VMware vRealize Log Insight gathers logs from ESXi hosts and VMs in your virtual and physical environments. The product is extensible via content packs available in the VMware marketplace. In this post, we'll show you how to use it not only as the main collector for your infrastructure but also with the content pack for Microsoft Windows.

vRealize Log Insight enables you to visualize and analyze event information that is extracted from VMware products and other sources. It can manage both structured and unstructured data. The product is also able to perform complex analytics, searches, and real-time monitoring, and it uses machine learning techniques for predictions and what-if scenarios.

Log Insight collects data using one of two feeds, as follows:

  • The Syslog protocol, which uses UDP or TCP over port 514 or TCP (SSL) over port 1514.
  • The vRealize Log Insight Ingestion API, which uses TCP over port 900 or TCP (SSL) over port 9543.

In our case, we just wanted to see how we could use this product with some Windows Servers.

VMware has a content pack for Microsoft Windows, which is used to create a server group. The group ensures that every time a Windows Server has the agent installed, the agent picks up the settings from the server and forwards its logs. Otherwise, we would need to configure each agent.ini file manually, which is time-consuming.
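Whether an agent gets its settings from a group or by hand, the transport choice described above (plain TCP versus SSL) ends up in the agent's configuration file. The PowerShell below is an added example, not code from the original post or from VMware: it audits the `[server]` section of that file for cleartext or unvalidated transport. It assumes the file is the Windows agent's `liagent.ini` at its documented default path and uses the agent's documented keys `proto`, `port`, `ssl`, and `ssl_accept_any`; the function names and the sample content are constructed for illustration.

```powershell
# Added example: audit the [server] section of a Log Insight agent's liagent.ini.
function Get-LiAgentServerSettings {
    param([string[]]$Lines)
    $section  = ''
    $settings = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        # Skip blank lines and ';' comments
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].Trim().ToLower(); continue }
        if ($section -eq 'server' -and $line -match '^([^=]+)=(.*)$') {
            $settings[$Matches[1].Trim().ToLower()] = $Matches[2].Trim()
        }
    }
    return $settings
}

function Test-LiAgentTransport {
    param([hashtable]$Settings)
    # SSL ports as given on this page: 9543 (Ingestion API) and 1514 (syslog).
    $sslPorts = @{ cfapi = '9543'; syslog = '1514' }
    $ssl   = "$($Settings['ssl'])".ToLower()
    $proto = "$($Settings['proto'])".ToLower()
    $port  = "$($Settings['port'])"
    $findings = @()
    if ($ssl -eq '') {
        $findings += 'ssl is not set; the agent version default applies, so set ssl=yes explicitly'
    } elseif ($ssl -ne 'yes') {
        $findings += "ssl=$ssl; logs leave this host in cleartext"
    }
    if ("$($Settings['ssl_accept_any'])".ToLower() -eq 'yes') {
        $findings += 'ssl_accept_any=yes; any server certificate is accepted'
    }
    if ($ssl -eq 'yes' -and $port -ne '' -and $sslPorts.ContainsKey($proto) -and $port -ne $sslPorts[$proto]) {
        $findings += "port=$port is not the SSL port for proto=$proto ($($sslPorts[$proto]))"
    }
    return $findings
}

# Constructed sample; on a host, read the real file instead, e.g.
# Get-Content 'C:\ProgramData\VMware\Log Insight Agent\liagent.ini'
$sample = @'
[server]
hostname=loginsight.example.test
proto=cfapi
port=9543
ssl=yes
ssl_accept_any=yes
'@ -split '\r?\n'

Test-LiAgentTransport (Get-LiAgentServerSettings $sample)
```

An empty result means none of the three checks fired; it does not confirm that the server certificate chains to a CA you trust.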

I assume that you know how to download and install vRealize Log Insight. It's distributed as a standard OVA file that is imported into vCenter Server. All you have to do is configure networking.

Once you have vRealize Log Insight up and running, just go to the Content pack section and do a search for "Windows." You should find the content pack there. You'll have to have an internet connection enabled. The content pack is a free download.

Install Windows content pack


While there, you can click the Enable auto-update for all agents button. This will generate a setting with a preselected checkbox for the deployment.

Enable auto update for agents


Then, on the Administration tab, you'll need to click Agents in the left column and then click the down arrow next to All Agents.

Once done, you'll find "Microsoft - Windows" in the list.

Look for Microsoft Windows


Then, on the right, click the double box icon to copy the template and navigate to the Content Pack menu in Log Insight.

Copy agent group


Click the Import Content Pack button. In the Import Content Pack menu, do this:

Click the Browse button, and select the content pack you are trying to import. Then select the Install as content pack option and click Import.

Now, we can configure the filter to find the Windows Server. In my lab example, I picked "OS," "Matches," and "Microsoft Windows Server 2016 Datacenter."

Click the Save New Group button.

Create a new group for agents


The group I have created includes Windows Server machines. We can go ahead and install the agent on the Windows Servers, and each installation will have the identical configuration.

Install the Windows Agent

You can choose to install the Windows agent manually or by using GPO if you're in a Microsoft Active Directory (AD) environment.

Log in to the Windows machine on which you want to install the vRealize Log Insight Windows agent.

Change to the directory where the vRealize Log Insight Windows agent .msi file resides (perhaps a Windows share on a file server).

Double-click the vRealize Log Insight Windows agent .msi file, accept the terms of the License Agreement, and click Next.

Install the agent on a Windows Server


The IP address or host name of the vRealize Log Insight server is automatically populated, so simply click Install. After a few seconds, it is done.

The wizard installs or updates the vRealize Log Insight Windows agent as an automatic Windows service under the Local System service account. If the box already has the agent installed, you will need to restart the agent or do a reinstallation.

Click Finish. You should see the agents within the Administration > Agents user interface.

All agents can be found within the UI


Final words

You can place the MSI file of the agent on a share and use GPOs to deploy it in your environment if you have other Windows machines to monitor. The MSI file has its settings configured to send logs directly to the Log Insight server.

You can configure logs being sent from virtual machines or physical hosts if you still have any within your environment. vRealize Log Insight can collect logs from Windows, Linux, vCenter Server, or ESXi hosts. The product is highly scalable and can work in clusters if there are large vSphere environments.

The product supports multitenancy with role-based access control (RBAC) and provides an internationalization/localization UI.


During deployment of the vRealize Log Insight virtual appliance, you can select from preset configuration sizes that best match your existing environment and your ingestion requirements.




© 4sysops 2006 - 2022

