Without any doubt, configuring vRealize Operations to send log messages to a vRealize Log Insight instance is the best way to collect, parse and display structured and unstructured log information.
In this post I will explain the major differences between CFAPI and Syslog as the protocol used to forward log messages to a log server like vRealize Log Insight.
The configuration of log forwarding in vRealize Operations is straightforward. Under “Administration” –> “Management” –> “Log Forwarding” you will find all the options needed to quickly configure vRLI as the target for the selected log files.
The following figure shows how to configure vRealize Operations to send all log messages to vRealize Log Insight using the CFAPI protocol via HTTP.
The CFAPI protocol, over HTTP or HTTPS, used by the vRealize Log Insight agent provides additional information used by the vROps Content Pack. The extracted information flows into the various dashboards and alert definitions delivered through the Content Pack. The following picture shows one of the available dashboards populated with available data when using CFAPI and vRLI.
In case you (for whatever strange reason) cannot use CFAPI, you can configure vROps to use Syslog. It is as simple as selecting Syslog as the protocol option in the configuration page shown in the following picture.
The drawback of using Syslog here is that the additional information parsed by the agent and used by the content pack will no longer be available and you will need to create your own extracted fields in vRLI to parse data from the log messages.
In the next two pictures you can see the empty dashboards and log messages without any vROps-specific fields in the interactive analytics.
It is important to know that vROps is using Syslog over TCP when configured via UI as shown in figure 03.
But what if you are forced to use Syslog over UDP?
There is no such option in the UI, but since vROps is using the regular vRLI agent, there has to be a way to configure it to use UDP instead of TCP.
The vRLI config file explains how to set the corresponding option:
You can just replace
proto = syslog
with
proto = syslog_udp
restart the agent
service liagentd restart
and your vROps nodes start to forward log messages to your log server using UDP.
I have set up a fake log server listening on 514 UDP using netcat:
If you configure the vRLI agent in vROps directly via the config file, please keep in mind:
- that you are using a function which is not officially supported by VMware
- you will need to make such manual changes on every node
- you will need to monitor any changes to that file which can be triggered via the UI or vROps updates
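The last two points in the list above can be covered by a small drift check run on each node, for example from cron. This is an added example, not part of the original post and not VMware tooling; it assumes the agent config is an INI file with `proto` in a `[server]` section and `;` comment lines, and the path to the file is supplied by the caller.

```shell
#!/bin/sh
# Added example: drift check for the agent's transport setting (not VMware tooling).

# Print the effective "proto" value from the [server] section of an INI file.
# Comment lines (';' or '#') are ignored; the last assignment in the section wins.
liagent_proto() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[server\][ \t\r]*$/); next }
        insec && /^[ \t]*proto[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# Return 0 if the file carries the expected proto, 1 on drift, 2 if unreadable.
check_liagent_proto() {
    file=$1; expected=$2
    [ -r "$file" ] || { echo "UNREADABLE $file"; return 2; }
    actual=$(liagent_proto "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK $file proto=$actual"
    else
        echo "DRIFT $file proto=${actual:-<unset>} expected=$expected"
        return 1
    fi
}

# Constructed sample config (not copied from a real node; hostname is a placeholder).
sample=$(mktemp); drift=$(mktemp)
trap 'rm -f "$sample" "$drift"' EXIT
cat > "$sample" <<'EOF'
[server]
hostname = loghost.example.test
; proto = cfapi
proto = syslog_udp
port = 514

[filelog|constructed]
proto = not-a-server-setting
EOF
# Simulate the file being rewritten back to TCP syslog by the UI or an update.
sed 's/^proto = syslog_udp$/proto = syslog/' "$sample" > "$drift"
check_liagent_proto "$sample" syslog_udp          # manual edit still in place
check_liagent_proto "$drift"  syslog_udp || true  # reports DRIFT
```

On a real node, call `check_liagent_proto` with the path of the agent's config file and alert on a non-zero exit status.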
Stay safe.
Thomas – https://twitter.com/ThomasKopton
Hi Thomas,
Thanks for knowledge sharing, your blogs are very helpful but unfortunately I am from Linux squad.
We have some tricky situation; I don't find any use case similar to my needs.
We have a Linux server as syslog server. Previously Log Insight was collecting logs from devices and sending them to the syslog server. On the syslog server’s targeted path, we saw the logs being captured inside the specific device-named directories.
Our VMware team did upgrade activity on the vRealize product, or unfortunately due to some other reason, something has changed and now we are not receiving logs inside specific device name directories; we are receiving logs in the Log Insight device name only.
Nov 28 14:31:54 LOGINSIGHT01 1 2021-11-28T11:31:54.868+0000 DEVICE01 vmkernel – – [Originator@6876 key1=”HCIlogs”] PortCfgVsiGetParamPortCfg:392: : not found
Kindly suggest, how we can get data in specific device name directory.
Hi,
I am not sure if I really understand the issue. What “devices” do you mean and how is vRLI collecting log messages on these devices? Is the vRLI agent collecting and sending logs to vRLI or are the devices sending their messages via Syslog to vRLI?
Thomas