vRealize Log Insight Data Set

Datasets are a useful way to segregate content ingested by Log Insight and give users access to that specific content.

In this post I want to allow a user to log in and see logs regarding Active Directory events and another user to log in and view logs from a Windows based jump server.

Define Data sets

First I go to Administration on the top menu bar and then click Access Control on the left side. In the centre pane there are 3 tabs. Click Data Sets and then click New Data Set.

In the new Data set we can give it a name. In this case I have given it the name Active Directory Data Set.

Under filters we can add one or more filters on what we would like to include in the Data Set. In my test lab I have one Domain Controller that I want to include. So I can set a simple filter:

hostname > matches > sto-dc-01

It goes without saying that this host has to be already sending logs to Log Insight. Because its logs are already being ingested, vRLI tries to autocomplete the name for me as I type the hostname into the text field.

The filter list contains static fields only. It excludes extracted fields, user-shared fields, text fields, and fields created through event_type filters. If you want to use your own custom filters, please check out Thomas Kopton’s blog post "vRealize Log Insight Data Sets using custom filters".

I repeat the process for the second Data Set and include the server sto-jump-01.

Create and Modify Custom Roles

Now that I have the Data sets defined I need to create a new Role and assign the role the right to access the respective Data Set.

So again I go to Administration on the top menu bar and then click Access Control on the left side. This time click Roles and then click New Role. We can give the role a Name and Description. Here my role is called AD Log Role. In the role we can give it one or more permissions from the Permissions list. Here, all I want is to give my users access to Interactive Analytics and Dashboards. Now on the right-hand side I can select the Data Set I previously created.

I can add a second role in the same way but choose the sto-jump-01 Data Set.

Add User and Assign Role

Now I can go to Administration on the top menu bar, click Access Control on the left side, and add new users under Users and Groups. In my case vRLI uses Active Directory as an authentication source, so I can search for my two AD users, Sara and Bob, and assign each of them the roles I previously created. Below you can see Bob is the user who will have the AD-Log-Role.

Log in as User and Test

Now Bob can browse to Log Insight and log in with his account.

As you can see below, once the user Bob has logged in he sees only information regarding the Active Directory server defined in the Data Set.

Sara can also log in but she sees only the logs for the jump server which is exactly what was expected.
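The same check can be repeated over exported query results rather than by eye. The script below is an added example, not part of the original post or of Log Insight itself: it audits a list of events returned to a user against the hostnames that user's Data Set should allow. The event shape (a "fields" list of name/content pairs), the glob handling of "matches", the case-insensitive comparison, and the sample events are all assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Expected scoping from the post: user -> hostname filter of the assigned Data Set.
EXPECTED_SCOPE = {
    "Bob": ["sto-dc-01"],     # AD Log Role -> Active Directory Data Set
    "Sara": ["sto-jump-01"],  # second role -> jump server Data Set
}

def hostname_of(event):
    """Return the hostname field of an event (assumed export shape), or None."""
    for field in event.get("fields", []):
        if field.get("name") == "hostname":
            return field.get("content")
    return None

def audit_scope(user, events, expected=EXPECTED_SCOPE):
    """Return [(index, hostname)] for every event outside the user's Data Set.

    Fails closed: an event without a hostname, or a user with no expected
    scope, is reported as a leak rather than silently accepted.
    """
    patterns = [p.lower() for p in expected.get(user, [])]
    leaks = []
    for index, event in enumerate(events):
        host = hostname_of(event)
        # Assumption: "matches" is treated as a glob (* and ?), compared
        # case-insensitively because hostnames are not case-sensitive.
        allowed = host is not None and any(
            fnmatchcase(host.lower(), p) for p in patterns
        )
        if not allowed:
            leaks.append((index, host))
    return leaks

def _event(text, host=None):
    """Build a constructed sample event in the assumed shape."""
    fields = [{"name": "hostname", "content": host}] if host else []
    return {"text": text, "fields": fields}

# Constructed sample results, as if exported while logged in as each user.
SAMPLE_BOB = [_event("An account was successfully logged on.", "sto-dc-01"),
              _event("A Kerberos ticket was requested.", "STO-DC-01")]
SAMPLE_SARA = [_event("Remote Desktop session started.", "sto-jump-01"),
               _event("An account was successfully logged on.", "sto-dc-01"),
               _event("Event with no hostname field.")]

if __name__ == "__main__":
    for user, events in (("Bob", SAMPLE_BOB), ("Sara", SAMPLE_SARA)):
        print(user, audit_scope(user, events) or "scoped correctly")
```

An empty result means every returned event came from a host inside the user's Data Set; any entry is worth investigating as a misconfigured filter or role assignment.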

Documentation

VMware Log Insight Documentation can be found here.