VMware made a surprise entry into the data center log consolidation and analysis market in early June with its new product, vCenter Log Insight. The product is a result of VMware’s acquisition of Pattern Insight in August 2012. While the data center log consolidation and analysis space is already crowded with products from such companies as Splunk, LogRhythm, Sumo Logic and Loggly, VMware’s product stands out because of Log Insight’s integration with vSphere and vCenter Operations Manager. This integration, combined with VMware’s ability to upsell Log Insight with future vSphere and vCloud enterprise license agreements, will push adoption. Log Insight has a lot to offer VMware and data center admins. Let’s look at how it works and how it might help you.
How Log Insight works
Log Insight is a virtual appliance that you deploy in your vSphere virtual infrastructure (you need a vSphere infrastructure to use it). The virtual appliance contains the Log Insight application and database, installed on a SUSE Linux operating system. This easy-to-use virtual appliance deployment is a significant advantage over the competition.
VMware claims that the “secret sauce” of Log Insight is the design of the underlying database. Thanks to the just-in-time schema definition of the Log Insight database, it can ingest syslog data from hundreds of syslog agents and store the unstructured data without modifying the database.
With a slick HTML5 Web interface, Log Insight serves as a syslog server for any device that sends it log data. Log Insight integrates with your vCenter server to learn about your virtual infrastructure.
Log Insight gives a visual representation of what’s going on with dashboards made up of widgets that represent custom graphs of log events from your virtual infrastructure (or any other device that you opt to send syslog data from). Log Insight includes a vSphere dashboard, and you can create your own custom dashboards based on saved queries.
These custom dashboards, alerts, extracted fields and saved queries can be exported and shared with other Log Insight users. Even better, from the perspective of a VMware admin, you can import content packs shared by other users or from hardware vendors. For example, there might be an EMC storage content pack or Cisco device dashboard. Any vendors whose products create and send syslog data could benefit from creating their own dashboard.
Use cases for VMware Log Insight
Common use cases for Log Insight include the following:
- Log consolidation to prevent data loss
- Monitoring vSphere and other servers, storage or network devices in the data center
- Troubleshooting vSphere or other data center infrastructure
- Security auditing and compliance
While these are the most common use cases (and use cases that VMware says it will continue to support with improved functionality in later versions), Log Insight is a syslog server, log consolidation tool and log analysis tool that works for any type of device that can send syslog data. For example, you can send Cisco router/switch syslogs, storage area network syslogs, Linux server syslogs and even Windows Server syslogs (if you install a syslog agent) to Log Insight. With that data, you can perform interactive analysis in the Log Insight console, allowing you to search and filter that data to find the unique and important information. You can save a query from those search results, use it to configure an alert and add it to a Log Insight dashboard for future monitoring.
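The following is an added illustration, not VMware's code and not a description of Log Insight's internals, of the general idea behind the just-in-time schema and the search, saved query and alert workflow described above: raw syslog lines are stored unchanged, fields are extracted only when a query runs, and an alert is a saved query with a threshold. The sample log lines, field names and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real data); stored exactly as received.
RAW_EVENTS = [
    "<38>Jun 11 09:14:02 esx01 sshd[2211]: Failed password for root from 10.0.0.5 port 50122 ssh2",
    "<38>Jun 11 09:14:05 esx01 sshd[2211]: Failed password for root from 10.0.0.5 port 50123 ssh2",
    "<38>Jun 11 09:14:09 esx02 sshd[887]: Failed password for admin from 10.0.0.5 port 50130 ssh2",
    "<38>Jun 11 09:15:40 esx02 sshd[901]: Accepted password for admin from 10.0.0.9 port 41000 ssh2",
    "<14>Jun 11 09:16:00 sw-core01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
]

# Extracted fields are regexes applied at query time; adding one needs no
# change to the stored events. Field names here are hypothetical.
FIELDS = {
    "host": re.compile(r"^<\d+>\w{3} +\d+ [\d:]{8} (\S+)"),
    "src_ip": re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b"),
    "user": re.compile(r"password for (\S+)"),
}

def extract(line):
    """Return the fields that match this line; a line may match none."""
    out = {}
    for name, rx in FIELDS.items():
        m = rx.search(line)
        if m:
            out[name] = m.group(1)
    return out

def run_query(events, text, group_by):
    """Saved query: full-text filter, then count by an extracted field."""
    counts = Counter()
    for line in events:
        if text in line:
            value = extract(line).get(group_by)
            if value is not None:
                counts[value] += 1
    return counts

def alert(events, text, group_by, threshold):
    """Alert: field values whose event count reaches the threshold."""
    hits = run_query(events, text, group_by)
    return sorted(v for v, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(run_query(RAW_EVENTS, "Failed password", "src_ip"))
    print(alert(RAW_EVENTS, "Failed password", "src_ip", 3))
```

Because the field definitions live outside the stored events, a device type with a new message format only needs a new regex, which is the same property that lets shared content packs add fields and dashboards without touching the data already collected.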
Log Insight is currently in beta and is expected to be released during the third quarter of 2013. VMware said it expects to charge $200 per monitored operating system or per monitored device. Not only is it unique because it’s tailored toward vSphere, but it’s also designed to handle real-time analysis on massive amounts of unstructured log data and allow you to search and filter it quickly.
You can evaluate Log Insight at the VMware vCenter Log Insight beta community.