For now, the environment looks as planned. We have a load balancer (VIP), a three-node cluster for the end-user operations and one log forwarder. It's time to configure the forwarder and the main cluster.
1, First, let's enable the IDM authentication. This part is the same for both the forwarder and the cluster members, therefore it must be done in both places. Please log in to your Log Insight instances with the admin user and click on Administration. On this tab select Authentication.
Check the Host details; it should contain your IDM's FQDN, if not, please add it. We don't need other data here, only the Host, the API port and the Redirect URL Host. Leave the rest empty. Click on Test Connection; if all is good, Save it.
2, Once the first step has been performed in every instance, log in to the IDM appliance. Go to the Users and Groups tab and select Groups. Select your administrative group and click on its name.
On the group’s page click on APPs.
Click on Add Entitlement.
Select all Log Insight instances, then click on Save.
3, To add the group you entitled, go back to the Administration tab in the Log Insight instances, and click on Access Control.
Click on + New Group.
The Domain is already filled in, while in the Name field you have to type exactly the same group name you enabled in IDM (Task 2), in the format groupname@domain.
Now you should be able to log in to your instances with IDM SSO. Log off and test it. Don't forget to select the proper domain on the login screen.
4, Authentication is complete, let's add Archive storage. Log in to your cluster, using your VIP address or any of the cluster members. Go to the Administration tab and, at the bottom, select Archiving. Enable Data archiving and add a location. Click on Test, and if all is fine, Save it.
5, It's time to enable log forwarding and add sources. Log in to your forwarder, click on Administration and then Event Forwarding.
Click on + New Destination. Enter a name, and type your VIP address into the Host field. Use the Ingestion API protocol and enable SSL usage. Tags are optional, but I've added a DC tag, like DC=NewYork.
6, Enabling different log sources is easy, just go to the Administration tab in your forwarder instance. Look for the Integration section and select vSphere. If you are here for the first time you don't need to click on +ADD VCENTER SERVER, only for the second, third or further sources.
Fill out the form. I recommend creating a new user for this configuration in the vCenter Servers. The Administrator user is not recommended.
The role requires the following privileges:
- Read-Only (the built-in role), plus:
- Host.Configuration.Advanced Settings
- Host.Configuration.Change Settings
- Host.Configuration.Network configuration
- Host.Configuration.Security profile and firewall
Don't click on Save yet. First select both checkboxes on the right side and click on Configure ESXi hosts. In the pop-up window you'll see the hosts of the configured vCenter. Select SSL as the Syslog protocol and Automatically enable host configuration.
Note: Be aware that the automated configuration takes ownership of the ESXi hosts' global loghost parameter in the advanced settings. If you have a host profile enabled with a syslog target, the profile remediation will fail.
Click on Configure. Please repeat task 6 if you have multiple vSphere sources. If you would like to add different solutions like SRM, click on the Content Packs menu item and select the desired plugin. If you click on the downloaded plugin, you'll get a configuration guide.
If you need guidance with the plugins, just leave me a comment or send a mail. I'll be more than happy to help.
With this part, we are done with the series.
If it was helpful, or you have further questions, just leave a comment.
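As an added PowerCLI example (not part of the original post), this creates the dedicated vCenter role with exactly the privileges listed in task 6, grants it to a dedicated service account instead of Administrator, and then audits which ESXi hosts already have their global loghost pointed at the forwarder, which is the setting the note above warns about. The vCenter FQDN, role name, account name and forwarder address are placeholders, and the privilege IDs are my mapping of the UI labels to PowerCLI identifiers.

```powershell
# Added example, not from the original post. Requires VMware PowerCLI.
Connect-VIServer -Server 'vcenter.example.local'        # placeholder vCenter

$roleName = 'LogInsight-Collector'                       # placeholder role name
$account  = 'vsphere.local\svc-loginsight'               # placeholder service account

# Privilege IDs assumed to correspond to the UI labels listed in the post
$privilegeIds = @(
    'System.Anonymous', 'System.View', 'System.Read',    # the built-in Read-Only role
    'Host.Config.AdvancedConfig',                        # Host.Configuration.Advanced Settings
    'Host.Config.Settings',                              # Host.Configuration.Change Settings
    'Host.Config.Network',                               # Host.Configuration.Network configuration
    'Host.Config.NetService'                             # Host.Configuration.Security profile and firewall
)
$privs = Get-VIPrivilege -Id $privilegeIds

# Create the role, or add any missing privileges if it already exists
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $privs
} else {
    Set-VIRole -Role $role -AddPrivilege $privs | Out-Null
}

# Grant at the root folder with propagation so every host is visible to the forwarder
$root = Get-Folder -NoRecursion
New-VIPermission -Entity $root -Principal $account -Role $role -Propagate:$true | Out-Null

# Audit: which hosts already send syslog over SSL to the forwarder (placeholder target,
# ssl:// with port 1514, the Log Insight SSL syslog port). A host whose value differs
# is either unconfigured or owned by a host profile that will conflict with the
# automated configuration described in the post.
$expected = 'ssl://loginsight-fwd.example.local:1514'
Get-VMHost | ForEach-Object {
    $current = (Get-AdvancedSetting -Entity $_ -Name 'Syslog.global.logHost').Value
    [pscustomobject]@{
        Host    = $_.Name
        LogHost = $current
        Matches = ($current -eq $expected)
    }
} | Format-Table -AutoSize
```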