Log Insight Agent for Windows & Active Directory Content Pack

VMware’s Log Insight, part of the vRealize suite, is a solid log management solution with built-in analytics. It has a marketplace-like feature called ‘Content Packs’: vendor-supported plug-ins that ship pre-built dashboards, queries, extracted fields and alerts for other vendors’ systems. The one I want to dive into today is the Active Directory Content Pack, covering both its install and configuration and the install of the Log Insight agent on my home lab Active Directory server.

Installing Log Insight agent on Windows Server 2016 Datacenter

The agent can be downloaded from within the Log Insight interface. From the home page click ‘Administration’, then ‘Agents’ in the left pane.

At the bottom of the page there is a download link for the agent.

The download page lists the agents available for each supported OS.

In this exercise we download the Windows MSI. Launch the installer; there is minimal configuration to perform, and the most important part is entering either the hostname or the IP of the Log Insight server.

*The error I’m researching: this seemed to be the only system. I checked the clock, and I’m not sure if this is a time or a speed notification, but data was flowing in pretty fast.

Once the installation is complete, the Log Insight ‘Agents’ console should display the machine almost immediately.

Configuring the Log Insight Agent

From the ‘Agents’ menu, go to ‘Agent Configuration’. As an example we will create a Windows Event Log configuration for collecting a channel.

Give the log a unique name with no spaces; in our case we will call it ‘WinApplication’ for the ‘Application’ channel in Event Viewer on the server.

Once that is completed you can repeat the step for other channels, and in the end the configuration should look something like this.

Once the configuration is saved, Log Insight pushes it to every agent that matches the group, and collection of these channels begins on all of them.
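The same result can be scripted instead of clicking through the installer and the Agent Configuration page. The PowerShell below is an added example, not code from the original post or from VMware: it installs the agent silently, then writes a local liagent.ini with the same `[winlog|...]` sections the server-side configuration would push (section name unique and without spaces, `channel` set to the Event Viewer channel name). The MSI path, the server hostname, the install log path and the service display-name pattern are assumptions for the lab; adjust them to yours.

```powershell
# Added example (not from the original post or from VMware). Unattended install of the
# Log Insight Windows agent plus a local liagent.ini that collects Windows Event Log
# channels, mirroring the 'WinApplication' style configuration built in the server UI.
param(
    [string]   $Msi        = 'C:\Temp\VMware-Log-Insight-Agent.msi',  # assumed download path
    [string]   $ServerHost = 'loginsight.lab.local',                  # assumed Log Insight server
    [int]      $ServerPort = 9000,                                    # default cfapi port
    [string[]] $Channels   = @('Application', 'System', 'Security')   # Event Viewer channel names
)

# 1. Silent install. SERVERHOST / SERVERPORT are the installer's public MSI properties,
#    equivalent to the hostname/IP prompt in the interactive installer.
$msiArgs = "/i `"$Msi`" /qn SERVERHOST=$ServerHost SERVERPORT=$ServerPort /l*v C:\Temp\liagent-install.log"
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)" }

# 2. Build liagent.ini. Each [winlog|<name>] section is one Event Log subscription;
#    <name> must be unique and contain no spaces, exactly like the UI field.
$iniDir  = Join-Path $env:ProgramData 'VMware\Log Insight Agent'
$iniPath = Join-Path $iniDir 'liagent.ini'

$ini = @"
[server]
hostname=$ServerHost
proto=cfapi
port=$ServerPort

"@
foreach ($channel in $Channels) {
    $sectionName = 'Win' + ($channel -replace '\s', '')   # e.g. WinApplication
    $ini += "[winlog|$sectionName]`nchannel=$channel`n`n"
}
Set-Content -Path $iniPath -Value $ini -Encoding ASCII

# 3. Restart the agent so it re-reads the file. The service display name is assumed to
#    start with 'VMware Log Insight Agent'; check Get-Service if yours differs.
$svc = Get-Service -DisplayName 'VMware Log Insight Agent*' | Select-Object -First 1
if ($null -eq $svc) { throw 'Log Insight agent service not found; is the MSI installed?' }
Restart-Service -Name $svc.Name
Write-Host "Agent '$($svc.Name)' restarted; collecting: $($Channels -join ', ')"
```

Settings pushed from the server’s Agent Configuration page are merged with this local file, so you can keep lab-specific channels here and let the server-side groups add the rest.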

You can click the hyperlink-enabled name of an agent and it will take you straight to ‘Interactive Analysis’.

Interactive Analysis is your tool for searching and filtering through the collected logs.

Installing the Active Directory Content Pack

From the Log Insight home page, go to ‘Content Packs’.

The Log Insight Marketplace appears. Look for ‘Microsoft – Active Directory’, click it once, review and agree to the terms, check the box and click ‘Install’.

The install is near-instant, and you should be prompted with ‘Setup Instructions’.

By installing the Log Insight agent we have already fulfilled some of the prerequisites.

From the ‘Agents’ menu, find the agent group template that the content pack installed and copy it.

Here you can name the new group and click ‘Copy’.

Some pre-populated configuration loads from the copied template. Next, create a filter; in my example I filtered on the hostname of my AD server. Make sure the hostname matches the name the agent reports, and the matched agent should appear in the list below the filter. Click ‘Save Configuration’.
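Before expecting the Active Directory dashboards to fill up, it is worth checking from the AD server itself that the channels the copied group subscribes to exist, are enabled and are actually producing events, and that the hostname the agent reports matches your filter. The script below is an added example, not part of the original post or of the content pack. The channel list is an assumption taken from what the template referenced in my lab (verify it against your copied group), and the effective-config file name under the agent’s ProgramData folder is likewise an assumption.

```powershell
# Added example (not from the original post or the content pack). Run on the AD server
# after saving the copied agent group to confirm the inputs the dashboards depend on.
# Channels are assumed from the copied template; edit to match yours.
$Channels = @('Security', 'Directory Service', 'DNS Server', 'DFS Replication')
$Since    = (Get-Date).AddHours(-1)

# 1. Does each channel exist, is it enabled, and has it logged anything in the last hour?
foreach ($channel in $Channels) {
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "Channel '$channel' is not present on this host"; continue }
    $recent = @(Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $Since } `
                 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Channel     = $channel
        Enabled     = $log.IsEnabled
        RecordCount = $log.RecordCount
        LastHour    = $recent.Count
    }
}

# 2. Hostname as the agent is likely to report it; the agent group filter must match
#    one of these spellings, otherwise the group matches zero agents.
Write-Host "Short name: $env:COMPUTERNAME"
Write-Host "FQDN:       $([System.Net.Dns]::GetHostEntry('').HostName)"

# 3. Did the server push the group? The merged configuration the agent runs with is
#    assumed to be written to liagent-effective.ini next to liagent.ini.
$effective = Join-Path $env:ProgramData 'VMware\Log Insight Agent\liagent-effective.ini'
if (Test-Path $effective) {
    Select-String -Path $effective -Pattern '^\[winlog\|' | ForEach-Object { $_.Line }
} else {
    Write-Warning "No effective config at $effective; agent may not have checked in yet"
}

# 4. The Security channel only carries AD activity if the matching audit policy is on.
#    'No Auditing' here means the Security-based dashboards will stay empty.
foreach ($category in @('DS Access', 'Account Management', 'Logon/Logoff')) {
    auditpol /get /category:"$category"
}
```

If step 1 shows a channel that is enabled but has no recent records, generate some activity (the DNS zone reload and new record below is a quick way for the ‘DNS Server’ channel) and re-run the check before touching the Log Insight side.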

After that is done, you can go back to Interactive Analysis and play around with the filters. In my test, I simply reloaded the DNS zones and created a new record to generate some events.

This was really simple and straightforward. There are several more customizations you can leverage in Log Insight, such as e-mail alerting on particular events you want to capture, and more.