I’ve done a few VMware Log Insight posts in the past year but I have yet to do one for Pure Storage. Log Insight is a product that I really love and VMware has been updating it like crazy since its initial release. Just recently they announced the 2.0 version of Log Insight (more info here). Besides just being functionally useful it is VERY easy to use–from kicking off the deployment (it is an OVA) to first use it takes about ten minutes maximum.
So as you are probably at least somewhat aware Log Insight takes information in via syslog and like are things Pure it is very simple to set this up on the FlashArray. While this can also be achieved via the Pure CLI I am going to walk through doing this with the GUI. So first login to your FlashArray GUI and navigate to the System page then configuration then Syslog Server.
Log Insight listens (the last time I checked) on TCP port 514 and UDP on ports 514 and 1514. Any one of these combinations will work just fine on the FlashArray as it supports any combination of ports and transport protocol. Pick one and enter in the hostname or IP address of the Log Insight appliance and click the check to apply it. That’s it when it comes to configuration–as I said very simple. The FlashArray will start syslogging immediately to Log Insight. If you want to test the connectivity a test button will appear after you click the check. Once you click the test you should immediately see a message similar to below in Log Insight in the Interactive Analysis view.
We syslog a variety of events: things like failures and capacity warnings but what you will see the most of is auditing records. Essentially any time someone performs a configuration change, whether that be a new volume, or a snap etc this will get syslogged to Log Insight.
Whether this actually came from the GUI or the CLI it will be recorded the same and will show the options executed by the user on what array and by what user and of course when. Since these messages have a standard output it is very simple to extract fields to make navigating our log messages. So the first field I extract was the Pure Storage FlashArray name. You can do this in interactive mode in Log Insight by highlighting the array name and then clicking extract field that appears. Tell Log Insight that anything that follows “Array Name:” will be the FlashArray name.
Now I can easily search for messages from a particular array.
I am going to extract a few more fields to see what Pure CLI commands are run, so I will create a new field called “Pure CLI Command” which is described as below.
Now a nice little histogram will appear that shows the frequency of all of the commands that were executed.
As you can see in the time frame that I am searching purevol was the most frequently run command with 52 instances. We can do with users or even the CLI options. You might want to create a purevol field so you can quickly find all of those instances.
These can be combined with multiple fields to create dashboards for quick review in the dashboard view. So the below query looks for all instances of purevol snap on a particular array by a particular user.
Click add to dashboard to save it and it will now appear on your dashboard screen.
Look for more posts here on Log Insight and Pure! Working on a content pack so most of this work will be done for you!