Hello Everyone,
I recently deployed the vCenter Log Insight appliance and was able to start collecting log information for 6 ESXi 5.1 servers. However, it seems not all logs are being collected. I'm also unable to view these logs interactively.
In the dashboard I have set up, I am unable to view the following items below:
VMware Tools not running
Number of VMkernel Warning grouped by host
Number of VIM Faults grouped by (host, VIM fault type)
I know there are a number of events being logged in the vmkwarning file, but I am unable to see this in Log Insight.
Any ideas why I'm not collecting all logs?
vCenter Insight Version 1.0.4-1169900
Thanks,
Aries
Hey Aries,
Some questions for you:
1.) How did you configure your 6 ESXi 5.1 servers to send logs to Log Insight?
2.) How do you know that not all logs are being collected?
3.) What do you mean you are unable to view these logs interactively? Do you mean from the Interactive Analytics page? How are you trying to view them interactively (the more specific the better)?
4.) When you say you are unable to view certain chart widgets do you mean they are not returning results?
When configuring ESXi hosts to send logs to Log Insight, you need to be sure to configure the remote destination as well as the firewall (configure-esxi will handle both of these for you). In addition, if you are using TCP or SSL then you need to be aware that any connectivity issue between the ESXi host and a remote syslog destination will result in ESXi not sending remote logs without its syslog process being restarted (configure-esxi with the -r flag will handle this for you). Also note that some chart widgets may not display any results until a specific event occurs. One important thing to note is that only new logs since the remote syslog destination has been configured will be sent to Log Insight (i.e. not old logs). I hope this helps!
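An added example, not part of the thread or of VMware's tooling: a small Python check, run from any machine that can reach the collector, that sends one marker line to a loghost URL of the form passed to `configure-esxi -t`. It shows why UDP gives no feedback when a firewall or wrong port drops the message, while TCP/SSL reports a connection failure directly. The function names, the `loghost-check` tag and the `esxi-test` hostname are assumptions made for the example.

```python
import socket
import ssl
import sys
from urllib.parse import urlparse

def parse_loghost(url):
    """Split udp://host:port, tcp://host:port or ssl://host:port into its parts."""
    u = urlparse(url)
    if u.scheme not in ("udp", "tcp", "ssl") or not u.hostname or u.port is None:
        raise ValueError(f"expected udp|tcp|ssl://host:port, got {url!r}")
    return u.scheme, u.hostname, u.port

def build_test_message(hostname, text):
    """Minimal BSD-syslog-style line; PRI 14 = facility user (1) * 8 + severity info (6)."""
    return f"<14>{hostname} loghost-check: {text}\n".encode()

def send_test(url, hostname="esxi-test", text="connectivity probe", timeout=3.0):
    """Send one marker line. Returns (ok, note); ok only means the local send succeeded."""
    scheme, host, port = parse_loghost(url)
    msg = build_test_message(hostname, text)
    if scheme == "udp":
        # Connectionless: no error comes back if a firewall drops the datagram.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg, (host, port))
        return True, "udp: sent, delivery unconfirmed; search the collector for the marker"
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            if scheme == "ssl":
                # Certificate verification stays on; an untrusted collector cert fails here.
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(conn, server_hostname=host) as tls:
                    tls.sendall(msg)
            else:
                conn.sendall(msg)
        return True, f"{scheme}: connected and sent"
    except OSError as exc:
        return False, f"{scheme}: cannot reach {host}:{port} ({exc})"

if __name__ == "__main__":
    ok, note = send_test(sys.argv[1])
    print(note)
    sys.exit(0 if ok else 1)
```

After a UDP send, search Interactive Analytics for the marker text to confirm the line actually arrived.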
Hi,
1.) How did you configure your 6 ESXi 5.1 servers to send logs to Log Insight?
I used the method described in the admin guide, i.e. configure-esxi -u 'my-vc-user' -s myvc.mydomain.com -t udp://loginsight.mydomain.com:port. I have tried using UDP as the transport method and got the same results.
2.) How do you know that not all logs are being collected?
If I tail the vmkwarning log for any of the hosts that have been added to Insight, I can see events no longer than 2 hours old.
3.) What do you mean you are unable to view these logs interactively? Do you mean from the Interactive Analytics page? How are you trying to view them interactively (the more specific the better)?
Yes, this would be the interactive analytics. I assume this is a way to query for real time output, correct?
4.) When you say you are unable to view certain chart widgets do you mean they are not returning results?
Yes, for example, I know there are running VMs that do not have VMware Tools installed so they should show up, right?
I'm aware of having to reload the syslog and have done this multiple times in efforts to get the results above to display, but no luck.
Thanks for the help.
Aries
Hey Aries,
Are you seeing *any* log messages from the ESXi hosts you configured? Do you see log messages for some period of time and then they stop?
Hello,
Here's what I am able to view so far.
For ESX/ESXi Hosts are:
For SCSI/iSCSI and NFS:
I don't think all the logs are being redirected correctly. I should be able to view a lot more information.
Your thoughts?
Maybe not. First, what time range are you looking over? In my demo environment for the last 5 minutes I see less than you do for ESX/ESXi hosts. For the last 24 hours, I see the same as you for SCSI/iSCSI and NFS. It really depends on your environment and what logs are being generated. You will notice that many of the dashboard widgets have the word fail/failed/failure/etc in them (look at SCSI/iSCSI and NFS), if you are not experiencing any issues then many of the widgets will display no results - this is a good thing! Now, if you have a lot of environmental issues then perhaps many widgets do have results - this likely points to one or more problems that need to be addressed.
In regards to ESXi logs, your options for log forwarding are enabled or disabled. There is not an allow this file, but not that file. The configure-esxi script configures the remote syslog target for you and also ensures the firewall is configured properly on the ESXi host. If you have used it then the vSphere content pack is working as designed. You could try adding more devices to Log Insight or triggering some problems to validate the content pack is working.
Just following up, were you able to get this addressed?
