Integrating Log Insight Alerts into vSphere with Operations Management

vRealize Log Insight for vCenter is a fantastic utility all on its own. However, when you combine it with the power of vSphere with Operations Management, you really get some fireworks! Alerting is one of the areas where this dynamic combination shines, because Log Insight can take any query and send the matching data as an alert to vRealize Operations Manager!

Here is an example of what an alert sent from Log Insight to vRealize Operations Manager, which is included as part of vSphere with Operations Management, looks like:

vROps Alert View from Log Insight Integration

The above alert contains both information forwarded from Log Insight and some automatically integrated objects from vRealize Operations Manager. First, we can see that the alert was received from Log Insight and that an SSH session was detected starting on the given host. We can also see a custom description and recommendation, which happens to include sample links for both internal and external resources. Furthermore, in the symptoms section, there’s the actual source event for the alert. The event shows us additional information such as the IP address where the session originated and the exact timestamp of when it occurred. Lastly, the ‘More Information’ section can be used to further diagnose the object, within the respective areas, in vRealize Operations Manager.
Example: Clicking ‘View additional metrics’ would take us to the ‘All Metrics’ tab.

We will now walk through how these alerts can easily be set up in Log Insight.

Log Insight Alert Configuration

Log Insight alerts can be created against any event Log Insight receives. To keep it simple, we will repeat the process to create the example alert from the above section.

To begin creating an alert, we will first want to log into our Log Insight instance. From there, head over to the ‘Interactive Analytics’ tab.

Log Insight Interactive Analytics Dashboard

We will then want to search for the event of ‘sshd accepted’.
Note: The time frame may need to be modified to find events for the specific query. In this instance, I changed the timeframe to be ‘Latest 6 hours of data’.

Log Insight Event Query

The events returned have a specific event type ID. We will want to create a filter based on that specific ID, so that other events cannot trigger a false alert. To create the event filter, click the blue ‘event_type’ link. This pops out a menu where we can create a filter. We then select ‘Events Like This’ within the ‘Add Filter’ section.

Log Insight Event Filter Creation

The view will refresh after adding the new filter based on the event type. At this point, we are ready to create the alert. Click on the ‘Alert’ icon (red bell) and then select the ‘Create Alert from Query’ option.

Log Insight Alert Creation from Query

We are now greeted with the ‘New Alert’ screen. Here we will customize the alert with things such as a new name, description, recommendations, as well as where and how often the alert should be sent.

Each setting can be filled in as follows:

  • Name: Here we will want to enter the desired alert name of ‘Host: SSH Session Started’
  • Description: Enter a description that makes sense; in this case we used ‘An ESXi host has started an SSH session. This action should be inspected as soon as possible’
  • Recommendation: This section can then be used to enter further information such as any instructions, web links to either internal or external URLs, and so forth.

NOTE: Clicking the blue ‘Edit’ link beneath each of the following sections will allow for a WYSIWYG (what you see is what you get) editor to allow for the inclusion of text formatting, web links, bullets, and numbered lists.

After populating those sections, we will want to focus on the ‘Notify’ area. Here we want to configure the alert to send the notification to vRealize Operations Manager. We do this by clicking the indicated checkbox.

Once checked, there are a few new configuration options available to us.

  • Failback Object: configures the alert for a specific item within vRealize Operations Manager
    • Example: Log Insight sees the object as an IP address while vRealize Operations Manager sees the object as a DNS name. The alert can be configured to point to the proper object.
  • Criticality: none, info, warning, immediate, or critical
  • Auto Cancel: cancels the alert automatically after 10 minutes

The last section we will want to configure is the ‘Raise an alert’ area. Here we choose how Log Insight handles the first match and any subsequent matches. The options are to forward an alert to vRealize Operations Manager on every match, only when a match is new within a set period of time, or only when a specific number of matches is found within a specific amount of time. In this example, we will leave the setting on the default of ‘On any match’.

Clicking ‘Save’ will then create the new alert!

Log Insight New Alert Creation
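As an added example (not code from the original post or from VMware), here is the same detection logic run offline over constructed ESXi sshd log lines: it keeps only the ‘Accepted’ sshd event type, as the ‘Events Like This’ filter above does, and builds an alert carrying the name, description, criticality and source event configured in the steps above. The log line format, host names and IP addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not from the original post); the format is a
# simplified approximation of ESXi sshd output, and hosts/IPs are placeholders.
SAMPLE_LOG = """\
2016-05-10T14:02:11Z esx01.lab.local sshd[12345]: Accepted keyboard-interactive/pam for root from 192.0.2.25 port 51234 ssh2
2016-05-10T14:02:15Z esx01.lab.local sshd[12345]: Failed password for root from 198.51.100.7 port 40222 ssh2
2016-05-10T14:03:40Z esx02.lab.local sshd[6789]: Accepted publickey for root from 192.0.2.31 port 50011 ssh2
2016-05-10T14:04:02Z esx02.lab.local sshd[6789]: Disconnected from 192.0.2.31 port 50011
"""

# Mirrors the "Events Like This" filter: only the "Accepted ... for <user> from <ip>"
# event type should raise the alert; failed logins and disconnects are ignored.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

@dataclass
class Alert:
    name: str
    host: str
    criticality: str
    description: str
    source_event: str   # the symptom shown in vRealize Operations Manager
    source_ip: str
    timestamp: str

def accepted_sessions(log_text):
    """Return one regex match per 'sshd accepted' event; other sshd events are dropped."""
    return [m for m in (ACCEPTED_RE.match(line) for line in log_text.splitlines()) if m]

def build_alerts(log_text, criticality="warning"):
    """Turn each matching event into the alert shape configured in the post."""
    alerts = []
    for m in accepted_sessions(log_text):
        alerts.append(Alert(
            name="Host: SSH Session Started",
            host=m["host"],
            criticality=criticality,
            description="An ESXi host has started an SSH session. "
                        "This action should be inspected as soon as possible",
            source_event=m.string,
            source_ip=m["ip"],
            timestamp=m["ts"],
        ))
    return alerts

if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG):
        print(f"{a.criticality.upper():9}{a.name} on {a.host} from {a.source_ip} at {a.timestamp}")
```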

Alerts in vRealize Operations Manager

We have now created the alert, so we should take a look at how it appears in the vRealize Operations Manager console.

Here’s how the alert will show up in the ‘Recommended Actions’ dashboard:

Log Insight inside vR Ops Dashboard

If we click on the alert, we arrive at the alert page we viewed at the top of this post.

Summary

As shown above, combining the power of vSphere with Operations Management with Log Insight for vCenter allows for some terrific integration. This continues to make vSphere environment operations activities like discovery, diagnosis, and root cause analysis that much easier!

Download your free copy of vRealize Log Insight for vCenter today for use with vSphere with Operations Management!

The post Integrating Log Insight Alerts into vSphere with Operations Management appeared first on VMware vSphere Blog.