VMware Aria Operations for Logs Design for Intelligent Logging and Analytics for VMware Cloud Foundation

Use content packs to have the logs generated from the management components in the SDDC retrieved, extracted, and parsed into a human-readable format. VMware Aria Operations for Logs saves log queries and alerts, and you can use dashboards for efficient monitoring. On the logging sources, you configure either syslog or VMware Aria Operations for Logs agents.

For information about the logging sources for VMware Aria Operations for Logs in this design, see Sizing Compute and Storage Resources.

VMware Aria Operations for Logs Content Packs

Some content packs are installed by default in VMware Aria Operations for Logs, some are installed by SDDC Manager during the deployment of the corresponding SDDC component, and some require manual post-deployment installation.

Table 1. VMware Aria Operations for Logs Content Packs for a VMware Cloud Foundation Instance
Content Pack	Installed by
General	Default
VMware - vSphere	Default
VMware - vSAN	Default
VMware Aria Operations 8.12+	Default
VMware – NSX	SDDC Manager
VMware-Aria-Suite-Lifecycle-8.12+	SDDC Manager
VMware Aria Automation	SDDC Manager
VMware Aria Automation Orchestrator	SDDC Manager
Linux Systemd	SDDC Manager
Linux	SDDC Manager
VMware Workspace ONE Access	Manual installation

Table 2. Design Decisions on VMware Aria Operations for Logs Content Packs
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-014	Install the following content packs: Linux - Systemd VMware - NSX VMware-Aria-Suite-Lifecycle-8.12+ VMware Workspace ONE Access	Provides additional granular monitoring on the virtual infrastructure. The following content packs are installed by default in VMware Aria Operations for Logs: VMware - vSphere VMware - vSAN The following content packs are installed automatically by SDDC Manager. Linux - Systemd VMware - NSX VMware - VMware-Aria-Suite-Lifecycle-8.12+	You must manually install the VMware Workspace ONE Access content pack.
ILA-VAOL-CFG-015	Configure the following agent groups that are related to content packs: VMware Aria Suite Lifecycle Photon OS Workspace ONE Access	Provides a standardized configuration that is pushed to all VMware Aria Operations for Logs agents in each of the groups. Supports collection according to the context of the applications and parsing of the logs generated from the SDDC components by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats. SDDC Manager creates the `vRSLCM` agent group.	Adds minimal load to VMware Aria Operations for Logs.

VMware Aria Operations for Logs Logging Sources

Logging sources can send logs to VMware Aria Operations for Logs in one of the following ways:

Directly to VMware Aria Operations for Logs using the syslog TCP, syslog TCP over TLS/SSL, or syslog UDP protocols.
By using a VMware Aria Operations for Logs agent.

VMware Aria Operations for Logs collects log events from the following management components:

Table 3. VMware Aria Operations for Logs Logging Sources and Types
Logging Source	Logging Type
vCenter Server	Syslog
ESXi hosts	Syslog
NSX Manager	Syslog
NSX Edge	Syslog
Workspace ONE Access	Agent
SDDC Manager	Agent
VMware Aria Suite Lifecycle	Agent

Table 4. Design Decision on Logging Sources for VMware Aria Operations for Logs
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-016	Connect VMware Cloud Foundation VI workload domains to VMware Aria Operations for Logs by using SDDC Manager.	SDDC Manager automatically adds the VI workload domain vCenter Server and ESXi hosts to VMware Aria Operations for Logs.	None.
ILA-VAOL-CFG-017	Install and configure the VMware Aria Operations for Logs agent on the clustered Workspace ONE Access nodes to send logs to the VMware Aria Operations for Logs cluster in their corresponding VMware Cloud Foundation instance.	Provides a standardized configuration that is pushed to the VMware Aria Operations for Logs agents for each Workspace ONE Access node. Supports collection according to the context of the Workspace ONE Access using the VMware Aria Operations for Logs Ingestion API and parses of the logs by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats.	None.
ILA-VAOL-CFG-018	Configure the SDDC - Workspace ONE Access and SDDC - Photon OS agent groups in the VMware Aria Operations for Logs cluster to include the clustered Workspace ONE Access nodes.	Provides a standardized configuration that is pushed to the VMware Aria Operations for Logs agents for each Workspace ONE Access appliance. Supports collection according to the context of the Workspace ONE Access using the VMware Aria Operations for Logs ingestion API and parses of the logs by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats.	Adds minimal load to the VMware Aria Operations for Logs cluster.
ILA-VAOL-CFG-019	Configure logging sources and VMware Aria Operations for Logs agents to send log data to the FQDN of the VMware Aria Operations for Logs integrated load balancer (ILB).	Ensures proper communication configuration - VMware Aria Operations for Logs can resolve the FQDN to the ILB IP address. Provides potential to scale-out without reconfiguring all log sources with a new destination address. Simplifies the configuration of log sources in the SDDC.	You must enable the integrated load balancer on the VMware Aria Operations for Logs cluster. You must configure valid DNS forward (A) and reverse (PTR) record for the integrated load balancer VIP.
ILA-VAOL-CFG-020	Configure all vCenter Server instances as syslog sources to send log data directly to VMware Aria Operations for Logs in their corresponding VMware Cloud Foundation instance.	Simplifies configuration for log sources that are syslog-capable. The configuration is performed by SDDC Manager	Certain dashboards in VMware Aria Operations for Logs require the use of the VMware Aria Operations for Logs agent for proper ingestion. Not all operating system level events are forwarded to VMware Aria Operations for Logs.
ILA-VAOL-CFG-021	Configure the VMware Aria Operations for Logs agent on the SDDC Manager appliance in each VMware Cloud Foundation instance to forward logs to the local VMware Aria Operations for Logs instance.	Ensures relevant logs are sent to VMware Aria Operations for Logs from SDDC Manager. The integration is performed automatically by SDDC Manager.	None.
ILA-VAOL-CFG-022	Configure the VMware Aria Operations for Logs agent on the VMware Aria Suite Lifecycle appliance to forward logs to VMware Aria Operations for Logs in its corresponding VMware Cloud Foundation instance.	Simplifies configuration of log sources in the SDDC that are pre-packaged with the VMware Aria Operations for Logs agent. The integration is performed automatically by SDDC Manager.	None.
ILA-VAOL-CFG-023	Configure the NSX components as syslog sources for VMware Aria Operations for Logs in their corresponding VMware Cloud Foundation instance, including: NSX Manager instances NSX Edge instances	Simplifies configuration of log sources in the SDDC that are syslog-capable. NSX Manager instances are configured by SDDC Manager.	You must configure NSX components to forward logs to the VMware Aria Operations for Logs VIP. Not all operating system-level events are forwarded to VMware Aria Operations for Logs. You must manually configure NSX Edge instances.
ILA-VAOL-CFG-024	Configure the logging sources, such as ESXi, vCenter Server, and NSX to communicate with VMware Aria Operations for Logs, using the TCP protocol.	Using the TCP syslog protocol ensures reliability and supports retry mechanisms. TCP syslog traffic is secure and more consistent with RFC 5424.	TCP has a higher performance overhead compared to UDP. You must manually deactivate the SSL connection requirement in VMware Aria Operations for Logs.
ILA-VAOL-CFG-025	Do not configure VMware Aria Operations for Logs to automatically update all deployed agents.	Individually update the versions of the VMware Aria Operations for Logs agents for each of the specified components in the SDDC for precise maintenance.	You must maintain manually the VMware Aria Operations for Logs agents on each of the SDDC components.

Log Forwarding Between VMware Cloud Foundation Instances and VMware Aria Operations for Logs

VMware Aria Operations for Logs supports log forwarding to other clusters and standalone instances. Use log forwarding between VMware Cloud Foundation instances to have access to all logs if a disaster occurs in a VMware Cloud Foundation instance.

You forward logs in VMware Aria Operations for Logs by using the Ingestion API or a native syslog implementation. While forwarding logs, the VMware Aria Operations for Logs instance still ingests, stores, and archives logs locally.

The VMware Aria Operations for Logs Ingestion API uses TCP communication. In contrast to syslog, the forwarding module supports the following features for the Ingestion API:

Forwarding to other VMware Aria Operations for Logs instances
Support for both structured and unstructured data, that is, multi-line messages
Metadata in the form of tags
Client-side compression

Table 5. Design Decisions on Event Forwarding Across VMware Aria Operations for Logs Instances for Multiple VMware Cloud Foundation Instances
Decision ID	Design Decision	Design Justification	Design Implication
ILA-VAOL-CFG-026	In an environment with multiple VMware Cloud Foundation instances, forward logs to the other instance by using the Ingestion API.	Supports the following operations: Structured and unstructured data for client-side compression Log throttling from one VMware Aria Operations for Logs cluster to another. In the event of a cross-instance outage, the administrator has access to all logs from the two VMware Cloud Foundation instances although one of the instances is offline.	You must configure each VMware Aria Operations for Logs cluster to forward log data to the cluster in the other VMware Cloud Foundation instance. The configuration introduces administrative overhead to prevent recursion of logging between instances using inclusion and exclusion tagging. Log forwarding adds load to each instance. You must consider log forwarding in the sizing calculations for the VMware Aria Operations for Logs cluster in each instance. You must configure identical size on both source and destination clusters.
ILA-VAOL-CFG-027	In an environment with multiple VMware Cloud Foundation instances, configure log forwarding to use SSL on port 9543.	Ensures that the log forward operations between instances are secure.	You must set up a custom CA- signed SSL certificate. Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default. If you add VMware Aria Operations for Logs nodes to a cluster, the SSL certificate used by the VMware Aria Operations for Logs cluster in the other VMware Cloud Foundation instance must be installed in the Java keystore of all nodes before SSL can be used.