Use content packs to retrieve, extract, and parse the logs generated by the management components in the SDDC into a human-readable format. vRealize Log Insight saves log queries and alerts, and you can use dashboards for efficient monitoring. On the logging clients, you configure syslog and vRealize Log Insight agents.

For information about the logging sources for vRealize Log Insight in this design, see Sizing Compute and Storage Resources.

vRealize Log Insight Content Packs

Some content packs are installed by default in vRealize Log Insight. Some content packs are installed by SDDC Manager during the deployment of the corresponding SDDC component.

For VMware Cloud Foundation 4.4, you can manually install a content pack for vRealize Orchestrator.

Table 1. vRealize Log Insight Content Packs for a VMware Cloud Foundation Instance

| Content Pack | Installed by |
|---|---|
| General | Default |
| VMware - vSphere | Default |
| VMware - vSAN | Default |
| VMware - vRealize Operations Manager | Default |
| VMware - NSX-T Data Center | SDDC Manager |
| VMware - vRSLCM | SDDC Manager |
| VMware Identity Manager | SDDC Manager |
| VMware - vRealize Automation | SDDC Manager |
| VMware - Linux Systemd | SDDC Manager |

Table 2. Design Decisions on vRealize Log Insight Content Packs

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ILA-VRLI-CFG-014 | Install the following content packs:<br>• VMware - Linux Systemd<br>• VMware - NSX-T<br>• VMware - vRSLCM<br>• VMware Identity Manager | Provides additional granular monitoring on the virtual infrastructure.<br>The following content packs are installed by default in vRealize Log Insight:<br>• VMware - vSphere<br>• VMware - vSAN<br>The following content packs are installed automatically by SDDC Manager:<br>• VMware - Linux Systemd<br>• VMware - NSX-T<br>• VMware - vRSLCM<br>• VMware Identity Manager | None. |
| ILA-VRLI-CFG-015 | Configure the following agent groups that are related to content packs:<br>• vRSLCM<br>• Photon OS<br>• Workspace ONE Access | • Provides a standardized configuration that is pushed to all vRealize Log Insight agents in each of the groups.<br>• Supports collection according to the context of the applications and parsing of the logs generated from the SDDC components by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.<br>• The vRSLCM agent group is created by SDDC Manager. | Adds minimal load to vRealize Log Insight. |

vRealize Log Insight Logging Sources

Client applications can send logs to vRealize Log Insight in one of the following ways:

  • Directly to vRealize Log Insight using the syslog TCP, syslog TCP over TLS/SSL, or syslog UDP protocols

  • By using a vRealize Log Insight agent

  • By using vRealize Log Insight to directly query the vSphere Web Server APIs

  • By using a vRealize Log Insight user interface

vRealize Log Insight collects log events from the following management components:

Table 3. vRealize Log Insight Logging Sources and Types

| Logging Source | Logging Type |
|---|---|
| vCenter Server | Syslog |
| ESXi hosts | Syslog |
| NSX Manager | Syslog |
| NSX Edge | Syslog |
| Workspace ONE Access | Agent |
| SDDC Manager | Agent |
| vRealize Suite Lifecycle Manager | Agent |

Table 4. Design Decision on Logging Sources for vRealize Log Insight

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ILA-VRLI-CFG-016 | Connect VMware Cloud Foundation VI workload domains to vRealize Log Insight by using SDDC Manager. | SDDC Manager automatically adds the VI workload domain vCenter Server and ESXi hosts to vRealize Log Insight. | None. |
| ILA-VRLI-CFG-017 | Install and configure the vRealize Log Insight agent on the clustered Workspace ONE Access nodes to send logs to the vRealize Log Insight cluster in their corresponding VMware Cloud Foundation instance. | Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access node.<br>Supports collection according to the context of the Workspace ONE Access using the vRealize Log Insight Ingestion API and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats. | None. |
| ILA-VRLI-CFG-018 | Configure the SDDC - Workspace ONE Access and SDDC - Photon OS agent groups in the vRealize Log Insight cluster to include the clustered Workspace ONE Access nodes. | Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access appliance.<br>Supports collection according to the context of the Workspace ONE Access using the vRealize Log Insight ingestion API and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats. | Adds minimal load to the vRealize Log Insight cluster. |
| ILA-VRLI-CFG-019 | Configure syslog sources and vRealize Log Insight agents to send log data directly to the virtual IP (VIP) address of the vRealize Log Insight integrated load balancer (ILB). | • Provides potential to scale-out without reconfiguring all log sources with a new destination address.<br>• Simplifies the configuration of log sources in the SDDC. | • You must configure the integrated load balancer on the vRealize Log Insight cluster.<br>• You must configure logging sources to forward data to the vRealize Log Insight VIP. |
| ILA-VRLI-CFG-020 | Configure all vCenter Server instances as direct syslog sources to send log data directly to vRealize Log Insight in their corresponding VMware Cloud Foundation instance. | Simplifies configuration for log sources that are syslog-capable.<br>The configuration is performed by SDDC Manager. | • You must configure syslog sources to forward logs to the vRealize Log Insight VIP.<br>• Certain dashboards in vRealize Log Insight require the use of the vRealize Log Insight agent for proper ingestion.<br>• Not all operating system level events are forwarded to vRealize Log Insight. |
| ILA-VRLI-CFG-021 | Configure the vRealize Log Insight agent on the SDDC Manager appliance in each VMware Cloud Foundation instance to forward logs to the local vRealize Log Insight instance. | Ensures relevant logs are sent to vRealize Log Insight from SDDC Manager.<br>The integration is performed automatically by SDDC Manager. | None. |
| ILA-VRLI-CFG-022 | Configure the vRealize Log Insight agent on the vRealize Suite Lifecycle Manager appliance to forward logs to vRealize Log Insight in its corresponding VMware Cloud Foundation instance. | Simplifies configuration of log sources in the SDDC that are pre-packaged with the vRealize Log Insight agent.<br>The integration is performed automatically by SDDC Manager. | None. |
| ILA-VRLI-CFG-023 | Configure the NSX-T Data Center components as direct syslog sources for vRealize Log Insight in their corresponding VMware Cloud Foundation instance, including:<br>• NSX Manager instances<br>• NSX Edge instances | Simplifies configuration of log sources in the SDDC that are syslog-capable.<br>NSX Manager instances are configured by SDDC Manager. | • You must configure syslog sources to forward logs to the vRealize Log Insight VIP.<br>• Not all operating system-level events are forwarded to vRealize Log Insight.<br>• You must manually configure NSX Edge instances. |
| ILA-VRLI-CFG-024 | Communicate with the syslog clients, such as ESXi, vCenter Server, and NSX-T Data Center, using the TCP protocol. | Using the TCP syslog protocol ensures reliability and supports retry mechanisms.<br>TCP syslog traffic is secure and more consistent with RFC 5424. | • TCP has a higher performance overhead compared to UDP.<br>• You must manually deactivate the SSL connection requirement in vRealize Log Insight. |
| ILA-VRLI-CFG-025 | Do not configure vRealize Log Insight to automatically update all deployed agents. | Manually install updated versions of the vRealize Log Insight agents for each of the specified components in the SDDC for precise maintenance. | You must manually maintain the vRealize Log Insight agents on each of the SDDC components. |
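
The following added example is not part of the original design. It is a small audit that checks a logging-source inventory against Table 3 and design decisions ILA-VRLI-CFG-019 and ILA-VRLI-CFG-024. The host names, the inventory, and the function names are constructed; the `scheme://host:port` target notation follows the ESXi `Syslog.global.logHost` convention, and a bare host name for agent targets is an assumption.

```python
from urllib.parse import urlsplit

# Constructed VIP host name for illustration; not taken from the design.
VIP = "vrli-vip.example.internal"

# Expected logging type per source kind, from Table 3.
EXPECTED_TYPE = {
    "vCenter Server": "syslog", "ESXi hosts": "syslog",
    "NSX Manager": "syslog", "NSX Edge": "syslog",
    "Workspace ONE Access": "agent", "SDDC Manager": "agent",
    "vRealize Suite Lifecycle Manager": "agent",
}

def audit_source(name, kind, log_type, target, vip=VIP):
    """Return a list of (reference, message) findings for one logging source."""
    findings = []
    expected = EXPECTED_TYPE.get(kind)
    if expected is None:
        findings.append(("Table 3", f"{name}: unknown source kind {kind!r}"))
    elif log_type != expected:
        findings.append(("Table 3", f"{name}: uses {log_type}, expected {expected}"))
    # Assumption: agents are configured with a bare host name, syslog with a URL.
    url = urlsplit(target if "://" in target else f"agent://{target}")
    host = (url.hostname or "").lower()
    if host != vip.lower():
        findings.append(("ILA-VRLI-CFG-019", f"{name}: sends to {host or 'nothing'}, not the ILB VIP"))
    if log_type == "syslog" and url.scheme == "udp":
        findings.append(("ILA-VRLI-CFG-024", f"{name}: UDP syslog, design requires TCP"))
    elif log_type == "syslog" and url.scheme not in ("tcp", "ssl"):
        findings.append(("ILA-VRLI-CFG-024", f"{name}: unrecognised transport {url.scheme!r}"))
    return findings

def audit(inventory, vip=VIP):
    """Audit every (name, kind, logging type, target) row and flatten the findings."""
    return [f for row in inventory for f in audit_source(*row, vip=vip)]

# Constructed sample inventory: (name, kind, logging type, configured target).
INVENTORY = [
    ("esx01", "ESXi hosts", "syslog", "tcp://vrli-vip.example.internal:514"),
    ("esx02", "ESXi hosts", "syslog", "udp://vrli-vip.example.internal:514"),
    ("edge01", "NSX Edge", "syslog", "tcp://vrli-node1.example.internal:514"),
    ("wsa01", "Workspace ONE Access", "syslog", "ssl://vrli-vip.example.internal:1514"),
    ("sddc01", "SDDC Manager", "agent", "vrli-vip.example.internal"),
]

if __name__ == "__main__":
    for reference, message in audit(INVENTORY):
        print(f"[{reference}] {message}")
```

The check accepts both `tcp://` and `ssl://` (TCP over TLS) as TCP transports; only `ssl://` targets are encrypted on the wire.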