!!!!!!UPDATED!!!!!!
This post was over five years old; it is now updated to the latest as of Jan 2024.
1 – Overview.
VMware vRealize Log Insight (vRLI) collects, imports, and analyzes logs to provide real-time answers to problems related to systems, services, and applications and derive essential insights. This is particularly useful in a Virtualized Desktop and/or Application environment where many components generate logs and troubleshooting can prove difficult. vRLI complements vRealize Operations Manager for Horizon to provide comprehensive environment insight and troubleshooting capabilities.
This document will describe how to configure vRLI to collect and analyze logs from the following components of a VMware Horizon Environment:
Horizon Connection Server
Horizon Desktop Agent
App Volumes Manager
Unified Access Gateway
2 – Requirements.
The following Horizon components were already installed and configured:
Horizon Connection Server
Horizon Agent
App Volumes Manager
App Volumes Agent
Unified Access Gateway
An optimized Microsoft Windows 10 64bit “Golden Image” was prepared with the Horizon, App Volumes and vRLI agents.
This guide does not cover the deployment of the vRLI virtual appliance; please see the reference for supporting articles. The following vRLI components were deployed and were configured to integrate with the vCenter hosting the environment (part of the virtual appliance setup wizard):
vRealize Operations Manager Virtual Appliance v8.10
3 – Configuring vRLI Agents for Log Collection.
3.1 - The vRLI Windows Agent.
The vRLI Windows Agent collects events from Windows log files and forwards them to the vRLI server. In a Windows system, applications can store log data in flat text files on the file system. The vRLI Agent can monitor directories and collect events from flat text log files. In this guide will configure the vRLI agent to monitor the various log file for the Horizon components.
3.1.1 - Downloading the vRLI Windows Agent
The vRLI agent is available to download from the vRLI administration interface to retrieve it:
1. Navigate to the Administration page of the vRealize Log Insight Web user interface.
2. Go to the Management section.
3. Click Agents.
4. Click the Download Log Insight Windows agent link.
3.1.2 - Installing the vRLI agent.
In later versions of vRLI vRealize Log Insight is configured to accept only SSL connections, but the Log Insight Agents are configured to use a non-SSL connection, resulting in a failure of the agents to communicate with the vRLI appliance. There are 2 options to resolve this, detailed in the following documentation:
https://docs.vmware.com/en/vRealize-Log-Insight/8.10/com.vmware.log-insight.agent.admin.doc/GUID-EEF83900-2429-48F7-8855-F9812B8FDE21.html
Install the vRLI agent on each of the following components:
Horizon Connection Server(s)
Horizon Desktop Golden Image(s)
App Volumes Manager(s)
If there are multiples of a component such as a Pod of Horizon View Connection Servers, the following process to install the agent should be performed on all servers.
1. Run the downloaded vRLI agent installer
2. The only configurable parameter during a standard installation is specifying the vRLI Server address (FQDN recommended)
Verify the agents are registered to vRLI
1. Log into the vRLI web management page
2. In the management section in the left menu go to Agents
3. Verify that the installed agents are listed in this page
3.1.3 - Configuring the vRLI agent to forward specific logs.
The agents need to be configured to forward logs from the specific log directories you want to monitor. This can be configured via a local liagent.ini file and/or a server-side configuration defined in the vRLI web administration interface.
vRLI also allows you to group agents and apply a server-side configuration to that group. This is useful where you have groups of components where a common configuration is required such as a pod of Connection Servers or pools of desktops.
3.1.4 – Creating server-side agent groups and configurations.
Repeat the following process for each agent group.
1. Log into the vRLI web management page
2. Go to the Administration page (from top right hand corner drop-down menu)
3. In the management section go to Agents
4. Click the drop-down list at the top of the page where it says “All Agents”
5. Click select “New Group” at the bottom of the list
6. Name the group for example “Horizon Connection Servers”
7. Back on the Agents configuration page, ensure you have the newly created group selected from the drop down menu and click the Add Filter button.
8. Select an appropriate filter to catch all agents for that group.
9. In the Agent Configuration Page enter the configuration for the agent group as listed here:
Horizon Connection Servers
[filelog|HorizonViewCS]
directory=C:\ProgramData\VMware\VDM\logs
include=log-*;debug-*
exclude=pcoip_perf*.txt;v4v*.log;wsnm_starts.txt
10. Click “Save Agent Group”
11. Repeat steps 5 thru 11 for each of the agent groups using the following configurations:
Horizon Desktops
[filelog|HorizonDT]
directory=C:\ProgramData\VMware\VDM\logs
include=log-*;debug-;pcoip_agent*;pcoip_server*;pcoip_perf*.txt;v4v*.log
exclude=wsnm_starts.txt
App Volumes Servers
[filelog|AppVolumesManager]
directory=C:\Program Files (x86)\CloudVolumes\Manager\log
include=production*
.
4 – Exploring Logs and Dashboards
Interactive analysis allows you to search, filter and analyze across all logs received by vRLI. The results of these operations may then be saved and presented in a graphical format as a chart on a dashboard. This section will show some examples of useful “Interactive Analysis” searches and how to save them as dashboards.
4.1 - Explore Logs
This Interactive analysis example is a simple query for Horizon View Connection Server events over time.
1. Log into vRLI Web Interface
2. Click on “Explore Logs” in the left hand menu
3. Click “Add Filter”
4. In the first drop-down box, select “hostname”
5. In the second drop-down box select “starts with”
6. In the third drop-down box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-cs0”
7. Hit enter on your keyboard
8. Select a time range from the drop-down box (default is Last 5 minutes)
9. The lower half of the screen should list events from any hosts matching the filter for the selected period of time.
10. You will see a graph across the the top of the screen showing the events over the time range specified
4.2 - Saving a Query to a Dashboard
An interactive analysis query may be saved as a dashboard as a widget to easily visualize, for example, the trend of log quantities over a period of time to quickly identify when major events are occurring. Using the interactive search from the last section:
1. Follow section 4.1 steps 1 thru 10
2. Click on the “Add Current Query to Dashboard” button.
3. Create a name for the Query in the configuration pop-up box that appears, for example, “Horizon Connection Server Events”
4. Click the down-arrow in the Dashboard section.
5. Click “New Dashboard”
6. Create a name for the Dashboard for example “Horizon Dashboard”
7. Tick the box “Share this Dashboard Among All Users”
8. Click “Save”
9. Click “Add”
10. Click on the Dashboards button at the top of the screen
11. Select Shared Dashboards from the drop-down menu in the top right hand corner of the screen
12. Select the Dashboard you just created
5 - Other useful query/dashboard examples
5.1 – Horizon Logins Over Time
1. Log into vRLI Web Interface
2. Click on “Interactive Analysis” at the top of the screen
3. Click “Add Filter”
4. In the first drop-down box, select “hostname”
5. In the second drop-down box select “starts with”
6. In the third box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-cs0”
7. Select a time range from the drop-down box (default is Last 5 minutes)
8. Click “Add Filter”
9. In the first drop-down box, select “text”
10. In the second drop-down box select ”contains”
11. In the third box type in “authenticated to VDM” (do not include quotes)
12. The lower half of the screen should list events from any hosts matching the filter for the selected period of time.
13. Hit enter on your keyboard
14. You will see a graph across the the top of the screen showing the number of authentication events over the time range specified
15. Follow Section 4.2 steps 2 thru 4 to add the query to a dashboard
5.2 – App Volumes Events Over Time
1. Log into vRLI Web Interface
2. Click on “Interactive Analysis” at the top of the screen
3. Click “Add Filter”
4. In the first drop-down box, select “hostname”
5. In the second drop-down box select “starts with”
6. In the third drop-down box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-avm0”
7. Hit enter on your keyboard
8. Select a time range from the drop-down box (default is Last 5 minutes)
9. The lower half of the screen should list events matching the query for the selected period of time.
10. You will see a graph across the the top of the screen showing the events over the time range specified
11. Follow Section 4.2 steps 2 thru 4 to add the query to a dashboard
5.3 – Query for specific user events across Horizon and App Volumes
This query is useful to identify and correlate events for a user across Horizon View and App Volumes when troubleshooting.
1. Log into vRLI Web Interface
2. Click on “Explore Logs” at the top of the screen
3. Click “Add Filter”
4. In the first drop-down box, select “hostname”
5. In the second drop-down box select “starts with”
6. In the third box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-cs0”
7. Select a time range from the drop-down box (default is Last 5 minutes)
8. Click “Add Filter”
9. In the first drop-down box, select “hostname”
10. In the second drop-down box select “starts with”
11. In the third text box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-avm0”
12. Hit enter on your keyboard
13. Click “Add Filter”
14. In the first drop-down box, select “text”
15. In the second drop-down box select ”contains”
16. In the third box type in “username” (do not include quotes)
17. Hit enter on your keyboard
18. The lower half of the screen should list events matching the query for the selected period of time.
19. You will see a graph across the the top of the screen showing the number of authentication events over the time range specified.
5.4 – Estimate Login Time for a User based on Connection Server Logs
This is an example of how analyzing could help with identifying log in delays.
1. Log into vRLI Web Interface
2. Click on “Explore Logs” in the left-hand menu.
3. Click “Add Filter”
4. In the first drop-down box, select “hostname”
5. In the second drop-down box select “starts with”
6. In the third box type in a unique identifier that matches the beginning host names for your connection servers, for example “lab-cs0”
7. Select a time range from the drop-down box (default is Last 5 minutes)
8. Click “Add Filter”
9. In the first drop-down box, select “text”
10. In the second drop-down box select “contains”
11. In the third text box type in a “username”
12. Hit enter on your keyboard
13. Click “Add Filter”
14. In the first drop-down box, select “text”
15. In the second drop-down box select “contains”
16. In the third text box type in “successfully authenticated” and “session allocated”
17. Hit enter on your keyboard
18. The lower half of the screen should list events matching the query for the selected period of time. Each Log-in event will show two entries, first a successfully authenticated, second a session allocated. Each will have a time-stamp, the delta between these highlights how long it took view to hand-over a session to an authenticated user.