By default, the VMware Aria Operations for Logs virtual appliance uses the preset values for small configurations.
Standalone Deployment
You can change the appliance settings to meet the needs of the environment for which you intend to collect logs during deployment.
VMware Aria Operations for Logs provides preset VM (virtual machine) sizes that you can select from to meet the ingestion requirements of your environment. These presets are certified size combinations of compute and disk resources, though you can add extra resources afterward. A small configuration is suitable only for demos.
To size virtual appliances to XL, XXL, and XXXL, see KB 80928.
| Preset Size | Log Ingest Rate | Virtual CPUs | Memory | IOPS | Syslog Connections (Active TCP Connections) | Events per Second |
|---|---|---|---|---|---|---|
| Small | 30 GB/day | 4 | 8 GB | 500 | 100 | 2000 |
| Medium | 75 GB/day | 8 | 16 GB | 1000 | 250 | 5000 |
| Large | 225 GB/day | 16 | 32 GB | 1500 | 750 | 15,000 |
You can use a syslog aggregator to increase the number of syslog connections that send events to VMware Aria Operations for Logs. However, the maximum number of events per second is fixed and does not depend on the use of a syslog aggregator. A VMware Aria Operations for Logs instance cannot be used as a syslog aggregator.
- Each virtual CPU is at least 2 GHz.
- Each ESXi host sends up to 10 messages per second with an average message size of 170 bytes/message, which is roughly equivalent to 150 MB per day, per host.
- For large installations, you must upgrade the virtual hardware version of the VMware Aria Operations for Logs virtual machine. VMware Aria Operations for Logs supports virtual hardware version 7 or later. Virtual hardware version 7 can support up to 8 virtual CPUs. Therefore, if you plan to provision 16 virtual CPUs, you must upgrade to virtual hardware version 8 or later for ESXi 5.x. You use the vSphere Client to upgrade the virtual hardware. If you want to upgrade the virtual hardware to the latest version, read and understand the information in the VMware knowledge base article Upgrading a virtual machine to the latest hardware version (1010675) .
Cluster Deployment
Use a medium configuration, or larger, for the primary and worker nodes in a VMware Aria Operations for Logs cluster. The number of events per second increases linearly with the number of nodes. For example, in a cluster of 3-18 nodes (clusters must have a minimum of three nodes), the ingestion in an 18-node cluster is 270,000 events per second (EPS), or 4 TB of events per day.
Reducing the Memory Size
Use the Small version of the appliance in a proof-of-concept or test environment, but not in a production environment.
VMware Aria Operations for Logs Sizing Calculator
A calculator to help you determine sizing for VMware Aria Operations for Logs and network and storage use is available. This calculator is intended for guidance only. Many environment inputs are site-specific, so the calculator necessarily uses estimations in some areas. See https://www.vmware.com/go/loginsight/calculator.
