There are a lot of blogs on how to implement vRealize LogInsight and on the use cases for bringing it into your environment.

The first and best reason to use it is that it is included in some licenses you may already own:

  • Free vRealize Log Insight for NSX Customers: All NSX 6.2.4 (and later) customers are entitled to vRealize Log Insight for NSX at no additional charge. The license model for vRealize Log Insight for NSX mirrors the license model for NSX. Read the FAQ for more information.

  • Free Log Insight for vCenter: For each instance of vCenter Server that you own or purchase you are entitled to a free 25 OSI license of vRealize Log Insight for vCenter. For more information please see the FAQ.

Use Case

The use case is simple: you need an overview of what is happening in your vSphere environment:

  • Who logs in to your environment?
  • Are there any Administrator or Root actions and logins?
  • Which firewall events happen in your environment?
  • Are there any unwanted changes to your VMs?

You can think of this as a Security Dashboard or, what I would use it for, a Compliance Dashboard. Because LogInsight collects any kind of log from your vSphere environment, you can build queries and dashboards to report that (hopefully) nothing has been changed in your environment.

I created one for my customers a few weeks ago based on some internal templates which I couldn't share, but then I saw this tweet this morning and it is worth testing.

So let's start by downloading that Content Pack by @texiwill and configuring it in my LogInsight lab.

You download a vlcp file, which describes the vRealize LogInsight Content Pack and can be imported into the system.

LogInsight Admin Menu

Log in to your vRealize LogInsight system and switch to Content Packs via the menu at the top right, next to your login name.

Fig 1. LogInsight Admin Menu

LogInsight Content Packs Management

The Content Packs page initially shows the Marketplace, where you can find more solutions to enhance your LogInsight configuration. Click the + Import Content Pack link at the bottom left (I don't know who wanted to play hide and seek with us and placed it there…).

Fig 2. LogInsight Content Packs Management

LogInsight Import Content Pack

Click Browse and locate the file "Texiwill Security v1.0.vlcp" that you downloaded before.

You have two options to install content packs:

  • Install as content pack: Content will be installed as a content pack. It will be read-only and visible to all users.

    If you want to make any changes to the included dashboards or settings, you have to copy it to your Custom Dashboard section.

  • Import into My Content: Content will be imported into my user space. It will be editable but only visible to me.

Fig 3. LogInsight Import Content Pack

Content Pack Overview

Import is easy and should not end in any errors. The result of the import is the installed Content Pack page, as shown in Figure 4.

Fig 4. Content Pack Overview

Dashboard View

Can't wait to see what's happening in your environment? Switch to the Dashboard view and select Texiwill's Security Pack.

Fig 5. Dashboard View

There are 3 dashboards so far: Login Events and Actions, Firewall Events, and Configuration Events and Actions. All three are designed to visualize what is happening in your environment.

  • Login Events and Actions
    • Count of Login/Actions events over time
    • vCenter Administrator Logins
    • vSphere Root Actions
    • Root Actions over time grouped by vmw_subTask
    • Count of vCenter Logins by Username
    • Count vSphere Actions by Username
    • Count vSphere Actions by Username and Hostname
  • Firewall Events
    • Count of Firewall events over time
    • Count of FW events over time grouped by source
    • Count of FW events over time grouped by hostname
    • Count of FW events over time grouped by hostname, vmw_vse_fw_status
  • VM Configuration Changes
    • Count of Change Events grouped by vc_event_user
    • Count of Modify Events grouped by vc_event_user, device_type
    • Count of Device Added grouped by vc_event_user, device_added
    • Count of Deleted Devices grouped by vc_event_user, device_deleted
    • Count of Change events grouped by vc_event_user, config_type
    • Count of Modify Events
    • Count of Add Events
    • Count of Delete Events
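
To make the "count by username / hostname" widgets concrete, here is an added example (my own code, not part of the content pack or the original post) that runs the same kind of aggregation over a handful of constructed, syslog-like sample lines. The line format and the set of privileged accounts are assumptions for the demonstration, not the real vCenter/ESXi log layout.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed "<host> <source>: <event> user=<name>"
# shape. They are NOT real vCenter/ESXi output, just input for the demo.
SAMPLE_LOGS = """\
esx01.lab hostd: login user=root
esx01.lab hostd: action=VmReconfigure user=root
esx02.lab hostd: login user=admin
vc01.lab vpxd: login user=administrator@vsphere.local
esx02.lab hostd: action=VmDeviceAdd user=root
esx01.lab hostd: login user=backup
vc01.lab vpxd: login user=jdoe
""".splitlines()

# Accounts treated as privileged for the "Administrator Logins" view (assumed).
PRIVILEGED = {"root", "administrator@vsphere.local"}

LINE_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<source>\S+):\s+(?P<msg>.*?)\s+user=(?P<user>\S+)"
)

def parse(lines):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def count_logins_by_user(lines):
    """Same idea as the 'Count of vCenter Logins by Username' widget."""
    return Counter(e["user"] for e in parse(lines) if e["msg"] == "login")

def root_actions_by_host(lines):
    """'Count vSphere Actions by Username and Hostname', restricted to root."""
    return Counter(e["host"] for e in parse(lines)
                   if e["user"] == "root" and e["msg"].startswith("action="))

def admin_logins(lines):
    """'vCenter Administrator Logins': which privileged accounts logged in where."""
    return [(e["host"], e["user"]) for e in parse(lines)
            if e["msg"] == "login" and e["user"] in PRIVILEGED]

def unexpected_users(lines, allowed):
    """Compliance view: users seen in the logs that are not on the allow-list."""
    return sorted({e["user"] for e in parse(lines)} - set(allowed))
```

The last function is the compliance angle from the Use Case section: compare who actually showed up in the logs against the accounts you expect, and treat anything outside that set as something to investigate.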

Summary

I hope this is useful for you and that you test it in your existing environment. Or you start with vRealize LogInsight today to enhance the visibility into your system.

Check out how easy it is to deploy vRealize LogInsight into your system with this short video.

Have some fun with vRealize LogInsight and your endless creativity!