
vRealize Operations and Logging via CFAPI and Syslog

Without any doubt, configuring vRealize Operations to send its log messages to a vRealize Log Insight instance is the best way to collect, parse and display both structured and unstructured log information.

In this post I will explain the major differences between CFAPI and Syslog as the protocol used to forward log messages to a log server like vRealize Log Insight.

The configuration of log forwarding in vRealize Operations is straightforward. Under “Administration” –> “Management” –> “Log Forwarding” you will find all options to quickly configure vRLI as the target for the selected log files.

The following figure shows how to configure vRealize Operations to send all log messages to vRealize Log Insight using the CFAPI protocol via HTTP.

Figure 1: Log Forwarding configuration

The CFAPI protocol, over HTTP or HTTPS, used by the vRealize Log Insight agent provides additional information that is used by the vROps Content Pack. The extracted information flows into the various dashboards and alert definitions delivered with the Content Pack. The following picture shows one of the available dashboards populated with data when using CFAPI and vRLI.

Figure 02: vROps Content Pack

In case you (for whatever strange reason) cannot use CFAPI, you can configure vROps to use Syslog. It is as simple as selecting Syslog as the protocol option in the configuration page shown in the following picture.

Figure 03: Syslog as configured protocol

The drawback of using Syslog here is that the additional information parsed by the agent and used by the Content Pack is no longer available, and you will need to create your own extracted fields in vRLI to parse data from the log messages.

In the next two pictures you can see the empty dashboards and log messages without any vROps-specific fields in Interactive Analytics.

Figure 04: Empty dashboards when using Syslog
Figure 05: Missing vROps specific fields when using Syslog

It is important to know that vROps uses Syslog over TCP when configured via the UI as shown in figure 03.

But what if you are forced to use Syslog over UDP?

There is no such option in the UI, but since vROps is using the regular vRLI agent, there has to be a way to configure it to use UDP instead of TCP.

The vRLI agent config file explains how to set the corresponding option:

Figure 06: liagent.ini config file

You can just replace

proto = syslog

with

proto = syslog_udp

restart the agent

service liagentd restart

and your vROps nodes start to forward log messages to your log server using UDP.

I have set up a fake log server listening on UDP port 514 using netcat:

Figure 07: Syslog over UDP in NC

If you configure the vRLI agent in vROps directly via the config file, please keep in mind:

  • you are using a function which is not officially supported by VMware
  • you will need to make such manual changes on every node
  • you will need to monitor any changes to that file, which can be triggered via the UI or by vROps updates
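The manual change above (swap the proto value, keep a copy of the original, and watch the file on every node for later changes, since the UI or a vROps update can rewrite it), as an added shell example that is not from the post or from VMware. The liagent.ini content used below is constructed; the only real key the script relies on is the proto line shown above, and the agent restart (service liagentd restart) still has to follow the edit.

```shell
#!/bin/sh
# Added example: switch the vRLI agent's forwarding protocol in liagent.ini and
# record a baseline digest so later rewrites (UI edits, vROps updates) are visible.
# The [server]/proto layout is taken from the post; file paths are constructed.
set -eu

_digest() {
  # sha256 of a file; falls back to shasum where coreutils is absent
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# set_liagent_proto INI PROTO -> rewrites the proto key (cfapi|syslog|syslog_udp)
# Restart afterwards with: service liagentd restart (not done here).
set_liagent_proto() {
  ini=$1; proto=$2
  case $proto in
    cfapi|syslog|syslog_udp) ;;
    *) echo "unknown proto: $proto" >&2; return 2 ;;
  esac
  grep -q '^[[:space:]]*proto[[:space:]]*=' "$ini" || { echo "no proto key in $ini" >&2; return 3; }
  cp -p "$ini" "$ini.orig.$(date +%Y%m%d%H%M%S)"      # keep the original for rollback
  # rewrite only the value, keeping whatever spacing the file already uses
  sed "s/^\([[:space:]]*proto[[:space:]]*=[[:space:]]*\).*/\1$proto/" "$ini" > "$ini.tmp"
  cat "$ini.tmp" > "$ini" && rm -f "$ini.tmp"         # keep inode and permissions
  _digest "$ini" > "$ini.sha256"                       # baseline for drift checks
}

# get_liagent_proto INI -> prints the configured proto value
get_liagent_proto() {
  sed -n 's/^[[:space:]]*proto[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# liagent_drift_check INI -> 0 if the file still matches its baseline, 1 if it changed
liagent_drift_check() {
  [ -f "$1.sha256" ] || { echo "no baseline for $1" >&2; return 2; }
  [ "$(_digest "$1")" = "$(cat "$1.sha256")" ]
}
```

Run liagent_drift_check from cron or your monitoring on each node; a non-zero exit tells you the UI or an update has rewritten the file and the proto value needs to be re-checked.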

Stay safe.

Thomas – https://twitter.com/ThomasKopton

3 Comments

  1. Hi Thomas,

    Thanks for knowledge sharing, your blogs are very helpful, but unfortunately I am from the Linux squad.

    We have a tricky situation and I don't find any use case similar to my needs.

    We have a Linux server as syslog server. Previously Log Insight was collecting logs from devices and sending them to the syslog server. On the syslog server's targeted path, we saw the logs being captured inside the specific device-named directories.

    Our VMware team did an upgrade activity on the vRealize product, or unfortunately due to some other reason, something has changed and now we are not receiving logs inside the specific device name directories; we are receiving logs in the Log Insight device name only.

    Nov 28 14:31:54 LOGINSIGHT01 1 2021-11-28T11:31:54.868+0000 DEVICE01 vmkernel – – [Originator@6876 key1=”HCIlogs”] PortCfgVsiGetParamPortCfg:392: : not found

    Kindly suggest how we can get data in the specific device name directory.

    1. Hi,

      I am not sure if I really understand the issue. What “devices” do you mean and how is vRLI collecting log messages on these devices? Is the vRLI agent collecting and sending logs to vRLI or are the devices sending their messages via Syslog to vRLI?

      Thomas
