the Cloud Proxy to link our on-premise environment to the VMware Cloud Service.

Step 2: Deploy vRealize Log Insight Cloud Proxy

Now that we have access to the console, we need to deploy the Cloud Proxy in our on-premise environment to gather the logs and forward them to vRealize Log Insight Cloud. The download of the Cloud Proxy appliance happens in the Cloud console (not on my.vmware).

Cloud proxies establish the connection between your on-premise SDDC and vRealize Log Insight Cloud

Cloud proxies establish the connection between your on-premise SDDC and vRealize Log Insight Cloud”

    • It brings up a popup where you can download the appliance by clicking DOWNLOAD OVA.

The download may take some time but you can come back to this page by following the same path so don’t worry if you close it or get your session disconnected after a while. Note that the key specified below will be used when we deploy the OVA to link it with the Cloud portal.

The Cloud Proxy appliance must be downloaded from your vRealize Log Insight Cloud console

The Cloud Proxy appliance must be downloaded from your vRealize Log Insight Cloud console.”

    • Once the appliance is downloaded, go ahead and deploy it in your vSphere environment. I won’t go into the details of deploying an OVA but I will only point out that you need to paste the key mentioned earlier in the Customize template pane under the VMware Cloud Services One Time Key (OTK) section.

The key will pair your Cloud Proxy instance with your VMware Cloud account

The key will pair your Cloud Proxy instance with your VMware Cloud account.”

    • After you start the appliance, wait a couple of minutes and the Cloud Proxy should appear in the VMware vRealize Log Insight Cloud console like so.

Click on the Cloud Proxy’s name to display extra details about it

Click on the Cloud Proxy’s name to display extra details about it.”

Enable Content Packs

We now have an on-premise Cloud Proxy that is linked to the VMware Cloud Services console but no logs are being forwarded just yet. First, we’ll need to enable content packs.

    • Go to Content Packs > Public > Enable those that apply to your environment.

In my case, I enabled VMware Cloud > General.

Go to Content Packs > Public > Enable those that apply to your environment.

As well as VMware Products > VMware vSAN, VMware vSphere.

There are quite a few similar ones so it can be tricky to know which one to enable. I chose to pick the latest one.

Content packs are available for a wide variety of source products

Content packs are available for a wide variety of source products.”

 

Step 3: Connect vCenter Server

We now need to connect our on-premise infrastructure to vRealize Log Insight Cloud. In order to do so properly, we will create a vSphere role with just enough permissions (don’t you go using the SSO admin account right!).

vSphere role creation

    • Log in your vCenter Server and go to Administration > Access Control > Roles > click on the Read-only role > Clone it and give it a reasonable name such as vRealize Log Insight Cloud and click OK.

The read-only role must be cloned to create a dedicated role for vRLI Cloud

The read-only role must be cloned to create a dedicated role for vRLI Cloud.”

    • Edit the role and add the following privileges under the Host subcategory:
      • Configuration.Advanced settings
      • Configuration.Change settings
      • Configuration.Network configuration
      • Configuration.Security profile and firewall

Note that these host privileges are required for vRealize Log Insight to automatically configure the hosts, otherwise you would have to do it all manually.

Host privileges allows vRealize Log Insight Cloud to configure the hosts for log forwarding

Host privileges allows vRealize Log Insight Cloud to configure the hosts for log forwarding.”

    • Then create a new user. Whether it is in AD, OpenLDAP or vsphere.local doesn’t matter as long as it follows your internal security policy. I created vrli-[email protected] for the purpose of this demonstration.
    • Then select the top vCenter object > Permissions > Add the user we created with the role we created and enable Propagate to children.

Set the permission at the root of the vCenter instance

Set the permission at the root of the vCenter instance.”

vCenter connection and vSphere host logs forwarding

    • Once this is done, go back to the VMware Cloud console in Configuration > vSphere Integration > ADD VCENTER SERVER and type in the connection details. Check both checkboxes to configure the hosts and forward events to it, then click SAVE.

It is recommended to check the boxes to ensure proper host configuration

It is recommended to check the boxes to ensure proper host configuration.”

    • Once this is successfully completed, you should see the configured hosts on the vSphere Integration page.

Once this is successfully completed, you should see the configured hosts in the vSphere Integration page

If you look at the Advanced Settings of a host that was reconfigured, you will find the Syslog.global.logHost value set to the Cloud Proxy appliance.

“vSphere hosts are automatically configured for log forwarding

vSphere hosts are automatically configured for log forwarding.”

vCenter server logs forwarding (Optional)

This step is optional but we will quickly see how to configure the vCenter appliance to forward its syslog activity to vRealize Log Insight Cloud.

    • Log in the vCenter server VAMI on https://<vcenter>:5480 and go to Syslog > CONFIGURE and configure it like so and click SAVE:
Server Address

FQDN or IP address of the Cloud Proxy appliance

Protocol

TCP

Port

514

 

The default protocol and ports for Syslog servers is TCP 514

The default protocol and ports for Syslog servers is TCP 514.”

    • There is a SEND TEST MESSAGE feature that sends a specific message to make sure it is picked up by whatever Syslog solution is in the background.

the vCenter VAMI lets you send test message to ensure a successful connection

the vCenter VAMI lets you send a test message to ensure a successful connection.”

    • You can check for this live in vRealize Log Insight Cloud by going to Live Trail > set the filter to look for “syslog test message” for instance, send it from the VAMI and it should pop up in the live trail. If it doesn’t come up, then I’m afraid it’s time to start troubleshooting.

Live trail lets you observe logs in real time as they come in

Live trail lets you observe logs in real-time as they come in.”

Step 4: Start using it

The rest is up to you to tailor vRealize Log Insight Cloud to your needs and start skimming through logs to find anomalies you wouldn’t normally pick up.

Customize your dashboards and queries to gain visibility in your environment

Customize your dashboards and queries to gain visibility in your environment.”

The user interface is pretty self-explanatory and intuitive to use. You can create custom dashboards, move things around, create complicated queries…

The content packs you enable will give you access to a number of dashboards such as the one below for “vCenter Server – Events”.

The content packs you enable will give you access to a number of dashboards such as the one below for “vCenter Server – Events”

I particularly liked KB insights. A feature that uses indexing and machine learning techniques to identify and pair anomalies with suggested solutions from a knowledge base created by customers and field experts for similar problems that were solved in the past. That way save time by letting the engine do the research work for you and propose KB articles or VMTN posts that may hold the solution to the issue.

KB Insights proposes KB articles or VMTN community posts as potential solutions to anomalies found in the logs

KB Insights proposes KB articles or VMTN community posts as potential solutions to anomalies found in the logs.”

Additional config

While there is no definite answer as to how you should use the solution going forward, it is highly recommended to configure the email settings so you can receive an alert whenever a condition is met.

Email notifications are a must have in any respectable SDDC environment.

Email notifications are a must-have in any respectable SDDC environment.”

You can also have a look at the Access control settings of vRealize Log Insight Cloud. Three roles exist out-of-the-box that will be enough in most instances:

    • Organization Owner
    • vRealize Log Insight Cloud Admin
    • vRealize Log Insight Cloud User

Free Tier and Premium Subscription

The 30-days free trial period has no restrictions in terms of features so you can review the solutions as you would use them in production. The log retention is 10 days and data limits apply:

    • VMware Cloud on AWS users: 50 GB per day.
    • Non-VMware Cloud on AWS users: 10 GB per day.

Once you reach the end of the trial period, the following happens:

    • VMware Cloud on AWS users: 15 days grace period, then conversion to VMware Cloud core subscription or upgrade to a premium subscription.
    • Non-VMware Cloud on AWS users: You must upgrade to a standalone premium subscription to continue using it.

You can find up-to-date information on features and subscription specifics in the official documentation.

Switching to a paid subscription is obviously made easy for you, just go to Configuration > Subscriptions > ADD PAYMENT METHOD. You can then choose a plan which will be more or less financially interesting according to your commitment to the program.

vRealize Log Insight Cloud Premium subscription will vary in price according to the time commitment.

vRealize Log Insight Cloud Premium subscription will vary in price according to the time commitment.”

To protect your VMware environment, Altaro offers the ultimate VMware backup service to secure backup quickly and replicate your virtual machines. We work hard perpetually to give our customers confidence in their backup strategy.

Make sure you come back regularly to our VMware DOJO section to keep up with the latest VMware articles and news!

So Should you be using vRealize Log Insight Cloud?

In most organizations, the VMware infrastructure is managed by a handful of administrators but is accessed by a variety of users for specific purposes linked to their role in the company. In such instances, vRealize Log Insight Cloud will help you achieve user action identification for traceability and auditing purpose. Some software vendors may also request customers to retain the logs to ensure that their CPU or VM based license is not being overused.

vRealize Log Insight Cloud offers robust Syslog capabilities for VMware products and third-party software through content packs. The fact that the logs are stored in the cloud means they will remain available even in the instance of a full site or storage failure and help in the troubleshooting effort.

Altaro VM Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Frequently Asked Questions

Formerly known as VMware Log Intelligence, VMware vRealize Log Insight Cloud is a cloud service that offers a managed solution to get visibility across various public and private cloud through log forwarding.
No, there is a 30-day trial period, after that, a subscription is required. If you are a VMware Cloud user, you are entitled to the core features at no extra cost. There used to be 25 OSI included with a vCenter license but it is no longer the case after vCenter Server 6.7 U2 .
No, vRealize Log Insight is a syslog server first and foremost that can forward logs to a SIEM.
vRealize Log Insight Cloud can be accessed via the VMware Cloud Services Console while on-premise implementations of vRLI will be accessible via the appliance's IP address or FQDN.

Leave a comment

Your email address will not be published.