Installing vRealize Log Insight 4.5 for vCenter

I went to a VMUG User Conference in August and ran into an old colleague. We started catching up and compared environments. He said I needed to look into VMware vRealize Log Insight. That same day, I went to a session by Paul Woodward, Jr., who had Log Insight in his presentation. During Paul’s presentation, he said he uses Log Insight as a quick tool to diagnose issues because any customer with vCenter has 25 OSI licenses automatically. Who doesn’t like “free” stuff? I took this as a sign. I need to find out more about vRealize Log Insight.

Since version 3.3.2, VMware has given customers with a valid vCenter license a taste of Log Insight. The product is called VMware vRealize Log Insight for vCenter. This licensed product allows a customer to stand up one Log Insight appliance and bind it to one vCenter server. If you have two vCenter licenses, you will need to stand up a second Log Insight appliance. Log Insight for vCenter comes with 25 OSI licenses. These licenses allow you to monitor a range of devices. Those devices can be ESXi hosts, physical servers, VMs, or anything else that can run the agent or emits syslogs. This gives you some great flexibility. Perhaps you have a smaller vSphere environment with a couple of critical VMs. You can monitor your hosts plus those VMs. These licenses are limited in their functionality, but are pretty feature rich. Some high-level items missing that a customer might want are HA, Clustering or Custom Content. To get these features, you’ll need to purchase a full Log Insight license.

Below are the steps I took to stand up vRealize Log Insight for vCenter in my lab. You may follow these steps as well. If you like the product, are missing out on some of the extra features, or just need to buy more licenses, contact VMware. The purchased licenses will enable these features and you get to keep your 25 licenses.


There are some pre-reqs that must be met if you’re moving into production. I will not be using this in production. Instead, I want to put this in my lab, so I will not be meeting some of these pre-requisites. I will provide a quick link if you want to review them for yourself: here.

Installing vRealize Log Insight

  • Launch vSphere Client, select File > Deploy OVF Template
  • Follow the prompts
  • On the option for Deployment Configuration, select the option that best fits the environment from which vRealize Log Insight for vCenter will be collecting logs. The default of Small is auto-selected and the minimum supported production setup. I changed mine to Extra Small as this will be a lab. Plus, I don’t have an extra 510 GB of storage laying around the house.
    Note: Large deployments require an upgrade to the virtual hardware after deployment.

    Option        Log Ingest Rate   vCPU   Memory
    Extra Small   6 GB/day          2      4 GB
    Small         30 GB/day         4      8 GB
    Medium        75 GB/day         8      16 GB
    Large         225 GB/day        16     32 GB

    My deployment configuration:

  • On the Disk Format page, select a disk format. Thick Provisioned Lazy Zeroed is the default selection. This is a lab so I selected Thin Provision.
  • (Optional) On the Network Mapping, select the desired Destination Networks.
  • (Optional) On the Properties page, if you do not provide network settings like IP address, DNS address, and gateway, Log Insight will use DHCP to set those settings.
    • I like to use an IPAM and statically assign IP addresses for appliances. In my lab, I went ahead and configured all necessary network information.
    • On the Properties page, you can also set the root password near the bottom of the page. If you missed this option, you can use Remote Console once the VM is powered on and configure the password. root/{blank} are the default credentials.
  • Follow the prompts to complete the deployment. After you power on the virtual appliance, an initialization process begins. The initialization process takes several minutes to complete. At the end of the process, the virtual appliance restarts. This fooled me…be patient. (Automate) If you want to know how to deploy by command line, check out

Setup vRealize Log Insight

Now that our virtual machine is happy and is up and running, it’s now time to start the setup. This is where we’ll configure Log Insight to communicate with our vCenter. Here we go!

  • Use your favorite web browser and navigate to the IP address given in previous steps. Mine would be
  • When you hit the page for the first time, it will “Welcome” you (thank you) and prompt you to click Next.
  • Click START NEW DEPLOYMENT. This took some time…again…be patient.
  • Set the password for the admin account and click SAVE AND CONTINUE.
    (Optional) Email of the admin account.
  • On the License page, enter the license key. Click Add License. Next, click SAVE AND CONTINUE. According to this VMware KB2144909, you can use your existing vCenter 6.x or 5.x license key to monitor 25 hosts.
  • On the General Configuration page, put in the email address of those who will need to receive notifications. Click SAVE AND CONTINUE. (Optional) Keep the selected option to Join the VMware Customer Experience Improvement Program if you would like to participate.
  • On the Time Configuration page, enter your internal NTP time servers. Some NTP servers are given. Click Test to confirm communication. Click SAVE AND CONTINUE.
  • To enable outgoing email, configure this page. Click SAVE AND CONTINUE.


Ready to Ingest Some Data

Before you can have vRealize Log Insight for vCenter collect alarms, events and tasks you need to configure it to pull this information from your vSphere environment.

vRealize Log Insight can collect two types of data from vCenter Server and ESXi hosts.

  • Select Configure vSphere Integration from vSphere Integration.
  • Type the IP address and credentials for a vCenter Server, and click Test Connection. Note: It is recommended that you use a service account. This is a lab. I’m breaking the law and using administrator.
  • Click SAVE.

Final Thoughts

Once Log Insight is configured, it starts pulling log files from the end points. Past log files are not collected, only new log files that are generated. The UI looks modern and easy to navigate. The interactive dashboard is a little intimidating, but fast. I believe in certain environments the “free” version will be all they need.

Local Host Cache Events for XenApp/XenDesktop

I recently had an issue related to a database outage. Our broker servers were configured for Local Host Cache (LHC), but stopped brokering new connections when the database went down. You could see the events in the broker servers losing connection to the database, but you couldn’t see the LHC election process taking place or whether LHC was brokering connections versus the database. Is there supposed to be an event that says LHC has kicked in? Don’t know. To the Google’s!!

After a quick Google search, I stumbled across George Spiers’ website. In his blog he describes how LHC is supposed to work and goes into depth on each event and the ID that gets generated.

Yes, there is an event that gets generated when an election takes place. The event to search for is Event ID 3504. In addition, Event ID 3501 describes how LHC will be used over a database connection. According to the Citrix documentation, here, there are three main events to monitor and look for. None of those events are 3501. I was looking for an event for confirmation that LHC was working and brokering connections.

George goes into great detail of how Local Host Cache works and how it’s the preferred method in XenApp/XenDesktop 7.15 over the default setting of Connection Leasing in previous versions. Hit George’s site for more details.

Local Host Cache XenApp & XenDesktop

VMworld 2017 General Keynote Overview

General Session Day 1

CEO Pat Gelsinger went to the stage talking about daily expectations, from a one-year-old baby natively using a touch-only device like an iPad to a self-driving car and the experience going from wow to boredom. Every industry is being affected by these daily expectations. I believe the point Pat was making was that in today’s world we have new expectations and businesses need to adapt to them. All of the industries, banking, retail, telco, and healthcare, are changing. The leaders in these industries are embracing the digital transformation. Media industries like Netflix, HBO, and Comcast are offering digital content, and this new business is exploding and is expected to surpass traditional media next year.

Businesses need to reshape customer experiences with new and better applications. VMware is focused on delivering this new experience by focusing on any device, any application, on any cloud with keeping security in mind for each area. Workspace ONE was introduced and focuses on Apps and Identity, Management and Security, Desktop and Mobile. The newest addition to the device list is a partnership with HP Inc.

The partnership between VMware and Amazon AWS was introduced. Andy Jassy, CEO of AWS, was invited to the stage and talked about running any app on vSphere and moving it into AWS. Andy briefly talked about how customers feel like they have to draw a line in the sand to decide between running their application either in their private data center or in the public cloud on AWS. The partnership gives customers the ability to have both. This offering is only available in one Availability Zone in the west region today, but will be expanding to the east coast region and then globally, with a promise that before the end of next year all Availability Zones will have this offering. Administrators can use existing tools like vSphere to manage workloads in either environment. Presented was the ecosystem of early partners offering this hybrid service.

Networking is the underpinning that’s allowing VMware to work with other cloud companies like IBM Cloud, Virtustream, GCP, and Azure. “NSX is becoming the connective tissue that ties everything together”. NSX is also being stretched into other areas beyond cloud. Areas like microservices with Docker, Mobile and Desktop, and IoT.

Lastly, Pat talked about security and introduced the five pillars of cyber hygiene. This graphic shows how VMware is trying to make security an easier process to maintain. One of the new ideas introduced was using the compute layer to help with security. AppDefense was introduced to help in this new area. AppDefense will reach out to other areas like Puppet to get an idea of how the workloads are supposed to function and act. AppDefense will use machine learning and artificial intelligence to create a manifest for its own operations. At this time, the “VM can start monitoring itself and detect if its behavior deviates from good”. Lastly, it can automate responses by shutting off the VM, sending alerts, starting a pcap, or quarantining itself.

General Session Day 2

The second day introduced more partnerships. Michael Dell came on stage and he and Pat talked about the partnership between Dell EMC and VMware. Next, was a partnership introduced between Pivotal and Google and specifically working closer with Kubernetes. This new partnership for Pivotal was called PKS (Pivotal Container Service). NSX will be integrated into these new services.

The keynote showed a skit about an organization that was in disarray and needed to improve the business. The business failed PCI audits, their mobile app stinks, and the business wants to move faster. The skit showed an executive talking to an IT engineer. The exec promoted the engineer on the spot to VP of IT. Now all the headaches belonged to the new VP of IT.

This theme sets the table for the rest of the keynote. This gives the presenters the opportunity to present multiple services that VMware offers. Things like AppDefense to monitor and secure applications and compute. vRealize Operations to get an overview of environment and their data center capacity. Use VMware on AWS to expand capacity to the public cloud. VMware Network Insight to give network views for migration planning as well as micro-segmentation planning. Lastly, use vRealize Automation to help migrate the apps off on-prem data center to the newly provisioned services in AWS.


My takeaways from the two-day general keynotes were that there was a big focus on the partnership between VMware and AWS, as well as a focus on NSX. NSX is the core component that gives VMware the ability to migrate their workloads to any public cloud offering. VMware has worked hard at partnering with cloud providers like AWS, IBM, as well as Google Cloud Platform. It feels like NSX gives VMware the ability to extend their reach to these providers, but also gives the providers the chance to break into the enterprise data center. We’re early in making everything run in code, but it feels like things are going to take off very soon.

Day 1 video:

Day 2 video:

SRE : Site Resistant Engineer? System Reliable Engineer?

I recently listened to one of my favorite podcasts, Datanauts (here), and the hosts were talking with Rob Hirschfeld (@zehicle). Rob was on to talk about what an SRE is. Rob talked about how IT operations is just as important as development. Google recognized this importance by creating a new title called Site Reliability Engineer. Google even created a new VP of Operations, Ben Treynor (@btreynor), to give the SREs more backing to be able to say “no” to the development team when the team tried to push through a change.

Another point discussed during the podcast was that an SRE should only work on production-related tasks 50% of their time. The remaining time should be devoted to writing code and project work. This helps keep the team innovative by writing code to automate more and to help reduce technical debt.

Hearing this blew my mind! Work on only 50% of production! Work on tickets 50% of the time? Get outta here. My roles have primarily been in a systems administrator function and having the mindset about automation has been, “Fit it in when you can”. Which means, trying to juggle both the production issues and quickly script something to resolve the issue at the same time (Hear that? It’s technical debt calling). Like most people, it’s very difficult to do two things at the same time well. Changing that mindset to change your workload to allow more automation means faster recovery times, higher up-time for production, less technical debt, and using code to remove meaningless tasks for the business. (Doesn’t this sound like a “full stack” engineer?)

I was hooked!! I needed to find out more about this role and its function. I found a great YouTube video by Melissa Binde who’s the Director of Site Reliability Engineering at Google. She talks about hiring the right engineers who know architecture but also know code. Melissa goes on and confirms the 50% rule, but to keep engineers happy you give them project work and time to code. Melissa also introduced a new concept to me, Error Budget. There is no perfect system with an up time of 100%, not even at Google. Error Budget “provides a common incentive that allows both product development and SRE to focus on finding the right balance between innovation and reliability”. If a production service has an SLO (Service Level Objective) of 99.9% that service has an Error Budget of 0.1%. Product Managers and developers can keep pushing out features until production dips below that 0.1% budget. At that point, new features are stopped. This budget is monitored and reviewed quarterly.

Talk about another complete mind shift! Common ground for both Prod and Devs? WOW! You need to have good metrics and monitoring to get these concrete numbers. If not, I can see how this budget could get skewed.
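The error-budget arithmetic described above, worked through over a review window as an added example (it is not from the talk or the original post). The function name, the per-day `(total, failed)` sample format, and the choice to report days without metrics as gaps instead of counting them as error-free are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List, Optional, Tuple

@dataclass
class BudgetReport:
    allowed_failures: float      # failures the SLO tolerates for the observed traffic
    failed: int                  # failures actually observed
    consumed: float              # share of the budget used (1.0 = fully spent)
    exhausted_on: Optional[int]  # index of the day the budget ran out, if it did
    missing_days: List[int]      # days with no metrics: unknown, not "perfect"
    freeze_features: bool        # True once the budget is overspent

def error_budget_report(slo: float,
                        daily: List[Optional[Tuple[int, int]]]) -> BudgetReport:
    """daily holds (total_requests, failed_requests) per day, or None if no data."""
    if not 0 < slo < 1:
        raise ValueError("SLO must be a fraction such as 0.999")
    # Exact arithmetic: 1 - 0.999 is not exactly 0.001 in binary floating point.
    budget = 1 - Fraction(str(slo))
    missing = [i for i, d in enumerate(daily) if d is None]
    seen = [(i, d) for i, d in enumerate(daily) if d is not None]
    total = sum(d[0] for _, d in seen)
    failed = sum(d[1] for _, d in seen)
    allowed = budget * total     # judged against the whole window's traffic
    running, exhausted_on = 0, None
    for i, (_, f) in seen:
        running += f
        if exhausted_on is None and running > allowed:
            exhausted_on = i
    consumed = float(failed / allowed) if allowed else 0.0
    return BudgetReport(float(allowed), failed, consumed,
                        exhausted_on, missing, failed > allowed)

if __name__ == "__main__":
    # Constructed sample: five days at a 99.9% SLO, one day with no metrics.
    window = [(100_000, 20), (100_000, 30), None, (100_000, 300), (100_000, 10)]
    print(error_budget_report(0.999, window))
```

A day with no data shows up in `missing_days` instead of quietly improving the ratio, which is the kind of skew the paragraph above is worried about.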

What I learned is operations is hard no matter what organization you work for. Operations want to automate away those meaningless tasks and keep a solid, working environment. Devs want to roll out new features into production. Development and operations need a common goal and it seems like Error Budget is a possibility. To achieve all this, a mind shift needs to happen. It sounds like Google has laid down some good pieces to a path we can all take away.

Melissa Binde’s discussion at GCP 2017:

Ben Treynor SRECon 2014