VMware Log Intelligence (LINT) is a public VMware Cloud Service that is available to all VMware Cloud on AWS (VMC) customers. From a logging standpoint, LINT gives customers a unified view of their SDDC infrastructure, including vSphere, NSX and vSAN, and it can also be used with an on-premises deployment. The LINT team recently published a nice overview here, which I highly recommend reading.
One really interesting capability of LINT is the alert and notification feature, which includes UI and email, but what really stood out to me with this feature is that you can also trigger a Webhook! This means you can literally integrate with any external system including public cloud services that can receive or process a Webhook. Some examples can include publishing to a specific Slack channel, sending an SMS to your SRE team, an alert in PagerDuty or even calling an AWS Lambda function. The possibilities are truly endless on what you can do with a Webhook integration!
For our recent VMC Customer Summit, I thought it would be really cool to show off some demos of what you could do with LINT Webhooks. In this blog post, I will show you how to use the If This Then That (IFTTT) service, which natively supports Webhooks, to publish a specific VMC event into a Slack channel. Slack also supports native webhooks, but by using IFTTT you can apply this example to other Cloud Services that you may want to integrate with.
Step 1 - Enable Incoming Webhooks for your IFTTT account by following this tutorial here. Once enabled, you will be provided with your own personal Webhook URL (it includes an auth token embedded in the URL, so do not share it with others). The URL will look like the following: https://maker.ifttt.com/trigger/[EVENT_KEY]/with/key/asdfasfasdf where EVENT_KEY is a string you define when creating the IFTTT recipe that decides which service to trigger (e.g. Slack).
Step 2 - Create a new IFTTT Recipe using the Webhook service and provide a string to identify the specific Event; in my example, I am using VMC. Next, select the Slack trigger, connect it to your Slack instance and configure where and how you want the message to show up.
Step 3 - Log in to LINT to configure and enable Webhook notifications by navigating to Configuration->Webhook Configuration. Create a new Webhook and give it a name; in this example I am using IFTTT. Next, specify the IFTTT Webhook URL https://maker.ifttt.com/trigger/[EVENT_KEY]/with/key/asdfasfasdf and replace the event key with the one you defined in Step 2.
Another really cool thing about LINT's Webhook integration is that you get to define the payload that will be sent; usually this is pre-defined by the provider. The IFTTT Webhook only supports three fields: value1, value2 and value3, which are hardcoded variables that you must pass into your Webhook for processing. There are a number of LINT variables that you can use, but the most interesting one, which contains the useful information, is the $additionalInfo variable.
In my example, I have the following payload (make sure the "v" in value is lower case, as it is case-sensitive):
Step 4 - Before proceeding to create a LINT Alert, we can verify that our Webhook is working by simply clicking on the "Send Test" option. If everything is configured correctly, you should see a test notification in Slack. In my setup, I used a Slack DM and below is an example of what the message would look like.
Step 5 - Finally, to create a LINT alert, navigate to Alerts->Alert Definitions. Here is where you will create an alert based on a specific text query. In my example, I am going to trigger off of "Successful login *protected email*", which is the event string logged when the CloudAdmin user logs in to the VMC vCenter Server.
There are a number of trigger types that you can choose from when an alert is evaluated. One recent addition which is currently in Preview is the "On even match" which will trigger each time a particular event is identified and will only include that latest event. Prior to this feature, queries would match both current and past events which means your payload would include historical information which you may not want. To get this feature enabled, you just have to file a support request or just ask for it via the live chat.
Once you have defined the query string and trigger, you can then specify how you want this alert to notify you. By default, it is just a UI indication within the LINT UI, but you can click on the Notification section and enable Email or any Webhooks you may have defined. We will go ahead and select the IFTTT notification which we defined in Step 3 and then click on the "Disk" icon in the upper right-hand corner to save our alert definition.
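A pre-flight check for the webhook definition built in Steps 1 to 3, added here as an example and not code from the original post, VMware or IFTTT. It assumes the payload is a JSON object; `check_webhook` and `redact_key` are hypothetical helper names, and the sample values are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# URL shape from Step 1: /trigger/<event>/with/key/<auth token>
MAKER_PATH = re.compile(r"^/trigger/(?P<event>[^/]+)/with/key/(?P<key>[^/]+)$")
IFTTT_FIELDS = ("value1", "value2", "value3")  # the only fields IFTTT reads


def check_webhook(url, payload_text):
    """Return a list of problems found in a LINT -> IFTTT webhook definition."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "maker.ifttt.com":
        problems.append("URL is not https://maker.ifttt.com/...")
    match = MAKER_PATH.match(parts.path)
    if match is None:
        problems.append("path is not /trigger/<event>/with/key/<key>")
    elif "[" in match["event"] or "]" in match["event"]:
        problems.append("[EVENT_KEY] placeholder was not replaced (Step 3)")
    try:
        payload = json.loads(payload_text)  # assumption: payload is JSON
    except ValueError as exc:
        return problems + [f"payload is not valid JSON: {exc}"]
    if not isinstance(payload, dict):
        return problems + ["payload must be a JSON object"]
    for field in payload:
        if field in IFTTT_FIELDS:
            continue
        if field.lower() in IFTTT_FIELDS:
            problems.append(f"{field!r} must be lower case: {field.lower()!r}")
        else:
            problems.append(f"{field!r} is not one of value1, value2, value3")
    return problems


def redact_key(text):
    """Mask the auth token of any Maker URL before text is logged or shared."""
    pattern = r"(maker\.ifttt\.com/trigger/[^/\s]+/with/key/)[^\s\"'/?#]+"
    return re.sub(pattern, r"\1<REDACTED>", text)


if __name__ == "__main__":
    # Constructed sample: placeholder left in the URL, capital "V" in the field.
    bad_url = "https://maker.ifttt.com/trigger/[EVENT_KEY]/with/key/CONSTRUCTED_KEY"
    for problem in check_webhook(bad_url, '{"Value1": "$additionalInfo"}'):
        print("problem:", problem)
    print(redact_key("webhook=" + bad_url))
```

Running `redact_key` over a screenshot caption, ticket text or log excerpt before it leaves your team keeps the token from Step 1 out of shared material.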
Using IFTTT is just one of the many ways customers can consume LINT's Webhook integration. Other public cloud services which support Webhooks natively can be used, and you can also build your own Webhook listener to process the payload. One popular request that I have heard from a number of VMC customers is being able to interact with AWS services given a specific VMC Event, and specifically to run an AWS Lambda function which can call into other AWS services. In the next blog post, I will demonstrate how to forward VMC Events to an AWS Lambda function!