VMware vRealize Log Insight is a log analyser that can receive logs from regular syslog (so from every device that can send syslog over the network) and from agents for Windows and Linux. Almost every device can be configured to send logs to it, and it can be used for quick and easy operational tasks, giving you a full picture of your environment.

Inside Log Insight, you can install (or create your own) content packs. These content packs are a way to create dashboards with filtered data. The filtering is usually done by queries to the Log Insight search engine and is targeted at a specific product whose data you want to see, for example: DRS actions, storage alerts, virtual machine snapshotting, etc. If it is logged to Log Insight, you can create a query to get it.

One of these content packs is for VMware NSX, released by VMware a few months ago. You can get it here.

In the NSX content pack, there are pages to troubleshoot or check on the entire NSX installation itself, logical switch audits and alerts, distributed logical router audits and events, layer 2 bridge messages, distributed firewall alerts and real-time traffic logs, and NSX Edge messages.

The distributed firewall traffic logging in particular is an awesome tool for debugging network traffic in real time. See the top sources and destinations, what traffic is being passed and blocked on a per-packet basis, and other useful stuff. Having the NSX content pack in Log Insight is a must for any network that has NSX running.

Installing the NSX content pack itself is a piece of cake, so I won't go through that one. What is interesting though, is the configuration inside NSX required to have every NSX component log to Log Insight. Yes, I'm afraid it's not just switching on a single option or a single button.

There are a few things that can generate syslog messages in NSX: the NSX Manager, the NSX Controllers and the NSX Edges. These all have separate syslog settings and there's no global template, so you have to go through them all. The NSX Manager and NSX Controllers shouldn't be a problem: just configure the syslog settings 4 times (1 Manager, 3 Controllers) and you're done. However, the number of NSX Edges can be pretty dynamic, as your users can deploy one on demand.

To ensure all components are using the same syslog settings, I've created a PowerShell script to go through the NSX Manager, Controllers and all Edges and configure a syslog server.

You can find this script in my GitHub repository.

To use it, change the variables at the top of the script to match your environment: your NSX Manager login details and syslog server details:

$NSX_Manager_IP = "nsxmanager.myurl.nl"
$NSX_Manager_User = "admin"
$NSX_Manager_Password = "mysecretnsxpassword"

$LOG_Server = ""
$LOG_Port = "514"

After you've changed the variables, run it and everything should start logging. Depending on how dynamic your NSX environment is, you should run this periodically. You can put it in a scheduled task to automatically have new NSX Edges log to your syslog server.
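Because the Edges are the dynamic part, a scheduled run is more useful if it first checks what each Edge is currently logging to and only pushes the setting where it is missing. The snippet below is an added example and not the script from my repository; it assumes PowerShell 7 (for -SkipCertificateCheck and -Authentication) and the NSX-v 6.x REST endpoints named in the comments, and it prompts for the password instead of keeping it in the file.

```powershell
# Added example (not the author's script): audit which NSX Edges already send
# syslog to $LOG_Server and apply the setting only where it is missing.
# Assumes PowerShell 7 and the NSX-v 6.x REST API paths named below.
$NSX_Manager_IP = "nsxmanager.myurl.nl"
$LOG_Server     = "loginsight.example.invalid"   # constructed placeholder
# Prompt for the password rather than storing it in the script file.
$Cred = Get-Credential -UserName "admin" -Message "NSX Manager password"

function Invoke-NsxApi {
    param([string]$Method, [string]$Path, [string]$Body = $null)
    $params = @{
        Method         = $Method
        Uri            = "https://$NSX_Manager_IP$Path"
        Credential     = $Cred
        Authentication = 'Basic'
        ContentType    = 'application/xml'
        # NSX Manager ships with a self-signed certificate; replace it with a
        # trusted one and drop this switch when you can.
        SkipCertificateCheck = $true
    }
    if ($Body) { $params.Body = $Body }
    Invoke-RestMethod @params   # XML responses come back as [xml] objects
}

# Desired Edge syslog configuration (PUT /api/4.0/edges/{edgeId}/syslog).
$edgeSyslog = @"
<syslog>
  <enabled>true</enabled>
  <protocol>udp</protocol>
  <serverAddresses><ipAddress>$LOG_Server</ipAddress></serverAddresses>
</syslog>
"@

# GET /api/4.0/edges lists every Edge as an <edgeSummary> (assumed layout:
# pagedEdgeList/edgePage/edgeSummary). For each one, compare its current
# syslog targets with $LOG_Server and fix the ones that have drifted.
$edges = (Invoke-NsxApi GET '/api/4.0/edges').pagedEdgeList.edgePage.edgeSummary
foreach ($edge in $edges) {
    $id      = $edge.objectId
    $current = (Invoke-NsxApi GET "/api/4.0/edges/$id/syslog").syslog
    $targets = @($current.serverAddresses.ipAddress)
    if ($current.enabled -eq 'true' -and $targets -contains $LOG_Server) {
        Write-Host "$id ($($edge.name)): already logging to $LOG_Server"
    } else {
        Write-Host "$id ($($edge.name)): targets [$($targets -join ',')] -> setting $LOG_Server"
        Invoke-NsxApi PUT "/api/4.0/edges/$id/syslog" $edgeSyslog | Out-Null
    }
}
```

The NSX Manager and Controllers use different endpoints (the appliance-management syslogserver and the per-controller syslog resource), so handle those separately; this loop only covers the Edges that come and go.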

Good luck!
