Azure VMware Solution integration with VMware Aria Operations for Logs Cloud service
Overview
VMware Aria Operations for Logs (formerly vRealize Log Insight and vRealize Log Insight Cloud) is a log management solution that provides visibility across physical, virtual, and cloud environments. It enables you to search and analyze logs in real time, and it provides a scalable platform for managing log data. VMware Aria Operations for Logs can be deployed on-premises or in the cloud. The cloud version is a SaaS offering that is hosted and managed by VMware.
In this post, we will see how to collect logs from Azure VMware Solution (AVS) and use Azure Event Hub to forward them to the VMware Aria Operations for Logs Cloud Service.
Prerequisites
In order to proceed with the following steps, you will need the following:
- An Azure VMware Solution SDDC deployed in your Azure Subscription
- A VMware Cloud Services account with the VMware Aria Operations for Logs service enabled
We will also need to create a few resources in Azure:
- An Event Hub Namespace
- An Event Hub to receive and forward the logs
- Two Event Hub Authorization Rules:
  - One to allow the AVS SDDC diagnostic settings to send logs to the Event Hub
  - One to allow an Azure Function to listen to Event Hub messages and to send logs to the VMware Aria Operations for Logs Cloud Service
Example of Terraform code to create the Event Hub Namespace, Event Hub:

```hcl
resource "azurerm_eventhub_namespace" "eventhubnamespace" {
  name                = "${var.sddc_name}-eventhubnamespace"
  resource_group_name = azurerm_resource_group.avs_rg.name
  location            = var.sddc_location
  sku                 = "Standard"
  capacity            = 1
}

# Authorization Rule to allow the AVS SDDC diagnostic settings to send logs to the Event Hub
resource "azurerm_eventhub_namespace_authorization_rule" "eventhubnamespace-authorization-rule" {
  name                = "${var.sddc_name}-authorization-rule"
  namespace_name      = azurerm_eventhub_namespace.eventhubnamespace.name
  resource_group_name = azurerm_resource_group.avs_rg.name

  listen = false
  send   = true # AVS SDDC diagnostic settings send logs to the Event Hub
  manage = false
}
```
Example of Terraform code to create Authorization Rules:

```hcl
# Authorization Rule to allow an Azure Function to listen to event hub messages and
# to send logs to the VMware Aria Operations for Logs Cloud Service
resource "azurerm_eventhub_namespace_authorization_rule" "eventhubnamespace-af-authorization-rule" {
  name                = "af-authorization-rule"
  namespace_name      = azurerm_eventhub_namespace.eventhubnamespace.name
  resource_group_name = azurerm_resource_group.avs_rg.name

  listen = true # Azure Function will listen to event hub messages
  send   = false
  manage = false
}

resource "azurerm_eventhub" "eventhub" {
  name                = "${var.sddc_name}-eventhub"
  resource_group_name = azurerm_resource_group.avs_rg.name
  namespace_name      = azurerm_eventhub_namespace.eventhubnamespace.name
  partition_count     = 2
  message_retention   = 1
}
```
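A least-privilege variant of the listener rule, as an added example that is not part of the original post: it scopes the Listen right to the single Event Hub instead of the whole namespace and exposes the connection string as a sensitive output. The resource and output names are hypothetical, and it assumes the deployed Azure Function accepts a hub-scoped connection string.

```hcl
# Added example (not from the original post); resource and output names are hypothetical.
# Hub-scoped rule: Listen only, valid for this one Event Hub rather than
# every hub in the namespace.
resource "azurerm_eventhub_authorization_rule" "af_listen" {
  name                = "af-listen-rule"
  namespace_name      = azurerm_eventhub_namespace.eventhubnamespace.name
  eventhub_name       = azurerm_eventhub.eventhub.name
  resource_group_name = azurerm_resource_group.avs_rg.name

  listen = true # the function only reads from the hub
  send   = false
  manage = false
}

# Value for the AzureEventHubLogsConnectionString application setting.
# "sensitive" redacts it in plan/apply output; it is still written to the
# state file, so the state backend needs its own access control.
output "af_eventhub_connection_string" {
  value     = azurerm_eventhub_authorization_rule.af_listen.primary_connection_string
  sensitive = true
}
```

With this variant the policy is listed under the Event Hub's own Shared access policies rather than the namespace's.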
Azure VMware Solution SDDC Diagnostic Logs
To forward the logs from the Azure VMware Solution SDDC to the Event Hub, we will use Azure Diagnostic Settings.
From Azure Portal: Azure VMware Solution > SDDCs > Select your SDDC > Diagnostic Settings
Then we select the logs we want to forward, the event hub namespace, the event hub and the send authorization rule we created earlier.
When saved, we can go to the next step: preparing VMware Aria Operations for Logs Cloud Service.
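The same diagnostic setting expressed in Terraform, as an added example that is not part of the original post, so the log forwarding is reviewable and versioned alongside the Event Hub resources. It reuses the resources defined earlier; `var.sddc_id` and the resource names are assumptions, and it forwards every log category the SDDC exposes rather than a hand-picked selection.

```hcl
# Added example (not from the original post); variable and resource names are hypothetical.
variable "sddc_id" {
  type        = string
  description = "Resource ID of the Azure VMware Solution private cloud (assumed input)"
}

# Discover the log categories the SDDC exposes instead of hard-coding them.
data "azurerm_monitor_diagnostic_categories" "avs" {
  resource_id = var.sddc_id
}

resource "azurerm_monitor_diagnostic_setting" "avs_to_eventhub" {
  name               = "${var.sddc_name}-to-eventhub"
  target_resource_id = var.sddc_id

  # Destination: the Event Hub and the send-only rule created earlier.
  # Diagnostic settings take a namespace-level authorization rule here,
  # not a hub-level one.
  eventhub_name                  = azurerm_eventhub.eventhub.name
  eventhub_authorization_rule_id = azurerm_eventhub_namespace_authorization_rule.eventhubnamespace-authorization-rule.id

  # One enabled_log block per category reported by the data source.
  dynamic "enabled_log" {
    for_each = data.azurerm_monitor_diagnostic_categories.avs.log_category_types
    content {
      category = enabled_log.value
    }
  }
}
```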
Configuration of VMware Aria Operations for Logs Cloud Service
In VMware Aria Operations for Logs Cloud Service, generate an API key from here: mgmt.cloud.vmware.com/li/api-keys/keys.
Once created, copy the API URL and API Token to a temporary location; we will need them later.
Deploy Azure Function
To forward the logs from the Event Hub to the VMware Aria Operations for Logs Cloud Service, we will use an Azure Function that listens for incoming messages in the hub and forwards them to the Aria service.
A sample Azure Function is provided by VMware here: github.com/vmware/vmware-log-collectors-for-public-cloud/blob/master/azure/ and can be easily deployed by using this template:
In the configuration process, provide the API URL and API Token generated earlier.
Post Deployment configuration of Azure Function
When the function has been created, you need to set up the Event Hub connection string as a configuration setting of the Azure Function.
- Get the Event Hub connection string (created earlier) from the Azure Portal:
  *Event Hub Namespace > Shared access policies > your-eventhubnamespace-af-authorization-rule > Connection string-primary key*
- Then go to the deployed Function App to set a new environment variable:
  *Function App > Configuration > New application setting*
  and add the connection string as a new application setting:
  - Name: AzureEventHubLogsConnectionString
  - Value: <Event Hub connection string>
- Save the configuration
- When saved, open the function and go to the Integrations tab
- Select the Event Hub Trigger and select the Azure Event Hubs trigger to edit it.
- Select the AzureEventHubLogsConnectionString connection string from the Event Hub Connection drop-down menu and update the Event Hub name in the appropriate field.
- Save the configuration
Log analysis in VMware Aria Operations for Logs Cloud Service
At this point, the logs from the Azure VMware Solution SDDC should be forwarded to the VMware Aria Operations for Logs Cloud Service.
I will not cover the features of the VMware Aria Operations for Logs Cloud Service in this post, but you can find more information here: vmware.com/products/aria-operations-for-logs.html. Instead, I will just highlight some filtering capabilities to help you to find the logs from the Azure VMware Solution SDDC.
Azure VMware Solution content pack
The Azure VMware Solution content pack is a pre-built VMware Aria Operations for Logs content pack that provides a set of dashboards and queries to help you to analyze the logs from the Azure VMware Solution SDDC. It also provides a big set of new extracted fields to help you to filter the logs.
Filtering logs from a specific Azure VMware Solution SDDC
If you are running multiple Azure VMware Solution SDDCs, you can filter the logs from a specific SDDC by using the resourceId field.
Filtering fields
The following fields can also be very effective to optimize a log search:
Field name | Example | Description |
---|---|---|
appname | vpxd | The name of the application that generated the log message. |
category | vmwaresyslog | The category of the log message selected in AVS troubleshooting pane. |
event_provider | AZURE_AVS | The provider of the log message. |
eventsource | PRIVATECLOUDS | The source of the log message. |
hostname | vc | The name of the host that generated the log message. Could be ESXi, vCSA, NSX-T hostnames. |
location | southafricanorth | The Azure region where the SDDC is deployed. |
severity | info | The severity of the log message. |
Dashboards
Dashboards can also be very useful to visualize the logs from Azure VMware Solution SDDCs.
You can use pre-built dashboards from the Azure VMware Solution content packs to monitor:
- NSX-T Application events
- Firewall events
- General AVS events
- Events by severity
Or you can create a custom dashboard to visualize logs for specific needs.
Explore logs
With the log exploration feature of VMware Aria Operations for Logs, you can easily search for specific logs and visualize them in a table or in a chart.
In this example, we are looking for the latest logs for snapshot creation tasks.
You can also use the Live tail feature to monitor the logs in real time.