VMware Cloud Community
zaspam
Enthusiast

An honest opinion required...

Hi all,

I'm considering replacing my current syslog server (Kiwi syslog) with Log Insight.

I would like to hear an honest opinion on how adequate Log Insight is for a syslog replacement.

I am currently collecting events from a multitude of network devices (Cisco, Fortinet, etc.), a number of Windows Servers, Out-Of-Band management solutions (HP iLO, Dell iDRAC) and a small number of Linux VMs.

I export and archive events after 6 months onto an SMB share.

I would like to hear if Log Insight is a suitable solution, how it is licensed, what the possible caveats are, and any advantages or disadvantages.

Grateful in advance,


12 Replies
jpsider
Expert

We did an investigation a while back, and the reason we did not go with Log Insight at the time was due to the limitation on creating custom queries. I'm not sure of the current status, but if you want to create custom queries, be sure to research that.

sflanders
Commander

jpsider -- can you elaborate on what you mean by "creating custom queries"?

Hope this helps! === If you find this information useful, please award points for "correct" or "helpful". ===
jpsider
Expert

I will caveat with "when we reviewed the product"; I am unaware of any recent releases/changes to the tool.

Now on to the good stuff. When we had Log Insight ingest a bunch of logs, we were unable to correlate data across different types of infrastructure. At the time Log Insight was geared for retrieving logs/messages from VMware, not from my application or infrastructure. Basically there was no query language available for me to search on specific things across different types of logs.

zaspam
Enthusiast

So in your experience you would say that Log Insight is more VMware specific rather than a generalist solution?

Have you tried collecting logs from network devices?

sflanders
Commander

jpsider -- so by custom queries you mean query language. What query were you trying to build? Note LI has a natural language query language and works similarly to a database (though it is not one) -- you have search with filters (think database constraints), functions and groupings (think group by).

Can you also elaborate what you mean by correlate? Correlate by what?

sflanders
Commander

Note that Log Insight supports ingestion from syslog -- which most systems support today (VMware, non-VMware, physical, virtual, etc.). As of LI 2.0 it also supports an ingestion API (which can be used by the LI agent or anyone). If you are interested in additional ways to ingest events into LI, please let us know!

sflanders
Commander

zaspam -- LI is definitely not VMware specific, though it is best for VMware. What I mean is that it has native integration for vSphere and vR Ops, but it supports syslog and you will find a variety of content packs for physical (as well as virtual) network devices in the marketplace: VSX Home | Solution Exchange, including Cisco, Juniper, Brocade, Dell, Arista, Extreme, etc. I hope this helps!

jpsider
Expert

I will say that in our review of the product for our production environment it was not going to meet our needs at that time. I cannot argue that to be the case at this time, as we have not reviewed recent releases of the product.

When we reviewed the product we were interested in VMware logs and our custom Java application logs.

jpsider
Expert

Sure, we have a custom Java application that interacts with VMware. During our evaluation of the product nearly 2 years ago, we were unable to correlate events from VMware with events from our Java application. Part of that problem was log normalization: our timestamp format was different from VMware's, but in theory that should be overcomable by standardizing our logs. But again, at the time it was not user friendly. I assume by your statements that the product has improved.

sflanders
Commander

Thanks jpsider -- your insights are very helpful. I am just trying to ensure I understand the feedback because words/phrases like "custom queries" and "correlation" mean different things to different people :) Technically, both are possible in LI, but of course it depends on the specific use-cases and what features you are aware of / tried. For example, LI already normalizes timestamps (and has since version 1.0) so different formats between VMware logs and Java applications do not matter. For example see this post: Time in Log Insight: Events + Timestamps + Queries - SFlanders.net. In addition, LI has improved over time and now natively supports a timestamp parser on the client via the LI agent: Log Insight 3.0 Agents: Timestamp Parser - SFlanders.net. Long story short, I agree the product has evolved since you last tried it, but I also believe it already had capabilities such as custom queries and correlation. Of course, none of this is to say it fit your particular use-cases!

MichaelRyom
Hot Shot

Hi

Just want to give my opinion... Around three years back I had a project collecting log data from datacenter components. Working as part of a core datacenter team, my responsibility was the VMware platform, but the project was not centered around VMware but around the entire set of datacenter core infrastructure components. There were two reasons to collect data: first was security, we needed a way to search through events whenever a security incident was raised. Secondly, logs would be used for operational purposes: tracking, finding events, making correlations between different datacenter silos.

The networking team were already using Splunk, but due to a storage issue which generated millions of events/alerts in vCenter, when we tried to send logs to the network team's Splunk installation we got it to create a huge backlog of data not being indexed. We had learned two things: first, the amount of data that a VMware platform could generate can be quite large, and with major incidents the amount of data being logged could grow very much; the second thing was that buying a Splunk license would cost us more than a million looking at list prices. Given that we might have to buy more capacity up front than what was needed on a daily basis to account for growth during major incidents, as this would be where a syslogging solution would add most value, it seemed very expensive and hard to predict how large a license we would need to buy to always have data at hand.

But more so this would be a general issue and not so much a VMware issue. Think DDoS, worms, malware etc. All things that could grow the number of events through the roof and over our license limit to index data.

Given that most commercial syslog solutions are priced, licensed and built on the same open source tools, all were skipped (by the way Kiwi syslog, SolarWinds, vCenter syslog etc. are in my book useless in this context, due to the horrible search capabilities). Instead a solution called ELSA - GitHub - mcholste/elsa: Enterprise Log Search and Archive was chosen. The reasons were: high ingestion rate/scalable, a simple GUI which was easy to use and lastly pricing - free. The thought was that the money saved on a commercial license could easily make up for some of the work that needed to be done to make it useful in our context.

During the POC of ELSA, VMware released the first technical preview of Log Insight; naturally, being a VMware guy, I jumped in and tested it. Shortly after I started advocating to change our focus away from ELSA to Log Insight. The reasons being: high ingestion rate, promises of scalability, a very simple GUI yet highly customizable to our needs, dead simple to use, very low learning curve and pricing - not buying an amount of data to ingest, but buying a per-OSI license made the pricing very transparent and simple to scale. When version one of Log Insight was released we jumped on it and started a POC. And the rest, as they say, is history.

Environment is high-end enterprise, based on Cisco Nexus/ASA/PIX, HP Blades, F5 load balancers, VMware, HDS/IBM/EMC, NetBackup etc. 150 hosts, 3500 VMs running as a service provider/cloud service. Daily ingesting around 150GB of data.

When I compare Log Insight to Splunk, which I consider the de facto standard for enterprise syslogging, Log Insight is much easier to use, to customize (extract fields), and the concept of content packs/widgets is dead easy to work with and adds instant value, which you don't get with any solution that I know of.

Today I work as a consultant on Log Insight and vROps mainly. To give you an example of how Log Insight can be used to troubleshoot - I had a customer call me on a Sunday. They had deployed three new VMware hosts and they would spontaneously reboot, no core dump, no warning, no nothing. The next day, Monday, they were to insource IT operations from a large vendor. So off to a very bad start if they didn't get this fixed soon. As there was nothing to go on in vCenter, no alerts etc., I jumped into Log Insight and looked to see if there was anything in the logs on the hosts that rebooted, but no luck. I then turned away from looking at the hosts and started to look generally at the environment; one of the best places to start is to view the content pack called vSphere and select the Problems dashboard - there I could see there were a lot of storage related issues and that they were all on the new hosts. Looking at the dashboards around storage/SCSI in the same content pack revealed a lot of severe SCSI errors, FC frames failing CRC etc.

So I now knew where the problem was, so I compared the HBAs of new and old hosts and found that the new hosts were running at a higher speed than all the old HBAs. Talking to the customer revealed that this was a known configuration issue; the customer changed the speed of the HBA and the problem was gone!

So Log Insight didn't give me the answer, but then no other solution would have been able to do so for this issue. But what it did was point me to the error in the environment and helped me quickly understand the problem. The solution will most likely be different from case to case.

So content packs help you a lot, and can help you be more proactive. Content packs exist for Cisco ASA/Nexus, Windows, Linux, some applications like AD, Tomcat, etc.

If there is no content pack for a solution, it doesn't mean Log Insight can't be used, it just means that Log Insight works like every other syslog solution and just stores the data, and then you will be able to create your own fields, widgets, dashboards, alarms etc., or don't if that's not your use case.

All of what you have described can be done with Log Insight.

Hope this helps

Blogging at https://MichaelRyom.dk
zaspam
Enthusiast

I highly appreciate your opinion and I would like to say thanks for such an in-depth description, since I too will probably have to go through a similar evaluation scenario.

Thanks