I am going to have to update our graphic on the rich set of VMware integrations we provide for both our Hitachi converged and storage platforms. The latest addition is the release of Hitachi Content Packs for VMware vRealize Log Insight (vRLI).
As you may know, VMware vRealize Log Insight delivers real-time log management for VMware environments, with machine-learning-based intelligent grouping and high-performance search and troubleshooting across physical, virtual, and cloud environments. vRLI imports and analyzes logs to provide real-time answers to problems related to systems, services, and applications, and to derive important insights. These logs are collected, analyzed through search filters and presented via dashboards that users can customize to their specific needs. Infrastructure logs are extremely rich in content that can be used to optimize and secure the environment.
Our content packs provide prebuilt dashboards and let Log Insight retrieve logs from Hitachi storage, compute and converged platforms. In short, admins configure syslog forwarding on the platform to point at the Log Insight IP address so that it receives the logs. From there, you can import the Hitachi content packs, which categorize all your storage and server events onto Log Insight's widget dashboards. The objective of our content packs is to present knowledge about a specific set of events in a layout that administrators and architects can easily understand and act on.
Let's walk through a typical scenario with our new content pack.
Case: You want to use vRLI to proactively provide up-to-the-minute updates when the following security events occur:
- Multiple failed login attempts into infrastructure resources
- Malicious activity
You would like to see how many failed login attempts occur when a user tries to access an infrastructure resource, such as a storage array or converged platform, and then determine what that user previously accessed, i.e. whether malicious activity is occurring in the infrastructure. The failed login attempts may simply be a user who forgot their password or kept entering it incorrectly, but they could also be a rogue external user trying to force entry into the infrastructure. You can dig deeper and search on what users actually did once they logged in and accessed infrastructure resources.
Let's step through it. The main dashboard highlights all the different events you can track: both the typical vCenter infrastructure resources and, once the content pack is loaded, the Hitachi infrastructure resources.
First, within the query field, search for “authentication” (i.e. we want vRLI to scan through all the Hitachi infrastructure logs and find the word "authentication").
We now see all of those log entries. You can start setting parameters to narrow the search. You have the option to set an exact time frame; in this case I set the field to 7 days.
The screenshot below shows a consolidated view. You get it by selecting the “Event Types” tab (boxed in orange on the left side). Selecting this tab combines all related occurrences into separate event types rather than listing each event one by one. The VM admin now sees every log event related to “authentication” in their environment in graphic form, in the bar chart above the search query, which shows the number of "authentication" events in the time frame you specified. The Fields section (highlighted in orange on the right side) displays the common categories found in each event; for example, appname, .., LoginResult, ... and Userid are typical fields in a log entry containing the word "authentication". These categories are what make up the data on each dashboard widget.
With this real-time information on userids exhibiting unusual authentication events, we can dig deeper into the logs and create a search filter on what those users were actually doing when they logged in and accessed infrastructure resources, such as storage infrastructure. The screenshot below is an example of a log summary dashboard showing users who were issuing delete commands under the category of storage configuration access. You can quickly determine visually which users have a high frequency of these activities in the time frame specified. The bar chart distinguishes the different users who logged on by color. One option I like is that you can save this specific event type as a filter for future use.
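The same two-step workflow the dashboards walk through above (count failed authentication events per user inside a time window, then pivot to the storage-configuration deletes issued by the users that stand out) can be expressed as a small script for offline checking of exported logs. This is an added example, not code from Hitachi or the content pack; the log line format, the `category`, `Action` and `Object` fields, the threshold of three failures and the fixed "current time" are all constructed assumptions, while `appname`, `LoginResult` and `Userid` are the field names the post mentions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic "timestamp key=value ..." syslog style, not real
# Hitachi output; field names follow the post (appname, LoginResult, Userid). Line 1 is old.
SAMPLE_LOGS = """\
2016-02-20T09:00:00Z appname=storage-array category=authentication LoginResult=Failed Userid=jdoe
2016-03-02T08:00:01Z appname=storage-array category=authentication LoginResult=Failed Userid=jdoe
2016-03-02T08:00:05Z appname=storage-array category=authentication LoginResult=Failed Userid=jdoe
2016-03-02T08:00:09Z appname=storage-array category=authentication LoginResult=Failed Userid=jdoe
2016-03-02T08:00:20Z appname=storage-array category=authentication LoginResult=Success Userid=jdoe
2016-03-02T08:01:00Z appname=storage-array category=storage-config Action=Delete Object=LDEV:0042 Userid=jdoe
2016-03-03T10:00:00Z appname=converged-platform category=authentication LoginResult=Failed Userid=asmith
2016-03-03T10:05:00Z appname=storage-array category=storage-config Action=Delete Object=LDEV:0099 Userid=asmith
"""
NOW = datetime(2016, 3, 8)  # constructed "current time" so the 7-day window is deterministic
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split one line into a timestamp plus its key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def failed_logins_by_user(events, since, threshold):
    """Count LoginResult=Failed authentication events per Userid inside the window."""
    counts = Counter(e["Userid"] for e in events
                     if e["timestamp"] >= since
                     and e.get("category") == "authentication"
                     and e.get("LoginResult") == "Failed")
    return {user: n for user, n in counts.items() if n >= threshold}

def storage_deletes_by_user(events, users, since):
    """Collect storage-configuration delete actions issued by the given users in the window."""
    deletes = defaultdict(list)
    for e in events:
        if (e["timestamp"] >= since and e.get("category") == "storage-config"
                and e.get("Action") == "Delete" and e["Userid"] in users):
            deletes[e["Userid"]].append(e["Object"])
    return dict(deletes)

def review(raw_lines, now=NOW, days=7, threshold=3):
    """Mirror the post's workflow: flag users over the failure threshold, then pivot to their deletes."""
    since = now - timedelta(days=days)
    events = [parse_line(line) for line in raw_lines]
    flagged = failed_logins_by_user(events, since, threshold)
    return flagged, storage_deletes_by_user(events, flagged, since)
```

With the sample data, `review(SAMPLE_LOGS.splitlines())` flags only jdoe (three failures inside the window; the February failure is excluded) and reports the one LDEV delete that user issued afterwards, while asmith's single failure stays below the threshold.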
There are many benefits to using vRealize Log Insight. Ideally, logs can and will be used proactively and in real time to provide early detection of security events, but there are also many possibilities for identifying infrastructure optimization opportunities or brownouts. An effective log management tool should not require a whole team of dedicated resources and should not incur high cost for the environment. vRLI solves many of these problems with an easy-to-use dashboard and search query, and Hitachi has augmented it with our content pack. This is another great integration that HDS customers can use, adding value alongside our other integrations.
Hitachi Storage Content Pack for VMware vRealize Log Insight is a no-charge adapter and can be downloaded from portal.HDS.com or the VMware Solution Exchange.
For additional information on vRLI please visit:
Need more information? Reach out to me or submit a request at http://www.hds.com/get-more-information/ , using “Content Packs for Log Insight” in the subject line.
I would like to acknowledge the contributions of Andrew Robles, who worked closely with engineering on this blog post.