At a customer I am working on the design of vRealize Log Insight. For authentication we can choose from the sources local, Active Directory or VMware Identity Manager. In the latest release (4.5) it is clearly stated that configuring Active Directory authentication directly from Log Insight is deprecated.
Edit: Unlike some previous information going around, Active Directory from Log Insight directly is still supported. Quote from updated VMware Knowledge base article: Although direct connectivity from VMware vRealize Log Insight to Active Directory is still supported in Log Insight 4.5, it may be removed in a future version.
But I think it will still be very beneficial to move to vIDM sooner rather than later.
Now how do I authenticate my Active Directory users against Log Insight, you might ask. Well, this is what VMware Identity Manager is meant for. It is not used by a lot of VMware products yet, but it is used in the VMware Horizon suite (as Workspace ONE), embedded in vRealize Automation (integrated with the vRA appliance) and now by vRealize Log Insight as a separate virtual appliance.
The first reaction I overheard: that is going to cost us extra for vIDM. Well, no. With a Log Insight edition you are entitled to use vIDM, and you can download it from the Log Insight download page (among other places). You could even be entitled to Log Insight without knowing it, for example through Log Insight for vCenter or via NSX for Desktop. One heads up here: these entitlements are limited to certain versions and workloads by the EULA. For NSX this has been the case since the release of NSX 6.2.3: https://blogs.vmware.com/management/2016/06/log-insight-for-nsx-frequently-asked-questions-faq.html.
If you happen to have vIDM configured as part of the Horizon suite and/or vRealize Automation, you can go ahead and configure vRealize Log Insight to use that vIDM. Either skip the vIDM deployment part of this blog, or exit here and read the configuration specifics on the VMware blog at: https://blogs.vmware.com/management/2017/06/vidm-log-insight.html.
EUC and vRealize Log Insight
vRealize Log Insight is not included with the Horizon suite licensing by default; however, like above, you might be entitled to it, for example through NSX for Desktop. Otherwise, adding vRealize Log Insight to your EUC management layer will be highly beneficial, as all those components in your Horizon environment and EUC landscape create a lot of information. Think about all those OS logs, virtual appliance logs, component logs, audit logs, application logs and so on, stored on all those components. A centralized log aggregator that increases visibility, structures unstructured data, adds deep troubleshooting insights and monitoring is what you need. Integrating it with vROps (for Horizon) broadens that point of view further.
VMware Identity Manager Deployment
Normally you would design the vIDM architecture appropriately; it will play a more prominent part in your environment as more components use its features. Think about load balancing, redundancy, resilience and so on. For more input on these subjects please read the VMware Identity Manager deployment considerations, which can be found here: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmware-identity-manager-on-premises-deployment-considerations.pdf
For this blog post I deployed an Active Directory, vIDM and Log Insight lab application in Oracle Ravello Cloud. If you want to see the details on deploying virtual appliances in Oracle Ravello Cloud, see my blog post: https://pascalswereld.nl/2017/03/14/vcap-dtm-deploy-prep-horizon-lab-on-ravello-cloud-and-import-ova/. After boot-up, configure the hostname and networking on the console. After the network interface restart you are ready to do the vIDM initial configuration by opening vIDM in a browser at https://idm-hostname.
Continue the vIDM installation with passwords and database settings. Well, actually not: in the screenshot above I haven’t used the FQDN. You will receive the error “Invalid organization name. Chosen name (null) includes invalid characters”. Restart the browser session using the FQDN.
When finished, click the link on the summary page. Log in with the local admin user for whom you set the password in the setup wizard. You are directed to the Directories page, where you can add a directory.
Add a directory of type Active Directory and fill in the required values. Service accounts to join and bind are necessary. Confirm the domain name and the attributes required for synchronization (you can change them later on). Select the required groups to synchronize for Log Insight; these will normally be role-based groups for Log Insight. Review what is to be synchronized and let the engines roar. When the sync is complete you can test and log on with an administrator from your domain. When importing Administrator, for example, it is added to the administrator role in vIDM. Log out the local admin.
Log on with Domainname\User in vIDM to test user synchronization. When we can log on with the domain user we are good for this part.
vRealize Log Insight
Now for vRealize Log Insight. Note for Oracle Ravello Cloud users: after uploading the OVA you will have to change the VM according to the size of the deployment. Extract the OVF file to look at the figures, lower the vCPU and vRAM and correct the disk configuration. When you boot you will get a warning and an empty VAMI boot screen (except for some background colors). You will have to start the installer from the console. For that you will first have to set the password and networking settings with VAMI. Take it from the part about running Log Insight on Ravello in this blog post: https://michaelryom.dk/running-log-insight-on-ravello/.
Open a browser and go to the Log Insight URL. I am starting a new configuration for this lab.
After the initial setup is done, go to the admin page and select Configuration – Authentication. On the first page we can set up authentication with VMware Identity Manager.
Do not forget: the username must be a local System vIDM user for the binding to be successful.
Run the test connection and accept the vIDM certificate. Save if everything succeeds. Next, go to the users configuration page (or Management – Access Control) to grant vIDM users access to Log Insight.
Check the information in vIDM users if you don’t know what to fill in:
Do not forget: your Active Directory user must have a mail address and a UPN, and must be synchronized to vIDM.
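Because a user without a mail address or UPN synchronizes to vIDM but cannot log on to Log Insight through SSO, it pays to check the members of the Log Insight role groups before the first sync. The script below is an added example, not part of the original post or of any VMware tooling: it parses an LDIF export of the users (as produced by ldifde or ldapsearch) and reports every member of a LogInsight-* group that lacks one of the two attributes. The domain lab.local, the group naming scheme LogInsight-Admins/LogInsight-Users and the user entries are constructed assumptions for the example.

```python
"""Pre-sync check for vIDM/Log Insight: every AD user that will be synchronised
must have both a mail address and a userPrincipalName. Reads an LDIF export
(ldifde / ldapsearch output) and flags Log Insight role-group members that
are missing either attribute. Added example, not VMware code."""
import base64
from typing import Dict, List

# Constructed sample export for the hypothetical domain lab.local (not real data).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=lab,DC=local
sAMAccountName: Administrator
userPrincipalName: administrator@lab.local
mail: administrator@lab.local
memberOf: CN=LogInsight-Admins,OU=Groups,DC=lab,DC=local

dn: CN=svc-loginsight,CN=Users,DC=lab,DC=local
sAMAccountName: svc-loginsight
userPrincipalName: svc-loginsight@lab.local
memberOf: CN=LogInsight-Users,OU=Groups,DC=lab,DC=local

dn: CN=jdoe,OU=Staff,DC=lab,DC=local
sAMAccountName: jdoe
mail: jdoe@lab.local
memberOf: CN=LogInsight-Users,OU=Groups,DC=lab,DC=local
memberOf: CN=Domain Users,CN=Users,DC=lab,DC=local

dn: CN=guest,CN=Users,DC=lab,DC=local
sAMAccountName: guest
memberOf: CN=Domain Guests,CN=Users,DC=lab,DC=local
"""

# Attributes vIDM needs on a user for SSO to Log Insight to work.
REQUIRED_ATTRIBUTES = ("mail", "userPrincipalName")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split an LDIF text into entries; each entry maps attribute -> list of values.
    Handles multi-valued attributes, "attr:: base64" values and continuation lines."""
    # Join LDIF continuation lines (a leading space continues the previous line).
    joined: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in joined:
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # LDIF comment
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def users_missing_attributes(entries: List[Dict[str, List[str]]],
                             group_prefix: str = "CN=LogInsight-") -> Dict[str, List[str]]:
    """Return {sAMAccountName: [missing attributes]} for users that are a member of
    any group whose DN starts with group_prefix (the Log Insight role groups)."""
    problems: Dict[str, List[str]] = {}
    for entry in entries:
        if not any(g.startswith(group_prefix) for g in entry.get("memberOf", [])):
            continue                      # not in scope of the Log Insight sync
        missing = [a for a in REQUIRED_ATTRIBUTES if not entry.get(a)]
        if missing:
            name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
            problems[name] = missing
    return problems


if __name__ == "__main__":
    for user, missing in users_missing_attributes(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{user}: missing {', '.join(missing)} (SSO login to Log Insight will fail)")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; in the sample, svc-loginsight is reported for the missing mail attribute and jdoe for the missing UPN, while guest is ignored because it is not a member of a Log Insight group.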
Now log out the built-in local admin. From the login page of Log Insight, select VMware Identity Manager as the provider.
When you click Login via SSO you are redirected to Identity Manager to log on, or, when you already have an active token, you are logged on to Log Insight directly.
And voilà: Administrator is logged on:
This concludes the setup and configuration part.
Fun fact, a blast from the past: I have a blog post from 2013 where I did a Log Insight 1.0.4 evaluation (https://pascalswereld.nl/2013/08/28/evaluation-vmware-vcenter-log-insight-part-one-the/). We have been through some good life cycles since :)
– Happy broadening your Horizon!