Forward OCVS SDDC Logs To vRealize Log Insight Cloud

The July release of vRealize Log Insight Cloud added support for Oracle Cloud VMware Solution (OCVS) log sources. In this blog, I describe the procedure to forward logs from an OCVS SDDC.

What is Oracle Cloud VMware Solution (OCVS)

Oracle Cloud VMware Solution allows you to create and manage VMware-enabled software-defined data centers (SDDCs) in Oracle Cloud Infrastructure. All provisioned private clouds have vCenter Server, vSAN, vSphere, and NSX-T. For more details, you can refer to the official documentation.

Logs from OCVS are now available in vRealize Log Insight Cloud. This enables the following use cases for customers:

Audit Use Cases

  1. vCenter and ESXi Hosts Audit Logs for security compliance
  2. Virtual Machine Logs for vMotion tracking

Diagnostic Use Cases

  1. NSX-T firewall packet logs to troubleshoot firewall misconfigurations during migration, new workload rollouts, and day 2 operations.
  2. Filtering and forwarding logs for centralized Data lake or SIEM solutions for threat prevention, threat detection, incident management, and machine learning.

Pre-requisites 

  1. A resolvable hostname for the Cloud Proxy. For more details, you can refer to the documentation.
    • It should be resolvable from vCenter and ESXi hosts in the OCVS SDDC
    • In our environment, we have it in the same VCN domain name as the SDDC
  2. A Cloud Proxy VM deployed within the OCVS SDDC. It requires outbound access over HTTPS through the firewall to the following URLs. For more details, you can refer to the documentation.
    • *.vmware.com
    • symphony-docker-external.jfrog.io
    • ci-data-collector.s3.amazonaws.com
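
The outbound destinations above can be expressed as a firewall allowlist. The following added example (not part of the original post) checks observed egress destinations against that list and matches the wildcard on a DNS label boundary, so look-alike domains are rejected. The sample hostnames are constructed, and treating `*.vmware.com` as subdomains-only is an assumption.

```python
# Added example, not from the original post: egress allowlist check for the
# Cloud Proxy VM. The patterns are the URLs listed in the prerequisites.
ALLOWED_EGRESS = (
    "*.vmware.com",
    "symphony-docker-external.jfrog.io",
    "ci-data-collector.s3.amazonaws.com",
)


def normalize(host):
    """Lower-case and drop a trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def host_allowed(host, patterns=ALLOWED_EGRESS):
    """True if host matches an allowlist entry on a DNS label boundary.

    Assumption: "*.example.com" covers subdomains only, not the apex.
    """
    host = normalize(host)
    for pattern in map(normalize, patterns):
        if pattern.startswith("*."):
            suffix = pattern[1:]  # keep the dot: "evilvmware.com" must fail
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host and host == pattern:
            return True
    return False


def unexpected_destinations(hosts):
    """Destinations that the HTTPS egress rules should not permit."""
    return sorted({normalize(h) for h in hosts if not host_allowed(h)})


# Constructed hostnames, as they might appear in a firewall egress log.
SAMPLE_DESTINATIONS = [
    "logs.sample.vmware.com",
    "Symphony-Docker-External.jfrog.io.",
    "ci-data-collector.s3.amazonaws.com",
    "evilvmware.com",
    "vmware.com.attacker.example",
    "other-bucket.s3.amazonaws.com",
]

if __name__ == "__main__":
    for dest in unexpected_destinations(SAMPLE_DESTINATIONS):
        print("not on allowlist:", dest)
```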

Procedure

We will be performing the following 2 Syslog configurations to forward logs to vRealize Log Insight Cloud 

  1. Integrate vSphere with vRealize Log Insight Cloud
  2. Create a Node Profile with NSX-T

Integrate vSphere with vRealize Log Insight Cloud

Follow these steps to integrate vRealize Log Insight Cloud with vSphere to forward logs from vCenter and ESXi hosts. For the detailed procedure, you can refer to the documentation.

Step 1
Navigate to ‘Configuration -> vSphere Integration’ in vRealize Log Insight Cloud and click Add vCenter Server.

Step 2
Enter the required details in the dialog box, select the Cloud Proxy that is deployed in the Deploy a Cloud Proxy for vRealize Log Insight Cloud section, and click the required logs checkbox.

Step 3
Click Test Connection and Save.

Create a Node Profile with NSX-T

Follow these steps to configure a node profile with NSX-T to forward logs from NSX-T components such as Manager and Controllers. For the detailed procedure, you can refer to the documentation.

Step 1
Log in to NSX Manager and navigate to ‘System -> Fabric -> Profiles -> Node Profiles -> All NSX Nodes’ in the Name column. In the Syslog Servers section, click Add to add a Syslog server.

Step 2
Enter the Syslog configuration.

Step 3
Click Add to save the configuration. Once saved, the logs will start flowing into vRealize Log Insight Cloud.

Verify Logs

If everything is successful, you can search for logs using any of the following filters:

source contains <ip_of_vcenter>
source contains <ip_of_esxi_hosts>
source contains <ip_of_nsx_appliances>

vCenter Logs 

ESXi Logs 

NSXT Logs

 
