Forward AVS SDDC logs to vRealize Log Insight Cloud

In the July release of vRealize Log Insight Cloud support for VMware Azure VMware Solution (AVS), log sources were released. In this blog, I describe the procedure to forward logs from AVS SDDC

What is VMware Azure VMware Solution (AVS) 

Azure VMware Solution (AVS) provides you with private clouds that contain vSphere clusters built from dedicated bare-metal Azure infrastructure. All provisioned private clouds have vCenter Server, vSAN, vSphere, and NSX-T. For more details, you can refer to the official documentation

Logs from Azure VMware Solution (AVS) are now available in vRealize Log Insight Cloud

Audit Use Cases

  1. vCenter and ESXi Hosts Audit Logs for security compliance
  2. Virtual Machine Logs for vMotion tracking 

Diagnostic Use Cases

  1. NSX-T firewall packet logs to troubleshoot firewall misconfigurations during migration, new workload rollouts, and day 2 operations.
  2. Filtering and forwarding logs for centralized Data lake or SIEM solutions for threat prevention, threat detection, incident management, and machine learning.

Options

To configure AVS to send logs to vRealize Log Insight Cloud, use either of the following methods:

  1. Event Hub – It is a fully managed, real-time data ingestion service. It can stream millions of events per second from any source to build dynamic data pipelines
  2. Storage Account(Blob Storage) – It is an object storage solution for the Azure cloud. We will be using it to save the NSG flow logs. You can use an existing account however I will be demonstrating how to create one as well

 

adsa

Notes –

  1. In both the options the Azure Function needs to be deployed in the same Azure subscription where AVS SDDC is deployed. It will mean there will be an additional cost for the same.
  2. Each option has its own quotas & limits. Please refer Azure documentation for the same

What is the vRLI Cloud Azure function? 

vRLI Cloud Azure Function – It creates an Azure function using a custom ARM Template that fetches logs from Event Hub or Blob Storage and forwards them to vRealize Log Insight Cloud. It has been open-sourced. For more details, you can refer to the github-repo. I will be demonstrating how to deploy this as part of this blog

Procedure

The following section includes step-by-step instructions to enable log forwarding of AVS SDDC to vRealize Log Insight Cloud via Event Hub 

Step 1 – Create an Event Hub

Navigate to instructions under log source on how to create Event Hub. 

https://www.mgmt.cloud.vmware.com/li/sources/details?id=eventhub

If you want to use an existing Event then you will need to use ARM template under Map an Event Hub. There are some additional configs to be done. This blog doesn’t cover that.

 

Step 2 – Configure diagnostic settings for AVS SDDC

From your Azure VMware Solution private cloud, select Diagnostic settings, then Add diagnostic settings.

In the Diagnostic setting, under Destination details,

  • Select the vmwaresyslog
  • Select Stream to an Event Hub

From the Event Hub namespace drop-down menu, choose where you want to send the logs, select, and Save.

 

Step 3 – Azure Event Hub Trigger to fetch logs from Event Hub

The Eventhub trigger starts a vRealize Log Insight Cloud function when an event is sent to an event hub event stream.

Navigate to the Functions section under the Functions tab of vRealize Log Insight Cloud Function (Name should start with \” VMwareLogsFunction\”) and click eventHubFunction

 

Click the Integration tab under the Developer section and then click Azure Event Hub Trigger to edit the trigger details

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Step 4 Verify Logs in vRealize LogInsight Cloud

If everything is successful you can search for logs using

event_provider contains AZURE_AVS

Related Articles

Monitor Azure NSG Flow Logs with vRealize Log Insight Cloud

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *