You can deploy VMware Aria Operations for Logs with a single node, single cluster, or cluster with forwarders.

Note: External load balancers are not supported for use with VMware Aria Operations for Logs, including VMware Aria Operations for Logs clusters.

Installation Through Aria Suite Lifecycle

The Aria Suite Lifecycle automates the installation, configuration, upgrade, patch, configuration management, drift remediation, and health for Aria Suite products. As an alternative to installing VMware Aria Operations for Logs directly, you can install it through the Aria Suite Lifecycle. You must use Aria Suite Lifecycle 1.2 or later to install VMware Aria Operations for Logs 4.5.1 or later. See Aria Suite Lifecycle documentation for more information.

Single Nodes

A basic VMware Aria Operations for Logs configuration includes a single node. Log sources can be applications, OS logs, virtual machine logs, hosts, the vCenter Server, virtual or physical switches and routers, storage hardware, and so on. Log streams are transported to the VMware Aria Operations for Logs node using syslog (UDP, TCP, TCP+SSL) or CFAPI (the VMware Aria Operations for Logs native ingestion protocol over HTTP or HTTPS). They are sent directly by an application, by a syslog concentrator, or by the VMware Aria Operations for Logs agent installed on the source.

As a best practice for single-node deployments, use the VMware Aria Operations for Logs Integrated Load Balancer (ILB) and send queries and ingestion traffic to the ILB. This does not incur overhead and simplifies configuration if you want to add nodes to create a cluster for your deployment in the future.

As a best practice, do not use single nodes for production environments.

Clusters

Production environments generally require the use of clusters. Clusters must meet the following requirements:

  • Nodes in clusters must all be of the same size and in the same data center.
  • The ILB used with clusters requires that nodes be in the same L2 network.
  • VMware Aria Operations for Logs virtual machines must be excluded from VMware NSX Distributed Firewall Protection.

    This is because virtual IPs for clusters use a Linux Virtual Server in Direct Server Return Mode (LVS-DR) for load balancing. Direct Server Return is more efficient than routing all response traffic through a single cluster member. However, it also resembles spoofed traffic, which NSX Distributed Firewall blocks.

Sizing Clusters

A VMware Aria Operations for Logs single cluster configuration can include 3 to 18 nodes. When nodes are offline or unhealthy, feature availability depends on whether the minimum number of nodes that the cluster needs to run its functions is still available.

The following table lists the maximum number of nodes that can fail while the cluster remains healthy and active:

Number of nodes in a cluster    Number of nodes that can fail
1                               0
2                               0
3                               1
4                               1
5                               2
6                               2
7-18                            3

If the primary node is unhealthy or offline:
  • You might experience certain UI limitations in accessing cluster details and statistics.
  • You cannot add new nodes.
  • You cannot remove existing nodes.

For information about sizing, see Sizing the VMware Aria Operations for Logs Virtual Appliance.
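
The following pre-deployment check is an added example, not VMware tooling or part of the product. It tests a planned node inventory against the cluster requirements and the failure-tolerance table above. The `Node` record, its field names, and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:                      # hypothetical inventory record, not a product API
    name: str
    size: str                    # appliance size label
    datacenter: str
    l2_network: str              # port group / VLAN the node sits on
    dfw_excluded: bool           # listed in the NSX Distributed Firewall exclusion list
    healthy: bool = True

def max_failures(node_count: int) -> int:
    """Tolerated node failures for a cluster size, per the table above."""
    if not 1 <= node_count <= 18:
        raise ValueError("node count must be between 1 and 18")
    # Table rows: 1-2 nodes -> 0, 3-4 -> 1, 5-6 -> 2, 7-18 -> 3
    return min((node_count - 1) // 2, 3)

def validate_cluster(nodes: list[Node]) -> list[str]:
    """Return findings against the cluster requirements; empty list means none."""
    findings = []
    if not 3 <= len(nodes) <= 18:
        findings.append(f"{len(nodes)} nodes; a cluster needs 3 to 18")
    for attr, label in (("size", "size"), ("datacenter", "data center"),
                        ("l2_network", "L2 network")):
        values = sorted({getattr(n, attr) for n in nodes})
        if len(values) > 1:
            findings.append(f"nodes differ in {label}: {', '.join(values)}")
    findings += [f"{n.name} is not excluded from NSX Distributed Firewall"
                 for n in nodes if not n.dfw_excluded]
    return findings

def stays_active(nodes: list[Node]) -> bool:
    """True if the number of unhealthy nodes is within the tolerated maximum."""
    down = sum(not n.healthy for n in nodes)
    return down <= max_failures(len(nodes))

# Constructed sample plan: four nodes, one on another VLAN and missing the exclusion.
PLAN = [
    Node("logs-01", "medium", "dc-a", "vlan-110", True),
    Node("logs-02", "medium", "dc-a", "vlan-110", True),
    Node("logs-03", "medium", "dc-a", "vlan-120", False, healthy=False),
    Node("logs-04", "medium", "dc-a", "vlan-110", True, healthy=False),
]

if __name__ == "__main__":
    for finding in validate_cluster(PLAN):
        print("FINDING:", finding)
    print("active with current failures:", stays_active(PLAN))
```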

Clusters with Forwarders

A VMware Aria Operations for Logs cluster with forwarders configuration includes a main indexing, storage, and query cluster of 3 to 18 nodes using the ILB. A single log message is present in only one location within the main cluster, as in the single cluster configuration.

The design is extended through the addition of multiple forwarder clusters at remote sites or clusters. Each forwarder cluster is configured to forward all its log messages to the main cluster, taking advantage of CFAPI for compression and resilience on the forwarding path. Users connect to the main cluster. Forwarder clusters configured as top-of-rack can be configured with a larger local retention.

Cross-Forwarding for Redundancy

This VMware Aria Operations for Logs deployment scenario is a cluster with forwarders configuration that is extended and mirrored. Two main clusters are used for indexing, storage, and query. One main cluster is in each data center. Each is front-ended with a pair of dedicated forwarder clusters. All log sources from all top-of-rack aggregations concentrate at the forwarder clusters. You can independently query the same logs on both retention clusters.

VMware Aria Operations for Logs Integrated Load Balancer

To properly balance traffic across nodes in a cluster and to minimize administrative overhead, use the Integrated Load Balancer (ILB) for all deployments. This ensures that incoming ingestion traffic is accepted even if some VMware Aria Operations for Logs nodes are unavailable.